[KWallet] Provide org.freedesktop.secrets support
Closed, Resolved. Public

Description

Support for org.freedesktop.secrets was added in https://invent.kde.org/frameworks/kwallet/-/merge_requests/11
The original description is left for reference below

https://mail.kde.org/pipermail/plasma-devel/2016-July/055641.html

KWallet plays a central role in Plasma and many KDE applications as the central password storage. However, it being very old and not having been actively developed for a long time, it has lots of problems, including:

  • It has weak security, as it does not restrict applications accessing it by default, and even when it does, it does so simply based on application name which allows any malicious process to impersonate an allowed one
  • The initial setup has huge usability problems, as it forces users to make a choice on a very advanced technical level (encryption methods, no less!), and the option it suggests (GPG) is a nightmare to set up for ordinary users
  • It does support unlocking via PAM, but does not tell users what they need to do to make that work, which results in most users having to enter the KWallet password at each system start, which many find very annoying (we get lots of negative feedback for that)
  • It works only with KDE Frameworks-based applications
  • One cannot easily write a QML GUI for it, making it unsuitable for mobile

Valentin has been working on KSecretService for quite a while, which is based on the freedesktop Secrets API [1] that is also supported in GNOME Keyring, and would solve many (and ideally all) of the above problems. However, Valentin told me he does not have the time to work on KSecretService any more.

This means we have to find a solution to these problems. The options I see currently are
  • Improve KWallet (unlikely to fix all the problems without massive changes in it, though)
  • Find someone to finish and maintain KSecretService
  • Build a wrapper around one of the other existing keyring technologies
  • Each application (and each Plasma component that stores passwords) implements its own encrypted password storage
  • We make encrypted password storage optional and non-default (easiest solution, but not exactly in line with KDE's vision)

Adding some more:

  • kwallet dialog allows keyloggers on X11 (in defence of KWallet, I only know of pinentry which handles this properly at the cost of severely degraded user experience)
  • kwallet does not protect against ptrace (I didn't add the protection, due to the keylogger rendering it pointless)
  • kwallet dialog windows sometimes are placed at the bottom of the stack due to focus stealing prevention (this happens for example with akonadi/other daemons)
  • kwallet shows total gibberish like "kded requested to open the wallet"
  • if one doesn't unlock the wallet fast enough, applications start asking for the password. So getting a coffee while the desktop starts results in thousands of password windows.

https://specifications.freedesktop.org/secret-service/latest/
https://phabricator.kde.org/project/view/26/
https://phabricator.kde.org/source/ksecrets/
https://forum.kde.org/viewtopic.php?f=15&t=156925
https://bugs.kde.org/show_bug.cgi?id=313216
https://www.reddit.com/r/kde/comments/d8tjln/is_there_a_orgfreedesktopsecrets_implementation/

davidedmundson moved this task from Backlog to Needs Input on the KF6 board. Nov 24 2019, 11:25 AM
dfaure added a subscriber: dfaure. Edited Jun 6 2020, 1:03 PM

Alternative solution: we port apps to libqt5keychain, which itself supports KWallet, gnome-keyring and libsecret (which I assume uses "secrets service").
See task T12219


Yes I agree, that would give the smoothest transition. Then all we'd need is a KWallet -> "Successor" conversion (as in conversion of the actual kwl files). Then we can either switch to finishing off KSecretsService (which QKeychain can talk to via libsecret) or use something more featureful like KeePassXC (which supports libsecret).

Either way, using QKeychain would be great as mentioned, because storing secrets becomes a run-time decision (on all platforms!) not bound by KWallet.

If this can mean that GNOME Keyring can work properly, be unlocked on login properly, etc (even if it only does after tweaking its corresponding /etc/xdg/autostart files), then boy you can count me in on liking this idea.

ngompa added a subscriber: ngompa. Nov 2 2020, 1:00 PM
ivzhh added a subscriber: ivzhh. Nov 2 2020, 2:26 PM
masven added a subscriber: masven. Jan 3 2021, 5:35 PM

I was asked to post my POC for choqok as a starting point about how to implement qtkeychain in other libraries. https://github.com/MaSven/choqok/commit/9234f1cc6caa689bf1e50b25743f1d5e58364da7

ognarb added a subscriber: ognarb. Edited Jan 3 2021, 7:58 PM


Looks nice, can you submit an MR in invent.kde.org? (if not already I didn't check)

<del>NeoChat is also using qtkeychain and for the moment nobody complained about it :) Only thing is that we need to use KConfig for Android.</del>

OK, QtKeyChain now provides a new Android backend as of 2 weeks ago (I'm not sure it is released yet)

masven added a comment. Jan 3 2021, 8:13 PM


Sure, will do, but I think this needs a bit more polish first. I don't know if my CMake config is correct because I never used it before. But I will make an MR, and it can be discussed there.

ervin moved this task from Needs Input to In Discussion on the KF6 board. Mar 27 2021, 3:46 PM
ervin moved this task from In Discussion to Needs Input on the KF6 board. Mar 27 2021, 4:48 PM
nicolasfella moved this task from Needs Input to In Progress on the KF6 board. Nov 9 2021, 4:04 PM

The consensus seems to be

Does anyone feel qualified to review that MR?

geck0 added a subscriber: geck0. May 12 2022, 1:03 PM
mikeljohnson renamed this task from "Replace KWallet with KSecretsService (provide org.freedesktop.secrets)" to "[KWallet] Provide org.freedesktop.secrets support". Aug 1 2022, 2:14 PM
mikeljohnson updated the task description.
ngraham closed this task as Resolved. Aug 1 2022, 2:17 PM
ngraham moved this task from In Progress to Done on the KF6 board.
ngraham claimed this task.

Looks like we can mark this as resolved now that the MR was merged!

beat me to it, haha