| Summary: | plasma-nm is now unable to read passwords from KeepassXC-based secret service backend | | |
|---|---|---|---|
| Product: | [Plasma] plasmashell | Reporter: | Andreas Schneider <asn> |
| Component: | Networking in general | Assignee: | Plasma Bugs List <plasma-bugs-null> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | caucusgrating600, dion, john, kde, lgmrszd, mail, mk.mateng, nate, nicolas.fella, notmart, tbondvagyok, turtoise |
| Priority: | NOR | Keywords: | regression |
| Version First Reported In: | 6.3.5 | | |
| Target Milestone: | 1.0 | | |
| Platform: | Fedora RPMs | | |
| OS: | Linux | | |
| See Also: | https://bugs.kde.org/show_bug.cgi?id=504358 https://bugs.kde.org/show_bug.cgi?id=515024 https://bugs.kde.org/show_bug.cgi?id=514039 | | |
| Latest Commit: | | Version Fixed/Implemented In: | |
| Sentry Crash Report: | | | |
| Attachments: | DBus traces of entering WiFi password (password removed from traces); Full dbus log for a fresh user; Analysis of the DBus log from comment 23 | | |

Description
Andreas Schneider
2025-05-16 07:39:40 UTC
AFAIK, plasma-nm doesn't have code to use Secret Service directly. It's one of the KDE apps that need to be migrated to QtKeyChain (which can use both Secret Service and old KWallet APIs). Until that's implemented, the other part here is to make sure that the kwalletd proxy is working correctly (it may not be).

Now that we have a few more users here, it would be good to get some DBus traces, so we can check if kwalletd is at fault. The relevant interfaces are org.kde.kwalletd6, org.kde.KWallet, org.freedesktop.secrets, and org.kde.secretservicecompat. Or you could filter by path: /modules/kwalletd6, /org/freedesktop/secrets, and /ksecretd.
It would also be good to see your kwalletrc, to check that everything is configured correctly (or to see how different configurations affect the behavior).

One thing I noted while using keepassXC is that every entry in the wallet is separately locked, but what should happen in that case is keepassxc popping up with some GUI to unlock when networkmanager tries to access the network

(In reply to michaelk83 from comment #2)
> Now that we have a few more users here, it would be good to get some DBus
> traces, so we can check if kwalletd is at fault. The relevant interfaces are
> org.kde.kwalletd6, org.kde.KWallet, org.freedesktop.secrets, and
> org.kde.secretservicecompat. Or you could filter by path:
> /modules/kwalletd6, /org/freedesktop/secrets, and /ksecretd.
>
> It would also be good to see your kwalletrc, to check that everything is
> configured correctly (or to see how different configurations affect the
> behavior).

For me, this is the kwalletrc:
```
[KSecretD]
Enabled=false
[Migration]
MigrateTo3rdParty=true
WalletsMigratedToSecretService=kdewallet
[Wallet]
Close When Idle=false
Close on Screensaver=false
Default Wallet=Passwörter
Enabled=true
First Use=false
Idle Timeout=10
Launch Manager=false
Leave Manager Open=false
Leave Open=true
Prompt on Open=false
Use One Wallet=true
[org.freedesktop.secrets]
apiEnabled=true
```
And I'll add the DBus Traces as attachment.

Created attachment 181492 [details]
DBus traces of entering WiFi password (password removed from traces)

(In reply to Marco Martin from comment #3)
> One thing I noted while using keepassXC is that every entry in the wallet is
> separately locked, but what should happen in that case is keepassxc popping
> up with some GUI to unlock when networkmanager tries to access the network

That's a good point, but one of the problems with that is that not all the relevant API methods support the Prompt interface. However, KeePassXC may still try to show an unlock prompt to avoid some other problems. In that case, the call can still time out.
See https://gitlab.freedesktop.org/xdg/xdg-specs/-/issues/101 and https://github.com/keepassxreboot/keepassxc/issues/4443
To avoid that, clients should never use `Collection.SearchItems()` with KeePassXC (`Service.SearchItems()` at least has a `locked` output array), and, if possible, should issue an explicit `Unlock()` call before trying any other operations.

(In reply to turtoise from comment #5)
> Created attachment 181492 [details]
> DBus traces of entering WiFi password (password removed from traces)

Thanks! What I see from this trace, is:
A. The network manager is talking to the old KWallet API (and not directly to Secret Service), as expected currently.
B. More `folderUpdated` signals than I'd expect to see, for a bunch of unrelated folders. Might indicate some issue or weird behavior, but probably not related to this bug.
C. There are a few attempts to save a password (writeMap), and what looks like one attempt to read it back (readMap), but without the `method return` bits, it's hard to tell if any of these are successful or not.
I don't see any communication between KWallet and KeePassXC's Secret Service. That's probably due to the trace filter. What I would like to see is the part where plasma-nm is trying (and failing) to read the stored password, including the communication between KWallet and KeePassXC, and with the method return values as well.

Trying to reproduce, I didn't manage to reproduce the problem
In KeepassXC I do get an entry for each wifi network, in the form "Network Management/{UUID such as 07ea43b2-......}/802-11-wireless-security"; each of them contains a value of type {"psk": "pass..."}
NetworkManager seems to be able to access those entries just fine and seems to just work.
Is it by chance all normal preshared keys, or is it more complicated wifi authentication methods?

(In reply to michaelk83 from comment #6)
> (In reply to Marco Martin from comment #3)
> > One thing I noted while using keepassXC is that every entry in the wallet is
> > separately locked, but what should happen in that case is keepassxc popping
> > up with some GUI to unlock when networkmanager tries to access the network
>
> That's a good point, but one of the problems with that is that not all the
> relevant API methods support the Prompt interface. However, KeePassXC may
> still try to show an unlock prompt to avoid some other problems. In that
> case, the call can still time out.
> See https://gitlab.freedesktop.org/xdg/xdg-specs/-/issues/101 and
> https://github.com/keepassxreboot/keepassxc/issues/4443
>
> To avoid that, clients should never use `Collection.SearchItems()` with
> KeePassXC (`Service.SearchItems()` at least has a `locked` output array),
> and, if possible, should issue an explicit `Unlock()` call before trying any
> other operations.

Searching is fine, it will get the names and the metadata of the locked value just fine, it will just need an explicit unlock when trying to actually retrieve the secret, which we do. When this happens, I see that for me keepassxc pops up with an authorization dialog

(In reply to Marco Martin from comment #8)
> Trying to reproduce, I didn't manage to reproduce the problem
>
> In KeepassXC I do get an entry for each wifi network, in the form "Network
> Management/{UUID such as 07ea43b2-......}/802-11-wireless-security" each of
> them contains a value of type {"psk": "pass..."}
>
> NetworkManager seems to be able to access those entries just fine and seems
> to just work.

Actually, for me it's the same behaviour, KeePassXC is updating the Network Management Key correctly. But my system does not seem to ask KeePassXC for the keys so for me it may be a configuration problem only.

(In reply to turtoise from comment #10)
> Actually, for me it's the same behaviour, KeePassXC is updating the Network
> Management Key correctly. But my system does not seem to ask KeePassXC for
> the keys so for me it may be a configuration problem only.

If you go in the kwallet systemsettings page, is the "default wallet" set to the one where the password is actually saved?

(In reply to michaelk83 from comment #2)
> Now that we have a few more users here, it would be good to get some DBus
> traces, so we can check if kwalletd is at fault. The relevant interfaces are
> org.kde.kwalletd6, org.kde.KWallet, org.freedesktop.secrets, and
> org.kde.secretservicecompat. Or you could filter by path:
> /modules/kwalletd6, /org/freedesktop/secrets, and /ksecretd.
>
> It would also be good to see your kwalletrc, to check that everything is
> configured correctly (or to see how different configurations affect the
> behavior).

I'm also running into issues on my notebook with Fedora 42. How exactly do I trace dbus? I can open kwallet, and if I open a password in kwallet, keepassxc asks me if kwallet is allowed to read the password. Also my mailtransport passwords are there and work just fine. However with plasma-nm I'm not able to store a password. I also don't get any popups anymore. This is really strange. However I don't really know how to debug it and help would be very welcome.

Same problem here, happy to add my dbus traces - can you share the command we should run so you receive the traces you need?
kwalletrc (Last line added by me to disable the service):
```
[Wallet]
First Use=false
Enabled=false
```

(In reply to Jan Torben Heuer from comment #14)
> Same problem here, happy to add my dbus traces - can you share the command
> we should run so you receive the traces you need?

What I did to create the traces were the following things:
1. Run this command:
```
dbus-monitor "interface='org.kde.kwalletd6'" \
"interface='org.kde.KWallet'" \
"interface='org.freedesktop.secrets'" \
"interface='org.kde.secretservicecompat'" \
"path='/modules/kwalletd6'" \
"path='/org/freedesktop/secrets'" \
"path='/ksecretd'" > ~/kwallet-dbus.log
```
2. Connect to the WiFi such that the traces are written into the log file. Then stop the monitoring.
3. In the resulting log file, there were byte arrays that represented my password. I removed the password from the log.

KDE Plasma 6.4.5 / KDE 6.17.0
Running this command I see only this output and only after manually entering the wifi password. I suspect this output comes from some kind of after-connect hook from akonadi/kontact:
```
array [
dict entry(
string "user"
string "akonadi_davgroupware_resource_1,$default$"
)
dict entry(
string "server"
string "Passwords"
)
dict entry(
string "type"
string "plaintext"
)
]
method call time=1768846209.104867 sender=:1.132 -> destination=:1.73 serial=79 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
array [
dict entry(
string "user"
string "akonadi_davgroupware_resource_1,$default$"
)
dict entry(
string "server"
string "Passwords"
)
dict entry(
string "type"
string "base64"
)
]
method call time=1768846209.108048 sender=:1.99 -> destination=:1.73 serial=30 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
array [
dict entry(
string "user"
string "akonadi_imap_resource_0rc"
)
dict entry(
string "server"
string "imap"
)
dict entry(
string "type"
string "plaintext"
)
]
method call time=1768846209.108294 sender=:1.99 -> destination=:1.73 serial=31 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=GetSecrets
array [
object path "/org/freedesktop/secrets/collection/Passwords/ae487b58e01e4e1093c754ccea2a1e9e"
]
object path "/org/freedesktop/secrets/session/d152eb256fd94902865e1729c68b5c80"
```
It can be tricky to get the correct filtering so you don't over-filter useful communication. If you have `busctl`, you can try
`busctl monitor org.freedesktop.secrets org.kde.kwalletd6 > ~/kwallet-dbus.log`
Otherwise, this one might work ok:
```
dbus-monitor "path_namespace='/modules/kwalletd6'" \
"path_namespace='/org/freedesktop/secrets'" \
"path_namespace='/ksecretd'" \
"type='method_return'" \
"type='error'" > ~/kwallet-dbus.log
```
However, I notice your wallet seems to be disabled. Since plasma-nm doesn't support Secret Service directly yet, we still need kwalletd to act as a proxy. So first step is to enable it. Then, if you want it to proxy to KeePassXC, follow their instructions to enable Secret Service integration, and https://notmart.org/blog/2025/04/towards-a-transition-from-kwallet-to-secret-service to connect the two. Also make sure you're not running GNOME keyring daemon - sometimes it's installed without users realizing, and can take over the Secret Service bus.
Okay, I managed to get kwallet configured according to the blog post above:
```
[KSecretD]
Enabled=false
[Migration]
MigrateTo3rdParty=true
```
Restarting the KDE session triggered a migration and I got a keepassxc popup, a few new entries from kontact, nextcloud and the network manager. So far so good!
On the next restart however, it didn't work anymore: Both kontact and network manager time out. Nextcloud (I assume they have native freedesktop support) works fine, so I think the freedesktop api -> keepassxc part works.
This is what my kwalletrc looks like now; does this look correct to you, after the migration of the entries?
```
[KSecretD]
Enabled=false
[Migration]
MigrateTo3rdParty=true
WalletsMigratedToSecretService=kdewallet
[Wallet]
Close When Idle=false
Close on Screensaver=false
Enabled=true
First Use=false
Idle Timeout=10
Launch Manager=false
Leave Manager Open=false
Leave Open=true
Prompt on Open=false
Use One Wallet=true
[org.freedesktop.secrets]
apiEnabled=false
```
Another observation: When changing the password type of my WiFi to "Ask for this password every time" it still didn't prompt me but timed out after some time.
This is the log until the network manager "Waiting for authorization" times out with "No secrets were provided":
```
$ dbus-monitor "interface='org.kde.kwalletd6'" \
"interface='org.kde.KWallet'" \
"interface='org.freedesktop.secrets'" \
"interface='org.kde.secretservicecompat'" \
"path='/modules/kwalletd6'" \
"path='/org/freedesktop/secrets'" \
"path='/ksecretd'"
signal time=1769356679.339025 sender=org.freedesktop.DBus -> destination=:1.141 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
string ":1.141"
signal time=1769356679.339070 sender=org.freedesktop.DBus -> destination=:1.141 serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
string ":1.141"
```
Another observation: keepassxc lists as applications using secret service "kontact", "akonadi_imap_resource" and "nextcloud" - I'm almost sure that I saw kwallet(5/6) here during the working session.
So again: What are the key settings in kwalletrc to get the "proxy to another secret service setup"? And should I maybe never modify the kwallet settings in the system settings GUI?

(In reply to Jan Torben Heuer from comment #18)
Your kwalletrc looks ok now. Just to be safe, make sure your KeePassXC has DBus autostart set up, similar to https://wiki.archlinux.org/title/KDE_Wallet#Automatic_D-Bus_activation but pointing at your KeePassXC executable.
For the logs, try one of the options I posted in comment 17.

```
$ busctl monitor org.freedesktop.secrets org.kde.kwalletd6
Call to org.freedesktop.DBus.Monitoring.BecomeMonitor failed: Access denied
$ sudo busctl monitor org.freedesktop.secrets org.kde.kwalletd6
[sudo: authenticate] Password:
Monitoring bus message stream.
```
Didn't return anything (I clicked on my Wifi in plasma-nm and waited for the authentication to time out, so until the desktop notification appeared),
```
$ dbus-monitor "path_namespace='/modules/kwalletd6'" \
"path_namespace='/org/freedesktop/secrets'" \
"path_namespace='/ksecretd'" \
"type='method_return'" \
"type='error'"
signal time=1769365021.108310 sender=org.freedesktop.DBus -> destination=:1.149 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
string ":1.149"
signal time=1769365021.108373 sender=org.freedesktop.DBus -> destination=:1.149 serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
string ":1.149"
method return time=1769365022.353401 sender=:1.71 -> destination=:1.15 serial=3252 reply_serial=2324
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 2
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365022.354983 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2325
string "No entry for background"
method return time=1769365027.356838 sender=:1.71 -> destination=:1.15 serial=3253 reply_serial=2326
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 2
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365027.358695 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2327
string "No entry for background"
method return time=1769365035.339460 sender=:1.19 -> destination=:1.71 serial=3039 reply_serial=3254
boolean false
method return time=1769365035.339938 sender=:1.71 -> destination=:1.15 serial=3255 reply_serial=2328
variant boolean false
method return time=1769365035.339964 sender=:1.71 -> destination=:1.15 serial=3256 reply_serial=2328
method return time=1769365035.340529 sender=:1.15 -> destination=:1.31 serial=2329 reply_serial=1872
variant variant boolean false
method return time=1769365035.394251 sender=:1.19 -> destination=:1.71 serial=3043 reply_serial=3258
variant boolean false
method return time=1769365035.394604 sender=:1.19 -> destination=:1.71 serial=3044 reply_serial=3260
variant boolean true
method return time=1769365035.394738 sender=:1.19 -> destination=:1.71 serial=3045 reply_serial=3262
variant boolean true
method return time=1769365040.373830 sender=:1.71 -> destination=:1.15 serial=3266 reply_serial=2333
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 2
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365040.375345 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2334
string "No entry for background"
method return time=1769365045.376834 sender=:1.71 -> destination=:1.15 serial=3267 reply_serial=2335
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 2
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365045.378253 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2336
string "No entry for background"
method return time=1769365050.379591 sender=:1.71 -> destination=:1.15 serial=3268 reply_serial=2337
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 2
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365050.380788 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2338
string "No entry for background"
method return time=1769365055.382444 sender=:1.71 -> destination=:1.15 serial=3269 reply_serial=2339
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 2
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365055.383773 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2340
string "No entry for background"
method return time=1769365157.135106 sender=:1.31 -> destination=:1.24 serial=1873 reply_serial=665
uint32 29
method return time=1769365157.151535 sender=:1.31 -> destination=:1.24 serial=1874 reply_serial=666
uint32 30
method return time=1769365157.294750 sender=:1.31 -> destination=:1.24 serial=1875 reply_serial=667
uint32 29
method return time=1769365157.296223 sender=:1.31 -> destination=:1.24 serial=1876 reply_serial=668
uint32 30
method return time=1769365162.137998 sender=:1.71 -> destination=:1.15 serial=3272 reply_serial=2341
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 1
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365162.139280 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2342
string "No entry for background"
method return time=1769365167.141509 sender=:1.71 -> destination=:1.15 serial=3273 reply_serial=2343
array [
dict entry(
string "firefox_firefox"
variant uint32 1
)
dict entry(
string "org.kde.akonadiconsole"
variant uint32 1
)
dict entry(
string "org.kde.discover"
variant uint32 1
)
dict entry(
string "org.kde.dolphin"
variant uint32 1
)
dict entry(
string "org.kde.kcalc"
variant uint32 1
)
dict entry(
string "org.kde.kontact"
variant uint32 1
)
dict entry(
string "org.kde.plasmashell"
variant uint32 1
)
dict entry(
string "org.kde.spectacle"
variant uint32 1
)
dict entry(
string "org.kde.xwaylandvideobridge"
variant uint32 1
)
dict entry(
string "org.kde.yakuake"
variant uint32 1
)
dict entry(
string "org.keepassxc.KeePassXC"
variant uint32 1
)
]
error time=1769365167.142926 sender=:1.17 -> destination=:1.15 error_name=org.freedesktop.portal.Error.NotFound reply_serial=2344
string "No entry for background"
method return time=1769365169.567907 sender=:1.19 -> destination=:1.71 serial=3049 reply_serial=3276
variant boolean true
method return time=1769365169.569260 sender=:1.19 -> destination=:1.71 serial=3050 reply_serial=3278
variant boolean true
method return time=1769365169.570097 sender=:1.19 -> destination=:1.71 serial=3051 reply_serial=3280
variant boolean true
^C
```
Checking that kwallet is running:
```
$ ps aux | grep kwalletd6
jan 2436 0.0 0.6 847816 107412 ? SLl 14:34 0:00 /usr/bin/kwalletd6
```
And checking that keepassxc is accessible:
```
secret-tool search server "Network Management"
[/9ace364bfec84348b12e2b40044d2c16]
label = Network Management/{f8f55a76-a179-4245-8be5-5106a38d2a1d};802-11-wireless-security
secret = {"psk":"<WiFi password redacted>"}
created = 2026-01-24 16:28:17
modified = 2026-01-24 16:28:17
schema = org.qt.keychain
attribute.URL =
attribute.user = {f8f55a76-a179-4245-8be5-5106a38d2a1d};802-11-wireless-security
attribute.Title = Network Management/{f8f55a76-a179-4245-8be5-5106a38d2a1d};802-11-wireless-security
attribute.UserName = jtheuer
attribute.Notes =
attribute.Uuid = 9ace364bfec84348b12e2b40044d2c16
attribute.Path = /Network Management/{f8f55a76-a179-4245-8be5-5106a38d2a1d};802-11-wireless-security
attribute.type = map
attribute.server = Network Management
```
The only keepassxc oddness here is that it automatically adds the "attribute.UserName" entry by default....

Hmm... I still don't see any communication between KWallet and Secret Service - or between plasma-nm and KWallet, for that matter. Maybe `busctl --user monitor org.freedesktop.secrets org.kde.kwalletd6` would work? (add --user)
It's best to post these long logs as attachments, rather than inline.

Created a fresh user account, set up keepassxc as secret service, disabled the ksecretd, restarted session. Captured all dbus logs (see attachment, all byte arrays redacted). Clicked on my WiFi name and entered the password. Same timeout observed and nothing stored in keepassxc. But I noticed a popup asking for the creation of a new keepass file (which is strange but shows that there is at least some sort of interaction). Hope this helps

Created attachment 188923 [details]
Full dbus log for a fresh user

Created attachment 189003 [details]
Analysis of the DBus log from comment 23

(In reply to Jan Torben Heuer from comment #22)
> Same timeout observed and nothing stored in keepassxc. But I noticed a popup
> asking for the creation of a new keepass file

Based on your log, it looks like Network Manager specifically asks for "kdewallet", but your Secret Service database was `.../secrets/collection/Passwords` with label "Passwords". That's why you saw the create DB dialog. Later in the log you ended up creating a "Passwords_2a11" DB, with label "kdewallet".
It also looks like you don't have a DBus autostart file for org.freedesktop.secrets. See my comment 19. Without this, DBus doesn't know how to start org.freedesktop.secrets (KeePassXC) on demand. This shouldn't be an issue if KeePassXC is already running anyway (which seems to be the case here), but worth noting.
The detailed analysis is attached.
@Marco Martin: From what I can see, `KWalletD::openInternal()` doesn't try to resolve "kdewallet" as the default alias. Though I'm not sure what the behavior should be if the default alias points to a collection that has a _different_ label than "kdewallet" (as in this case). If we're treating "kdewallet" as the legacy equivalent of the default alias, then I think the actual label shouldn't matter.
It also looks like Network Manager doesn't listen for KWallet's `walletCreated` and `walletListDirty` signals. It's only waiting for `walletAsyncOpened`, which KWallet never sends out for a new wallet. So it just sits there waiting for the wallet to be opened (until it times out, I guess), completely oblivious that a new wallet has been created.

(In reply to michaelk83 from comment #24)
> I'm not sure what the behavior should be if the default alias points to
> a collection that has a _different_ label than "kdewallet" (as in this case).
> If we're treating "kdewallet" as the legacy equivalent of the default alias,
> then I think the actual label shouldn't matter.

When KWallet migrates the data from the default wallet to a 3rd party provider, it ignores the actual label of the target collection. It should do the same when accessing the default wallet.
https://invent.kde.org/frameworks/kwallet/-/blob/master/src/runtime/kwalletd/kwalletd.cpp?ref_type=heads#L214-220

There is an issue with ~/.local/share/dbus-1/services/org.freedesktop.secrets.service
```
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/keepassxc
```
If you have plasma-nm and a wifi network. This starts keepassxc before Plasma is fully initialized. It starts before it can register a system tray icon. It starts somewhere in the background and you need to call keepassxc to bring the window into foreground.
I have 2 better ways but they do not fully work yet.

Option 1:
~/.local/share/dbus-1/services/org.freedesktop.secrets.service
```
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/bin/false
SystemdService=keepassxc.service
```
~/.config/systemd/user/keepassxc.service
```
[Unit]
Description=KeePassXC
After=plasma-plasmashell.service
PartOf=graphical-session.target
[Service]
ExecStart=/usr/bin/keepassxc
Restart=on-failure
[Install]
WantedBy=plasma-workspace.target
```
Problem: keepassxc is started before `busctl --user status org.kde.StatusNotifierWatcher` is up for system tray icons registration. You need to call keepassxc to bring it into foreground.

Option:
~/.local/share/dbus-1/services/org.freedesktop.secrets.service
```
[D-BUS Service]
Name=org.freedesktop.secrets
Exec=/usr/bin/kioclient --desktopfile ~/.local/share/keepassxc.desktop
```
~/.local/share/keepassxc.desktop
```
[Desktop Entry]
Name=KeePassXC
GenericName=Password Manager
Exec=keepassxc
TryExec=keepassxc
Icon=keepassxc
StartupWMClass=keepassxc
StartupNotify=false
Terminal=false
Type=Application
Version=1.0
Categories=Utility;Security;Qt;
MimeType=application/x-keepass2;
X-GNOME-Autostart-enabled=true
X-GNOME-Autostart-Delay=2
X-KDE-autostart-after=panel
X-LXQt-Need-Tray=true
```
Problem: Keepassxc starts and asks for the password correctly, but after unlocking plasma-nm is not able to fetch the password :-(

(In reply to Andreas Schneider from comment #26)
> If you have plasma-nm and a wifi network. This starts keepassxc before
> Plasma is fully initialized.

That's probably bug 514039 (or related).

> Option 1: ...

This looks malformed. But correct SystemD+DBus setup is outside the scope of this issue. You'll need to consult online resources.

> Option (2):
> Problem: Keepassxc starts and asks for the password correctly, but after
> unlocking plasma-nm is not able to fetch the password :-(

Make sure your Secret Service DB is named "kdewallet". Network Manager expects that specific wallet, which in turn makes kwalletd look for a collection with that specific label. If I'm not mistaken, KeePassXC takes the collection label from the DB name (the internal name, not the file name).
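
The thread asks for traces that include the `method return` lines, and reporters had to strip password byte arrays by hand before attaching them. The following is an added example, not part of the bug report or of any KDE or KeePassXC code: it redacts byte-array payloads from a `dbus-monitor` text log and pairs each method call with its reply, so that calls that error out or never get an answer stand out. It assumes byte arrays are printed as `array of bytes [ ... ]` or `array of bytes "..."`; the sample log is constructed.

```python
import re

# Constructed sample in dbus-monitor's text format; bus names, serials and
# payload are made up and do not come from the attachments on this bug.
SAMPLE = """\
method call time=1700000000.100000 sender=:1.50 -> destination=org.kde.kwalletd6 serial=10 path=/modules/kwalletd6; interface=org.kde.KWallet; member=writeMap
   int32 42
   string "Network Management"
   string "{00000000-0000-0000-0000-000000000000};802-11-wireless-security"
   array of bytes [
      00 00 00 01 00 00 00 06 00 70 00 73 00 6b 00 00 00 0c 00 73 00 33 00 63
      00 72 00 33 00 74
   ]
   string "constructed-app-id"
method return time=1700000000.120000 sender=:1.60 -> destination=:1.50 serial=99 reply_serial=10
   int32 0
method call time=1700000000.200000 sender=:1.60 -> destination=:1.73 serial=100 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=GetSecrets
error time=1700000000.210000 sender=:1.73 -> destination=:1.60 error_name=org.freedesktop.Secret.Error.IsLocked reply_serial=100
   string "constructed error text"
method call time=1700000000.300000 sender=:1.50 -> destination=org.kde.kwalletd6 serial=11 path=/modules/kwalletd6; interface=org.kde.KWallet; member=readMap
   int32 42
""".splitlines()

HEADER = re.compile(
    r"^(?P<kind>method call|method return|error|signal) time=(?P<time>[\d.]+) "
    r"sender=(?P<sender>\S+) -> "
    r"destination=(?P<dest>\(null destination\)|\S+)(?P<rest>.*)$")
FIELD = re.compile(
    r"\b(reply_serial|serial|path|interface|member|error_name)=([^\s;]+)")


def redact(lines):
    """Return the log with every byte-array payload replaced by a marker.

    Only byte arrays are handled; secrets passed as plain `string`
    arguments are left alone and still need a manual review.
    """
    out, in_hex = [], False
    for line in lines:
        text = line.strip()
        indent = line[: len(line) - len(line.lstrip())]
        if in_hex:
            if text == "]":      # end of the hex dump: keep the bracket
                in_hex = False
                out.append(line)
            continue             # the hex rows themselves are dropped
        if text == "array of bytes [":
            in_hex = True
            out += [line, indent + "   <redacted>"]
        elif text.startswith('array of bytes "'):
            out.append(indent + 'array of bytes "<redacted>"')
        else:
            out.append(line)
    return out


def parse(lines):
    """Turn header lines into dicts; indented body lines are skipped."""
    msgs = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            msg = {"kind": m["kind"], "time": float(m["time"]),
                   "sender": m["sender"], "dest": m["dest"]}
            msg.update(FIELD.findall(m["rest"]))
            msgs.append(msg)
    return msgs


def outcomes(msgs):
    """Pair each method call with its reply: ok, error: <name>, or no reply.

    A reply answers the call whose sender equals the reply's destination
    and whose serial equals the reply's reply_serial.
    """
    replies = {(m["dest"], m.get("reply_serial")): m
               for m in msgs if m["kind"] in ("method return", "error")}
    result = []
    for m in msgs:
        if m["kind"] != "method call":
            continue
        reply = replies.get((m["sender"], m.get("serial")))
        if reply is None:
            status = "no reply"
        elif reply["kind"] == "error":
            status = "error: " + reply.get("error_name", "?")
        else:
            status = "ok"
        result.append((m.get("interface", ""), m.get("member", ""), status))
    return result


if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
    for iface, member, status in outcomes(parse(SAMPLE)):
        print(f"{iface}.{member}: {status}")
```

To use it on a real capture, pass the lines of the saved log file to the same functions and attach the redacted output instead of the raw file.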