feat: add support for OS specific keychains

.github/workflows/binaries.yml

@@ -46,7 +46,7 @@ jobs:
     - run: rustup target add ${{ matrix.sys.target }}
 
     - if: matrix.sys.target == 'aarch64-unknown-linux-gnu'
-      run: sudo apt-get update && sudo apt-get -y install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libudev-dev
+      run: sudo apt-get update && sudo apt-get -y install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libudev-dev libdbus-1-dev
 
     - name: Setup vars
       run: |
@@ -69,6 +69,7 @@ jobs:
       env:
         CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
       working-directory: ${{ env.BUILD_WORKING_DIR }}
+      run: sudo apt-get update && sudo apt-get -y install libdbus-1-dev
       run: cargo build --target-dir="$GITHUB_WORKSPACE/target" --package ${{ matrix.crate.name }} --features opt --release --target ${{ matrix.sys.target }}
 
     - name: Build provenance for attestation (release only)

.github/workflows/bindings-ts.yml

@@ -35,6 +35,7 @@ jobs:
             target/
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
       - run: rustup update
+      - run: sudo apt install -y libdbus-1-dev
       - run: cargo build
       - run: rustup target add wasm32-unknown-unknown
       - run: make build-test-wasms

.github/workflows/rpc-tests.yml

@@ -39,6 +39,7 @@ jobs:
             target/
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
       - run: rustup update
+      - run: sudo apt install -y libdbus-1-dev
       - run: cargo build
       - run: rustup target add wasm32-unknown-unknown
       - run: make build-test-wasms

.github/workflows/rust.yml

@@ -49,6 +49,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: stellar/actions/rust-cache@main
     - run: rustup update
+    - run: sudo apt install -y libdbus-1-dev
     - run: make generate-full-help-doc
     - run: git add -N . && git diff HEAD --exit-code
 
@@ -90,7 +91,7 @@ jobs:
     - run: rustup target add ${{ matrix.sys.target }}
     - run: rustup target add wasm32-unknown-unknown
     - if: runner.os == 'Linux'
-      run: sudo apt-get update && sudo apt-get -y install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libudev-dev
+      run: sudo apt-get update && sudo apt-get -y install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libudev-dev libdbus-1-dev
     - run: cargo clippy --all-targets --target ${{ matrix.sys.target }}
     - run: make test
       env:

FULL_HELP_DOCS.md

@@ -933,7 +933,7 @@ Create and manage identities including keys and addresses
 
 ###### **Subcommands:**
 
-* `add` — Add a new identity (keypair, ledger, macOS keychain)
+* `add` — Add a new identity (keypair, ledger, OS specific secure store)
 * `address` — Given an identity return its address (public key)
 * `fund` — Fund an identity on a test network
 * `generate` — Generate a new identity with a seed phrase, currently 12 words
@@ -946,7 +946,7 @@ Create and manage identities including keys and addresses
 
 ## `stellar keys add`
 
-Add a new identity (keypair, ledger, macOS keychain)
+Add a new identity (keypair, ledger, OS specific secure store)
 
 **Usage:** `stellar keys add [OPTIONS] <NAME>`
 
@@ -1018,6 +1018,7 @@ Generate a new identity with a seed phrase, currently 12 words
 * `--no-fund` — Do not fund address
 * `--seed <SEED>` — Optional seed to use when generating seed phrase. Random otherwise
 * `-s`, `--as-secret` — Output the generated identity as a secret key
+* `--secure-store` — Save in OS-specific secure store
 * `--global` — Use global config
 * `--config-dir <CONFIG_DIR>` — Location of config directory, default is "."
 * `--hd-path <HD_PATH>` — When generating a secret key, which `hd_path` should be used from the original `seed_phrase`

cmd/soroban-cli/Cargo.toml

@@ -20,6 +20,10 @@ path = "src/bin/stellar.rs"
 name = "soroban"
 path = "src/bin/soroban.rs"
 
+[[bin]]
+name = "secret"
+path = "src/bin/secret.rs"
+
 [package.metadata.binstall]
 pkg-url = "{ repo }/releases/download/v{ version }/{ name }-{ version }-{ target }{ archive-suffix }"
 bin-dir = "{ bin }{ binary-ext }"
@@ -72,7 +76,8 @@ rand = "0.8.5"
 wasmparser = { workspace = true }
 sha2 = { workspace = true }
 csv = "1.1.6"
-ed25519-dalek = { workspace = true }
+# zeroize feature ensures that all sensitive data is zeroed out when dropped
+ed25519-dalek = { workspace = true, features = ["zeroize"] }
 reqwest = { version = "0.12.7", default-features = false, features = [
     "rustls-tls",
     "http2",
@@ -124,6 +129,10 @@ fqdn = "0.3.12"
 open = "5.3.0"
 url = "2.5.2"
 wasm-gen = "0.1.4"
+zeroize = "1.8.1"
+keyring = { version = "3", features = ["apple-native", "windows-native", "sync-secret-service"] }
+whoami = "1.5.2"
+
 
 [build-dependencies]
 crate-git-revision = "0.0.6"

cmd/soroban-cli/src/bin/secret.rs

@@ -0,0 +1,17 @@
+use soroban_cli::signer::keyring::StellarEntry;
+
+fn main() {
+    let entry = StellarEntry::new("test").unwrap();
+    if let Ok(key) = entry.get_public_key() {
+        println!("{key}");
+        return;
+    };
+
+    let secret = soroban_cli::config::secret::Secret::from_seed(None).unwrap();
+    let pub_key = secret.public_key(None).unwrap();
+    let key_pair = secret.key_pair(None).unwrap();
+    entry.set_password(key_pair.as_bytes()).unwrap();
+    let pub_key_2 = entry.get_public_key().unwrap();
+    assert_eq!(pub_key, pub_key_2);
+    println!("{pub_key} == {pub_key_2}");
+}

cmd/soroban-cli/src/commands/keys/add.rs

@@ -1,21 +1,25 @@
 use clap::command;
 
-use crate::config::{locator, secret};
+use crate::config::{
+    address::{self, KeyName},
+    locator, secret,
+};
 
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
     #[error(transparent)]
     Secret(#[from] secret::Error),
-
     #[error(transparent)]
     Config(#[from] locator::Error),
+    #[error(transparent)]
+    Address(#[from] address::Error),
 }
 
 #[derive(Debug, clap::Parser, Clone)]
 #[group(skip)]
 pub struct Cmd {
     /// Name of identity
-    pub name: String,
+    pub name: KeyName,
 
     #[command(flatten)]
     pub secrets: secret::Args,