SUMMARY
digiKam saves the MySQL password in ~/.config/digikamrc. Instead it should be stored securely in kdewallet.

STEPS TO REPRODUCE
1. Configure with a MySQL database.

OBSERVED RESULT
Password stored in plain text.

EXPECTED RESULT
Password stored securely.

Report forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721826
There is no plan to add another specific KDE dependency to digiKam for this report. The goal is to reduce KDE dependencies in the future, not to add new ones. But I agree that the password needs to be encrypted in the digikamrc file. Gilles Caulier
We can use QCryptographicHash for that: https://stackoverflow.com/questions/2990722/howto-crypt-encrypt-some-string-e-g-password-on-qt-simple Gilles Caulier
QCryptographicHash only creates a hash. This means that the password cannot be reconstructed; it only allows comparing whether the user has entered the correct password. We would have to "hide" a password to encrypt with in the code. This is not so easy with open source. It would only help in that, on a quick look at the configuration file, the password is not immediately readable. Maik
Hashing the password can be enough for the use case in digiKam. Look at this comment: https://forum.qt.io/topic/76859/encrypt-and-decrypt-the-password-entered-in-qlineedit/8 It's simple to do and safe enough. No need for an extra library, or to be paranoid (:=)))... Gilles
Maik, Good news: the O2 library from digiKam core already includes a simple Qt class to encrypt/decrypt passwords. It is based on this code: https://wiki.qt.io/Simple_encryption_with_SimpleCrypt It's really enough for digiKam. I will use it for the database. The MediaWiki plugin also stores the password in clear text in the config file. I will patch this code too. Gilles
I had already thought about the encryption in the O2 library, even if the key is not really hidden. But it is enough for our purposes. We should probably come up with a solution to see if the current password is still plain text, so that the user does not have to enter the password again. Possibly add a string extension to the encrypted one and check it. Maik
Note: after verification, MediaWiki does not store the password in the config file. Gilles
Maik, Yes, I made a patch in this way in the DBEngineParameters class. The non-encrypted password is read and converted to an encrypted version. The non-encrypted version is removed from the config file. Gilles
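The marker check Maik suggests and the read-and-convert migration Gilles describes, as an added example in plain C++; this is not digiKam's or the O2 SimpleCrypt code, and the config key names, the "ENC1:" marker and the fixed obfuscation key are constructed assumptions.

```cpp
#include <cstdio>
#include <map>
#include <optional>
#include <string>
// Added example, not digiKam's or O2's SimpleCrypt code. The config key names,
// the "ENC1:" marker and the obfuscation key are constructed assumptions.
using Config = std::map<std::string, std::string>;
static const std::string kPlainKey = "Database Password";
static const std::string kEncKey   = "Database Encrypted Password";
static const std::string kMarker   = "ENC1:";  // tags values already converted
static const unsigned char kObfKey[] = {0x5a, 0xc3, 0xf0, 0x0d, 0xb0, 0x0c, 0x9e, 0x10};
// Reversible obfuscation with a key compiled into the program (the SimpleCrypt
// model). Anyone with the source can undo it: it only stops a casual look.
static std::string obfuscate(const std::string& plain) {
    std::string out = kMarker;
    for (size_t i = 0; i < plain.size(); ++i) {
        char hex[3];
        unsigned char c = static_cast<unsigned char>(plain[i] ^ kObfKey[i % sizeof kObfKey]);
        std::snprintf(hex, sizeof hex, "%02x", c);
        out += hex;
    }
    return out;
}
// The marker is the "string extension" check from the thread: a value without
// it (or with an odd-length / non-hex body) was not written by obfuscate().
static std::optional<std::string> deobfuscate(const std::string& stored) {
    if (stored.compare(0, kMarker.size(), kMarker) != 0) return std::nullopt;
    std::string body = stored.substr(kMarker.size()), out;
    if (body.size() % 2) return std::nullopt;
    for (size_t i = 0; i < body.size(); i += 2) {
        unsigned v = 0;
        if (std::sscanf(body.c_str() + i, "%2x", &v) != 1) return std::nullopt;
        out += static_cast<char>(v ^ kObfKey[(i / 2) % sizeof kObfKey]);
    }
    return out;
}
// One-time migration on read: a legacy plain-text entry is converted, the
// plain entry removed, and the user is not asked to re-enter the password.
bool migratePassword(Config& cfg) {
    auto it = cfg.find(kPlainKey);
    if (it == cfg.end()) return false;
    cfg[kEncKey] = obfuscate(it->second);
    cfg.erase(it);
    return true;
}
std::optional<std::string> readPassword(Config& cfg) {
    migratePassword(cfg);
    auto it = cfg.find(kEncKey);
    return it == cfg.end() ? std::nullopt : deobfuscate(it->second);
}
```

Because the key ships in the binary, the stored value protects only against a glance at the file; a wallet or OS keystore is what keeps the secret out of the program's reach.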
Git commit 9e68bc874e38b82e48981df728a1d83d317557f1 by Gilles Caulier. Committed on 14/03/2020 at 07:18. Pushed by cgilles into branch 'master'.

database password encryption: use O2 SimpleCrypt algorithm to store password in config file instead of clear string. Remove older non-encrypted password version in config file.

M +28 -2 core/libs/database/engine/dbengineparameters.cpp

https://invent.kde.org/kde/digikam/commit/9e68bc874e38b82e48981df728a1d83d317557f1
Maik, Take a look at my simple patch just committed. It must work in all cases, I think. Gilles
Yes, works fine. Maik
Thanks Maik for cross-checking, I close this file now... Gilles