Bug 458644

Summary: Make legacy KWallet entries searchable via Secret Service API
Product: [Frameworks and Libraries] frameworks-kwallet Reporter: michaelk83 <mk.mateng>
Component: generalAssignee: Valentin Rusu <valir>
Status: RESOLVED FIXED    
Severity: wishlist CC: dashonwwIII, kdelibs-bugs-null, m.kurz, nate, uwu
Priority: NOR    
Version First Reported In: 5.97.0   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: https://invent.kde.org/frameworks/kwallet/-/commit/abf970c067fa465ae9b7b970600de08f035d00e2 Version Fixed In:
Sentry Crash Report:
Bug Depends on:    
Bug Blocks: 458318    

Description michaelk83 2022-09-02 17:42:33 UTC 
SUMMARY
Secret Service API (`org.freedesktop.secrets`) support was added to KWallet Framework in 5.97.0. Legacy entries that were created with the old `org.kde.kwalletd5` lack any attributes, so they're not searchable with the new API. Furthermore, they cannot be easily accessed directly, since their item indices are not trivial to determine. This presents a potential migration issue should the legacy `org.kde.kwalletd5` API be discontinued (Bug 458318).

STEPS TO REPRODUCE
1. Install KWallet 5.97.0 and enable Secret Service integration.
2. Create some entries via the old `org.kde.kwalletd5` API (or via KWalletManager).
3. Inspect the wallet contents via the DBus Secret Service API and/or via a Secret Service client such as Seahorse. For example, run the following commands:

> qdbus org.freedesktop.secrets
> qdbus --literal org.freedesktop.secrets /org/freedesktop/secrets/collection/<name-of-wallet>/<legacy-item-index> org.freedesktop.Secret.Item.Label
> qdbus --literal org.freedesktop.secrets /org/freedesktop/secrets/collection/<name-of-wallet>/<legacy-item-index> org.freedesktop.Secret.Item.Attributes

OBSERVED RESULT
- Legacy items have no attributes, so are not searchable.
- Items are listed by index only; indices of specific items are not trivial to determine.
- Items cannot be accessed by legacy path or label.

EXPECTED RESULT
- Legacy items should be searchable at least by their legacy path and label.

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.97.0

PROPOSAL:
Expose a read-only virtual attribute `org.kde.kwalletd5:label` for all legacy items. The value of this attribute should be the same as the `Label` property of the item, which includes its legacy path. For example, an item created as "mypassword" under folder "MyFolder", would have `org.kde.kwalletd5:label` equal to "MyFolder/mypassword". Items should be searchable by this attribute using the `org.freedesktop.Secret.Service.SearchItems()` and `org.freedesktop.Secret.Collection.SearchItems()` methods.

ADDITIONAL INFORMATION
Legacy entries that were created with the old `org.kde.kwalletd5` are enumerated via the `org.freedesktop.Secret.Service.Collections` and `org.freedesktop.Secret.Collection.Items` properties:
https://specifications.freedesktop.org/secret-service/latest/re01.html
https://specifications.freedesktop.org/secret-service/latest/re02.html

However, they are not listed by label or path, and their DBus paths are based on their index within the collection, not the legacy path. For example, a password created as "Foo/test" may show up only as `/org/freedesktop/secrets/collection/<name-of-wallet>/0`. The item index is not trivial to determine. Furthermore, they lack any attributes, so are not searchable with the `SearchItems()` methods (which can only search by attributes).

This is correct behavior per the Secret Service API specification, as the intention of the API was to search items by their attributes. But the legacy `org.kde.kwalletd5` API does not support specifying attributes.

Exposing a searchable virtual attribute `org.kde.kwalletd5:label` for all legacy items would allow the legacy items to be easily accessed via the Secret Service API. Each client app or library (including but not limited to QtKeyChain) can then migrate legacy items to their new Secret Service location as needed. Client apps would not need QtKeyChain or some other tool to migrate for them (though it's still possible). This approach also guarantees that the source and target locations are in the same backend, so items won't be unintentionally migrated from one secrets store to some other (such as from old KWallet to Gnome keyring).
Comment 1 michaelk83 2022-09-02 18:55:36 UTC 
(In reply to michaelk83 from comment #0)
> Expose a read-only virtual attribute `org.kde.kwalletd5:label` for all legacy items.
Maybe make it non-virtual, so that it's discoverable through `org.freedesktop.Secret.Item.Attributes` property. But this would expose the labels of all legacy items, since attributes are not encrypted per the Secret Service specification - https://specifications.freedesktop.org/secret-service/latest/ch05.html .

