fix: skip deepin-keyring-whitebox for xrdp sessions

[fly602]

Modify the startup script to conditionally skip launching deepin- keyring-whitebox client when XRDP remote desktop session is detected. Added a check for XRDP_SESSION environment variable before starting the whitebox keyring service.

The change prevents potential conflicts and issues that may arise when trying to use the whitebox keyring system in remote desktop environments where it may not be properly supported or could cause authentication problems.

Influence:

1. Test local login to ensure deepin-keyring-whitebox still starts normally
2. Test XRDP remote login to verify the service is properly skipped
3. Verify no authentication issues occur in either scenario
4. Check that other keyring components (gnome-keyring-daemon) continue to work correctly

fix: xrdp远程登录时跳过白盒密钥环

修改启动脚本，在检测到XRDP远程桌面会话时有条件地跳过启动deepin-keyring-
whitebox客户端。在启动白盒密钥环服务前添加了对XRDP_SESSION环境变量的
检查。

此更改防止在远程桌面环境中使用白盒密钥环系统时可能出现的潜在冲突和问题，
因为在这些环境中可能无法正确支持或可能导致认证问题。
PMS: BUG-320847
Influence:

1. 测试本地登录确保deepin-keyring-whitebox仍正常启动
2. 测试XRDP远程登录验证服务被正确跳过
3. 验证两种场景下都不会出现认证问题
4. 检查其他密钥环组件（gnome-keyring-daemon）继续正常工作

Summary by Sourcery

Skip starting the deepin keyring whitebox client when an XRDP remote desktop session is detected to avoid authentication issues while preserving normal behavior for local sessions.

Bug Fixes:

• Avoid conflicts and authentication problems by not launching deepin-keyring-whitebox during XRDP-based remote logins.

Tests:

• Ensure deepin-keyring-whitebox starts as usual on local logins and is skipped during XRDP sessions without impacting other keyring components.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fly602

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Conditionally skip starting the deepin keyring whitebox client during XRDP sessions by guarding its startup in the Xsession script with an XRDP-specific environment check, while keeping behavior unchanged for normal local logins.

File-Level Changes

Change	Details	Files
Guard deepin-keyring-whitebox startup behind an XRDP session check in the Xsession startup script.	Add a conditional check for the XRDP_SESSION (or related) environment variable before launching the deepin-keyring-whitebox client Skip starting the whitebox keyring service when an XRDP remote desktop session is detected Preserve existing startup behavior for local (non-XRDP) sessions so deepin-keyring-whitebox still runs normally	misc/Xsession.d/97deepin-keyring-wb

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这段代码主要涉及从传统的 Xsession 启动脚本迁移到 systemd 用户服务管理的过程。这是一个很好的现代化改进，有助于更好地管理桌面会话的生命周期。

以下是对该 diff 的详细审查和改进建议：

1. 语法与逻辑审查

• Xsession 脚本 (97deepin-keyring-wb):

  • 逻辑变更: 逻辑从直接在脚本中启动守护进程改为触发 systemd 服务。这是正确的做法，符合现代 Linux 发行版（尤其是使用 systemd 的发行版）的最佳实践。
  • 检查方式: 原脚本检查文件是否可执行 (-x)，新脚本检查服务文件是否存在 (-f)。这符合 systemd 的上下文，因为服务文件的存在意味着它已安装并被 systemd 识别。

• CMakeLists.txt:

  • 构建逻辑: 正确地添加了新的 .service.in 文件配置，并将其添加到安装列表中。逻辑清晰，无语法错误。

• systemd 服务文件 (dde-keyring.service.in):

  • 启动逻辑: ExecStart 使用 /bin/sh -c 来包裹复杂的 shell 逻辑。虽然这是可行的，但在 systemd 单元文件中直接写复杂的 shell 脚本通常不是最佳实践（详见下文改进意见）。
  • 环境变量: 检查了 $XRDP_SESSION 环境变量，逻辑合理，防止在远程桌面会话中启动不需要的组件。
  • 后台运行: deepin-keyring-whitebox 命令末尾使用了 & 将其放入后台。在 Type=oneshot 的服务中，这通常是必要的，否则 systemd 会认为服务启动失败（因为主进程退出了）。

