Store passwords in the system keychain

[osteele]

Poetry currently requires either that you store your PyPI password in plaintext (via poetry config http-basic.pypi username password), or enter it on each poetry publish. The first is insecure, the second is inconvenient.

I like what Flit does: store the password in Keyring if that package is installed, and prompt the user to install it otherwise. (Keyring uses the system keychain, e.g. Keychain on macOS, the Freedesktop Secret Service standard on supported UN*X, WinVault on Windows.)

This relates to #111.

[osteele]

I believe this could be implemented by replacing:

if not password:
    password = self._io.ask_hidden("Password:")

by something like:

if not password:
    try:
        import keyring
        if keyring.get_keyring():
            password = keyring.get_password(repository_name, username)
    except ImportError:
        print("Install keyring to store passwords securely")
        keyring = None

if not password:
    password = self._io.ask_hidden("Password:")
    if keyring and keyring.get_keyring():
        keyring.set_password(repository_name, username, password)

in poetry/poetry/masonry/publishing/publisher.py:Publisher.publish.

[jacebrowning]

If this approach was taken, why not simply make keyring a dependency?

[osteele]

Yeah, that’s probably a better idea. Then it would be available when Poetry is installed via pipsi. I was copying the behavior of Flit, where it’s optional, but the advantages of doing it that way seem minor.

[abn]

@jacebrowning @osteele I have attempted an implementation using keyring in #774 . Would be great to get the change tested on different platforms.