> It is of no protection at all if an application simply asks the secure-whatever for them and then proceeds to email them all to someone else.

On Windows the application can specify some extra entropy/salt, and the secret is not decryptable without it[1]. So it's a tad more difficult to exfiltrate than simply asking for it.

[1]: https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf...
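The optional-entropy behaviour described in the comment above, as an added example that is not part of the original thread. It uses the .NET `ProtectedData` wrapper around DPAPI and shows the same blob being opened with the right entropy, without entropy, and with the wrong entropy. It assumes Windows PowerShell 5.1; the secret, the entropy strings and the helper name `Test-Unprotect` are constructed for illustration.

```powershell
# Added example (not from the thread): DPAPI with application-supplied entropy.
# Assumes Windows PowerShell 5.1; all values below are constructed samples.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8    = [System.Text.Encoding]::UTF8
$secret  = $utf8.GetBytes('example-token-not-real')
$entropy = $utf8.GetBytes('app-specific-entropy')

# Encrypt for the current user, binding the blob to the extra entropy.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Hypothetical helper: returns the plaintext, or $null when DPAPI refuses to decrypt.
function Test-Unprotect {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
        return $utf8.GetString($plain)
    } catch {
        return $null
    }
}

$cases = [ordered]@{
    'correct entropy' = $entropy
    'no entropy'      = $null
    'wrong entropy'   = $utf8.GetBytes('some-other-value')
}

foreach ($name in $cases.Keys) {
    $result = Test-Unprotect -Blob $blob -Entropy $cases[$name]
    if ($null -ne $result) {
        Write-Output "${name}: decrypted"
    } else {
        Write-Output "${name}: decryption failed"
    }
}

# The entropy is not tied to a process identity: any process running as the
# same user that learns the entropy value can decrypt the blob the same way.
```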

Which is still protecting secrets at rest.

What are people not getting about this? The point of a shared keyring is to enable applications to share secrets. My git tokens are shared between git, my IDE, various scripts etc.

This discussion highlights the exact issue: people don't even understand what problem or use case they are actually solving.

From what I read here, the problem is that EVIL.app can read your git tokens, too, without you having anything to say about it.

Yes, you want a system that allows sharing of those tokens between various tools, but you also want the user to be in control of which tools can share them.