Based on https://invent.kde.org/frameworks/kwallet/-/issues/3

SUMMARY
KWallet introduced Secret Service API support in 5.97.0, but only using encrypted communication over DBus ("dh-ietf1024-sha256-aes128-cbc-pkcs7" algorithm).
https://invent.kde.org/frameworks/kwallet/-/blob/master/src/runtime/kwalletd/kwalletfreedesktopservice.cpp#L265

Some applications use a hardcoded "plain" algorithm for secret transfer and the specification says: "It is strongly recommended that a service implementing this API support the plain algorithm."
https://specifications.freedesktop.org/secret-service/latest/ch07s02.html

It would be awesome if "plain" would also be supported to support more applications.

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.97.0
That said, apps should generally use QtKeyChain or at least `libsecret` to communicate with the Secret Service API, so this is more a matter of completeness and broader compatibility with existing apps.
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/35
This change was either intentional or a regression. After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm being used in wallet communications between the VPN frontend and the keyring. The upgrade today was from KWallet 5.96.0 to 5.98.0. The plain algorithm support worked for versions 5.96 and lower. Therefore, a change to restrict this algorithm must have been introduced in 5.97. Can we not revert this change?
(In reply to tgpski from comment #3)
> After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm
> being used in wallet communications between the VPN frontend and the keyring.
>
> The upgrade today was from KWallet 5.96.0 to 5.98.0.

5.97 introduced Secret Service API support in KWallet; there was no Secret Service support at all prior to that. The "plain" algorithm discussed here is specifically the "plain" algorithm for the Secret Service API, which was never implemented.

What I suspect in your case is that the VPN client was possibly using the Secret Service API to store its credentials in Gnome keyring. You can try disabling Secret Service support in the KWallet settings to see if that resolves your issue (you may need to kill the `kwalletd5` process or restart the PC for the change to take effect). If that doesn't help, you'll need to provide more details on the software you are using. But this is not likely to be related to this issue.
Git commit b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3 by Nicolas Fella, on behalf of Georg Kotheimer.
Committed on 11/10/2022 at 21:25.
Pushed by nicolasfella into branch 'master'.

Add support for plain transfer algorithm to Secret Service API

Move the secret transfer encryption and decryption logic from
KWalletFreedesktopSession to the newly introduced
KWalletFreedesktopSessionAlgorithm class, abstracting from the concrete
secret transfer algorithm in use.

M +35 -29 src/runtime/kwalletd/kwalletfreedesktopservice.cpp
M +5 -6 src/runtime/kwalletd/kwalletfreedesktopservice.h
M +73 -26 src/runtime/kwalletd/kwalletfreedesktopsession.cpp
M +34 -13 src/runtime/kwalletd/kwalletfreedesktopsession.h

https://invent.kde.org/frameworks/kwallet/commit/b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3
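
To check whether the Secret Service provider running in a session accepts the "plain" algorithm discussed in this report, the following added example (not part of the thread and not KWallet code) calls `OpenSession` with `gdbus` and classifies the reply. The function names and sample replies are constructed for illustration; the `NotSupported` match assumes the service returns the `org.freedesktop.DBus.Error.NotSupported` error the specification lists for `OpenSession`.

```shell
#!/bin/sh
# Added example: does the Secret Service on the session bus accept "plain"?
# Function names are hypothetical; sample replies below are constructed.

# classify_reply TEXT -> prints supported | unsupported | unknown
classify_reply() {
    case "$1" in
        # The specification lists NotSupported as the OpenSession error.
        *NotSupported*) echo unsupported ;;
        # A successful call returns (output variant, session object path).
        "("*objectpath*) echo supported ;;
        # Anything else: no service on the bus, timeout, other errors.
        *) echo unknown ;;
    esac
}

# probe_plain: call OpenSession("plain", <''>) on org.freedesktop.secrets.
# The session is owned by the gdbus process and ends when it exits.
probe_plain() {
    reply=$(gdbus call --session \
        --dest org.freedesktop.secrets \
        --object-path /org/freedesktop/secrets \
        --method org.freedesktop.Secret.Service.OpenSession \
        plain "<''>" 2>&1) || true
    classify_reply "$reply"
}

# Constructed sample replies, used to exercise the classifier offline.
SAMPLE_OK="(<''>, objectpath '/org/freedesktop/secrets/session/s1')"
SAMPLE_REJECTED="Error: GDBus.Error:org.freedesktop.DBus.Error.NotSupported: constructed message"

# Only touch the bus when explicitly asked to.
if [ "${1:-}" = "--probe" ]; then
    echo "plain: $(probe_plain)"
fi
```

Run it with `--probe` inside the desktop session. A result of `unsupported` means clients that hardcode "plain" will fail against that service, while `unknown` usually means no provider answered on `org.freedesktop.secrets`.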