2. 代码质量与改进意见

问题点：ExecStart 中的 Shell 脚本逻辑

在 dde-keyring.service.in 中，ExecStart 直接内嵌了多行 shell 脚本。这降低了可读性和可维护性。

改进建议：
建议将 ExecStart 中的逻辑提取到一个独立的脚本文件中（例如 /usr/bin/dde-keyring-wrapper），然后在服务文件中直接调用该脚本。

修改后的方案：

1. 创建辅助脚本 (例如在 CMake 中安装 /usr/libexec/dde-keyring-wrapper):

#!/bin/sh
# /usr/libexec/dde-keyring-wrapper

if [ -x /usr/bin/gnome-keyring-daemon ]; then
    echo "start gnome-keyring-daemon with components secrets,pkcs11,ssh"
    /usr/bin/gnome-keyring-daemon --start --components=secrets,pkcs11,ssh
fi

if [ -x /usr/bin/deepin-keyring-whitebox ] && [ -z "$XRDP_SESSION" ]; then
    echo "start deepin-keyring-whitebox client"
    # 注意：这里不需要 &，因为 systemd 的 Type=oneshot 配合 RemainAfterExit=yes 会处理进程状态
    # 或者如果该程序必须作为守护进程运行，建议将其拆分为另一个单独的 service
    /usr/bin/deepin-keyring-whitebox --opt-client=waitfifonotify &
fi

2. 简化服务文件 (systemd/dde-keyring.service.in):

[Unit]
Description=Deepin Keyring Service (GNOME Keyring + Whitebox Client)
Documentation=man:gnome-keyring-daemon(1)
After=dbus.socket
PartOf=graphical-session.target

[Service]
Type=oneshot
RemainAfterExit=yes
# 直接调用封装脚本，更清晰且易于调试
ExecStart=/usr/libexec/dde-keyring-wrapper
Restart=no
TimeoutStartSec=180

3. 代码性能

• 启动开销: 将启动逻辑移至 systemd 后，利用了 systemd 的并行启动能力，只要 dbus.socket 准备好就可以启动，这通常比 Xsession 串行执行脚本要快。
• 超时设置: TimeoutStartSec=180 (3分钟) 对于一个密钥环服务来说似乎过长。如果密钥环服务启动卡住，用户登录界面可能会等待很久。建议根据实际测试缩短此时间，例如 30s 或 60s。

4. 代码安全

• 环境变量注入: ExecStart=/bin/sh -c '...' 的方式如果处理不当可能存在命令注入风险（虽然这里主要是静态字符串）。提取为独立脚本文件可以减少这种风险，因为脚本文件的权限是受控的。
• XRDP 检查: 代码中检查 [ -z "$XRDP_SESSION" ] 来决定是否启动 deepin-keyring-whitebox。这是一个很好的安全/兼容性实践，避免了在远程会话中触发不必要的本地安全机制。
• || true 的移除: 原脚本中有 || true，而在新的服务文件中移除了它。在 systemd 中，如果 ExecStart 中的命令失败（返回非 0），服务会被标记为失败。这是符合预期的行为，比静默忽略错误要好，因为 systemd 可以捕获并记录这些失败状态。

总结

这个 diff 的主要方向（从 Xsession 迁移到 systemd）是正确的。
核心改进建议：

1. 将 ExecStart 中的内联 Shell 脚本提取为独立的可执行文件，以提高可维护性。
2. 考虑缩短 TimeoutStartSec。
3. 检查 deepin-keyring-whitebox 的运行模式：如果它是一个长期运行的守护进程，最佳实践是将其拆分为另一个 Type=forking 或 Type=dbus 的独立服务，而不是在 oneshot 服务中用 & 启动。如果它只是执行一个任务就退出，那么 & 是不必要的，且可能导致状态管理混乱。