Bug 487348 - Secret Portal fails to store secret for Flatpak applications
Summary: Secret Portal fails to store secret for Flatpak applications
Status: RESOLVED FIXED
Alias: None
Product: frameworks-kwallet
Classification: Frameworks and Libraries
Component: general (show other bugs)
Version: 6.2.0
Platform: Gentoo Packages Linux
: NOR normal
Target Milestone: ---
Assignee: Valentin Rusu
URL:
Keywords:
: 487094 (view as bug list)
Depends on:
Blocks:
 
Reported: 2024-05-22 03:10 UTC by snow flurry
Modified: 2024-09-16 16:13 UTC (History)
12 users (show)

See Also:
Latest Commit: https://invent.kde.org/frameworks/kwallet/-/commit/fc097984e7a6ea127fe7e0ca9df2ff98271888d3
Version Fixed In: 6.2.1
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description snow flurry 2024-05-22 03:10:06 UTC 
SUMMARY
When using the KWallet XDG Secrets Portal implementation with Flatpak packages, the generated secret never gets stored back to the wallet.

STEPS TO REPRODUCE
1. With KWallet running and the main wallet open, run a Flatpak that uses the XDG Secret Portal.
2. Trigger the application to look for secrets (e.g., try to open an encrypted vault).
3. If the application caches its secret, restart the application and try the operation again.

OBSERVED RESULT
Applications will successfully create secrets, but be unable to read them back. In the case of the repro program I wrote (see "Additional Information"), output similar to the following is given:

2024-05-22T03:04:18.100605Z  INFO kwallet_secretportal_repro: Attempt #1
2024-05-22T03:04:18.103380Z  INFO kwallet_secretportal_repro: Secret CRC: b9446548
2024-05-22T03:04:18.103399Z  INFO kwallet_secretportal_repro: Attempt #2
2024-05-22T03:04:18.112340Z  INFO kwallet_secretportal_repro: Secret CRC: cf16a0a8
2024-05-22T03:04:18.112356Z ERROR kwallet_secretportal_repro: Secrets don't match (old CRC: b9446548, new CRC: cf16a0a8)

After a couple attempts, KWallet shows a message box saying:

"There have been repeated failed attempts to gain access to a wallet. An application may be misbehaving."

EXPECTED RESULT

The secret provided from KWallet is the same every time, so applications can decrypt secrets they stored.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Gentoo Linux 2.15 (Kernel 6.6.30-gentoo-dist)
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.2.0
Qt Version: 6.7.0

ADDITIONAL INFORMATION
To help reproduce this error, I've built a small test program (https://invent.kde.org/flurry/secretportalrepro). For a real-world example, I originally saw this when trying to use Pika Backup (https://flathub.org/apps/org.gnome.World.PikaBackup).

Note that this error does not occur when interacting with the Secret Portal outside of a Flatpak. For example, using the same test program in a shell with `cargo run`:

$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s
     Running `target/debug/kwallet-secretportal-repro`
2024-05-22T03:05:20.027170Z  INFO kwallet_secretportal_repro: Attempt #1
2024-05-22T03:05:20.030658Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
2024-05-22T03:05:20.030685Z  INFO kwallet_secretportal_repro: Attempt #2
2024-05-22T03:05:20.033057Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
2024-05-22T03:05:20.033081Z  INFO kwallet_secretportal_repro: Attempt #3
2024-05-22T03:05:20.034901Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
Comment 1 Nate Graham 2024-05-22 18:52:44 UTC 
Maybe this requires the Flatpak packaging to have appropriate permissions?
Comment 2 Nicolas Fella 2024-05-22 19:42:58 UTC 
Thanks, the test program was very helpful!
Comment 3 Bug Janitor Service 2024-05-22 20:07:28 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/84
Comment 4 Nicolas Fella 2024-05-22 20:13:46 UTC 
*** Bug 487094 has been marked as a duplicate of this bug. ***
Comment 5 Liz Lee 2024-05-23 08:59:06 UTC 
The problem does also occur with the KDE wallet subsystem _disabled_ in the KDE Wallet System Settings.
Comment 6 Nicolas Fella 2024-05-24 19:53:55 UTC 
Git commit 425cf15fc9116a1fc115dd52eb5537c2eb5d66be by Nicolas Fella.
Committed on 22/05/2024 at 20:11.
Pushed by nicolasfella into branch 'master'.

Fix secrets portal wallet access

The current code checks whether the wallet is open and only if it's not calls openAsync

However kwallet internally tracks which apps have openend the wallet and only gives access to those that have called open

This works fine if the portal request triggered the opening of the wallet and subsequent access works, but if the wallet was opened by another app before any attempt to read from the wallet will fail

To fix this always open the wallet before accessing. This allows to simplify the code since we then can tie a portal request to a KWallet transaction ID.

Also consistently use xdg-desktop-portal as appid when making calls to kwallet

M  +11   -25   src/runtime/kwalletd/kwalletportalsecrets.cpp
M  +1    -3    src/runtime/kwalletd/kwalletportalsecrets.h

https://invent.kde.org/frameworks/kwallet/-/commit/425cf15fc9116a1fc115dd52eb5537c2eb5d66be
Comment 7 Nicolas Fella 2024-05-24 19:56:17 UTC 
Git commit fc097984e7a6ea127fe7e0ca9df2ff98271888d3 by Nicolas Fella.
Committed on 24/05/2024 at 19:55.
Pushed by nicolasfella into branch 'Frameworks/6.2'.

Fix secrets portal wallet access

The current code checks whether the wallet is open and only if it's not calls openAsync

However kwallet internally tracks which apps have openend the wallet and only gives access to those that have called open

This works fine if the portal request triggered the opening of the wallet and subsequent access works, but if the wallet was opened by another app before any attempt to read from the wallet will fail

To fix this always open the wallet before accessing. This allows to simplify the code since we then can tie a portal request to a KWallet transaction ID.

Also consistently use xdg-desktop-portal as appid when making calls to kwallet
(cherry picked from commit 425cf15fc9116a1fc115dd52eb5537c2eb5d66be)

M  +11   -25   src/runtime/kwalletd/kwalletportalsecrets.cpp
M  +1    -3    src/runtime/kwalletd/kwalletportalsecrets.h

https://invent.kde.org/frameworks/kwallet/-/commit/fc097984e7a6ea127fe7e0ca9df2ff98271888d3
Comment 8 Roke Julian Lockhart Beedell 2024-09-02 12:01:20 UTC 
*** Bug 492541 has been marked as a duplicate of this bug. ***
Comment 9 Daniel Rusek 2024-09-14 20:46:49 UTC 
It is not clear whether this actually has been resolved. Multiple users claim that it still happens on their systems with KWallet 6.5 and even that the freedesktop secrets service is (in some cases) now broken for non-Flatpak applications as well since the 6.5 update.

Please see this new ticket: https://bugs.kde.org/show_bug.cgi?id=492541
And also the downstream (Fedora) ticket: https://bugzilla.redhat.com/show_bug.cgi?id=2276060