This attribute should *not* be added to (non-legacy) items created via the Secret Service API, since clients can't expect the same from other Secret Service API providers.
Comment 2 michaelk83 2022-09-08 20:11:50 UTC 
Better/additional STEPS TO REPRODUCE, assuming the proposed `org.kde.kwalletd5:label` behavior:
1. Install KWallet 5.97.0 and enable Secret Service integration.
2. Create some entries via the old `org.kde.kwalletd5` API (or via KWalletManager). For example, entry "mypass" in folder "test-legacy".
3. Run the following command (adjust the last parameter as needed):
> secret-tool lookup 'org.kde.kwalletd5:label' 'test-legacy/mypass'
(See https://manpages.ubuntu.com/manpages/trusty/man1/secret-tool.1.html )

OBSERVED RESULT
Not found

EXPECTED RESULT
Found
Comment 3 Marco Martin 2025-04-14 13:30:36 UTC 
Git commit abf970c067fa465ae9b7b970600de08f035d00e2 by Marco Martin, on behalf of David Edmundson.
Committed on 11/04/2025 at 13:22.
Pushed by mart into branch 'master'.

Add secret service bridge

The KWallet daemon is replaced by a new daemon which registers
itself on the KWallet dbus service name and exposes all its old api.

But instead of using directly the kwallet backend to store secrets,
it proxies the api requests to a SecretService daemon, offering a
compatibility layer for old kwallet-using applications.
It is to be seen as legacy support and migration aid

This daemon uses the same metadata format of QtKeychain, so
when the application will migrate to it, a further data
migration shouldn't be necessary

The old KWalled daemon is still there: and is called KSecretd.
It doesn't expose the kwallet dbus api animore, but only the
SecretService api. It's used as the default secretservice provider
for the new proxy kwalletd and it's launched by it unless is
explicitly configured to not do so
Related: bug 459289, bug 491280

M  +12   -1    README.md
M  +5    -0    src/api/KWallet/org.kde.KWallet.nodeprecated.xml
M  +5    -0    src/api/KWallet/org.kde.KWallet.xml
M  +15   -0    src/runtime/ksecretd/CMakeLists.txt
M  +2    -0    src/runtime/ksecretd/kwalletfreedesktopcollection.cpp
M  +1    -0    src/runtime/ksecretd/kwalletfreedesktopservice.cpp
M  +1    -1    src/runtime/ksecretd/main.cpp
A  +3    -0    src/runtime/ksecretd/org.kde.secretservicecompat.service.in
A  +3    -0    src/runtime/ksecretd/org.kde.secretservicecompat.service.win.in
A  +73   -0    src/runtime/kwalletd/CMakeLists.txt
A  +1173 -0    src/runtime/kwalletd/kwalletd.cpp     [License: LGPL(v2.0+)]
A  +216  -0    src/runtime/kwalletd/kwalletd.h     [License: LGPL(v2.0+)]
A  +53   -0    src/runtime/kwalletd/main.cpp     [License: GPL(3+eV) GPL(v3.0) LGPL(v2.0)]
A  +3    -0    src/runtime/kwalletd/org.kde.kwalletd5.service.in
A  +3    -0    src/runtime/kwalletd/org.kde.kwalletd5.service.win.in
A  +3    -0    src/runtime/kwalletd/org.kde.kwalletd6.service.in
A  +3    -0    src/runtime/kwalletd/org.kde.kwalletd6.service.win.in
A  +853  -0    src/runtime/kwalletd/secretserviceclient.cpp     [License: LGPL(v2.0+)]
A  +108  -0    src/runtime/kwalletd/secretserviceclient.h     [License: LGPL(v2.0+)]

https://invent.kde.org/frameworks/kwallet/-/commit/abf970c067fa465ae9b7b970600de08f035d00e2