diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0afde99ee6..c0c147045e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3915,6 +3915,13 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
LoadCredential= and LoadCredentialEncrypted= take priority over
credentials found by ImportCredential=.
+ Note that if decryption or authentication of a credential picked up as result of
+ ImportCredential= fails it will be skipped gracefully (a warning is generated, but
+ the credential will not be made available to the invoked service). This is different for those
+ configured via
+ SetCredentialEncrypted=/LoadCredentialEncrypted=, where failed
+ decryption/authentication will result in service failure.
+
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index f7f388c2c0..b0cc9ad068 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -463,7 +463,8 @@ static int maybe_decrypt_and_write_credential(
struct load_cred_args *args,
const char *id,
const char *data,
- size_t size) {
+ size_t size,
+ bool graceful) {
_cleanup_(iovec_done_erase) struct iovec plaintext = {};
size_t add;
@@ -517,8 +518,14 @@ static int maybe_decrypt_and_write_credential(
default:
assert_not_reached();
}
- if (r < 0)
+ if (r < 0) {
+ if (graceful) {
+ log_warning_errno(r, "Unable to decrypt credential '%s', skipping.", id);
+ return 0;
+ }
+
return r;
+ }
data = plaintext.iov_base;
size = plaintext.iov_len;
@@ -607,7 +614,7 @@ static int load_credential_glob(
if (r < 0)
return log_debug_errno(r, "Failed to read credential '%s': %m", *p);
- r = maybe_decrypt_and_write_credential(args, fn, data, size);
+ r = maybe_decrypt_and_write_credential(args, fn, data, size, /* graceful= */ true);
if (r < 0)
return r;
}
@@ -732,7 +739,7 @@ static int load_credential(
if (r < 0)
return log_debug_errno(r, "Failed to read credential '%s': %m", path);
- return maybe_decrypt_and_write_credential(args, id, data, size);
+ return maybe_decrypt_and_write_credential(args, id, data, size, /* graceful= */ true);
}
static int load_cred_recurse_dir_cb(
@@ -869,10 +876,11 @@ static int acquire_credentials(
args.encrypted = false;
- r = load_credential_glob(&args,
- ic,
- search_path,
- READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER);
+ r = load_credential_glob(
+ &args,
+ ic,
+ search_path,
+ READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER);
if (r < 0)
return r;
@@ -884,10 +892,11 @@ static int acquire_credentials(
args.encrypted = true;
- r = load_credential_glob(&args,
- ic,
- search_path,
- READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER|READ_FULL_FILE_UNBASE64);
+ r = load_credential_glob(
+ &args,
+ ic,
+ search_path,
+ READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER|READ_FULL_FILE_UNBASE64);
if (r < 0)
return r;
}
@@ -905,7 +914,7 @@ static int acquire_credentials(
if (errno != ENOENT)
return log_debug_errno(errno, "Failed to test if credential %s exists: %m", sc->id);
- r = maybe_decrypt_and_write_credential(&args, sc->id, sc->data, sc->size);
+ r = maybe_decrypt_and_write_credential(&args, sc->id, sc->data, sc->size, /* graceful= */ false);
if (r < 0)
return r;
}