From 90b7385c449c7392afe89a276aaa1c619b4a73d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 13:31:54 +0000
Subject: [PATCH 1/2] pcsclient: make 'keyring' module optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is not available in some distros, and since it is merely a
convenience to avoid repeated password entry, it can be made
optional.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 .../PcsClientTool/lib/intelsgx/credential.py  | 29 +++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/tools/PcsClientTool/lib/intelsgx/credential.py b/tools/PcsClientTool/lib/intelsgx/credential.py
index fa1e38d0..e0e32ddb 100644
--- a/tools/PcsClientTool/lib/intelsgx/credential.py
+++ b/tools/PcsClientTool/lib/intelsgx/credential.py
@@ -1,4 +1,7 @@
-import keyring
+try:
+    import keyring
+except:
+    keyring = None
 import getpass
 
 class Credentials:
@@ -7,11 +10,12 @@ class Credentials:
 
     def get_pcs_api_key(self):
         pcs_api_key = ""
-        try:
-            print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
-            pcs_api_key = keyring.get_password(self.APPNAME, self.KEY_PCS_APIKEY)
-        except keyring.errors.KeyringError as ke:
-            pcs_api_key = ""
+        if keyring is not None:
+            try:
+                print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+                pcs_api_key = keyring.get_password(self.APPNAME, self.KEY_PCS_APIKEY)
+            except keyring.errors.KeyringError as ke:
+                pcs_api_key = ""
         
         while pcs_api_key is None or pcs_api_key == '':
             pcs_api_key = getpass.getpass(prompt="Please input ApiKey for Intel PCS:")
@@ -24,10 +28,11 @@ def get_pcs_api_key(self):
         return pcs_api_key
 
     def set_pcs_api_key(self, apikey):
-        try:
-            print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
-            keyring.set_password(self.APPNAME, self.KEY_PCS_APIKEY, apikey)
-        except keyring.errors.PasswordSetError as ke:
-            print("Failed to store PCS API key.")
-            return False
+        if keyring is not None:
+            try:
+                print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+                keyring.set_password(self.APPNAME, self.KEY_PCS_APIKEY, apikey)
+            except keyring.errors.PasswordSetError as ke:
+                print("Failed to store PCS API key.")
+                return False
         return True

From 8a609cb637892478e2fcee020ff81ac8f8b8f197 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 18:05:14 +0000
Subject: [PATCH 2/2] pcsclient: ignore errors trying to clear the keyring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On authentication errors with PCS, an attempt is made to clear the
keyring. This may fail if the user's login environment has no keyring
configured. The user would have declined to store the key when first
prompted, so there would be nothing to clear either in this case.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 tools/PcsClientTool/lib/intelsgx/pcs.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py
index 8a8dc865..1519c6c3 100644
--- a/tools/PcsClientTool/lib/intelsgx/pcs.py
+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py
@@ -343,7 +343,13 @@ def get_pck_cert(self, eppid, pceid, cpusvn, pcesvn, dec=None):
         if response.status_code != 200:
             print(str(response.content, 'utf-8'))
             if response.status_code == 401:
-                Credentials().set_pcs_api_key('')   #reset ApiKey
+                try:
+                    Credentials().set_pcs_api_key('')   #reset ApiKey
+                except:
+                    # If keyring is unavailable, we don't want to trigger
+                    # traceback, as the user may have declined to save
+                    # the key in the keyring earlier
+                    pass
             return None
 
         # Verify expected headers
@@ -418,7 +424,13 @@ def get_pck_certs(self, eppid, pceid, platform_manifest, dec=None):
         if response.status_code != 200:
             print(str(response.content, 'utf-8'))
             if response.status_code == 401:
-                Credentials().set_pcs_api_key('')   #reset ApiKey
+                try:
+                    Credentials().set_pcs_api_key('')   #reset ApiKey
+                except:
+                    # If keyring is unavailable, we don't want to trigger
+                    # traceback, as the user may have declined to save
+                    # the key in the keyring earlier
+                    pass
             return None
 
         # Verify expected headers