SUMMARY
When using the KWallet XDG Secrets Portal implementation with Flatpak packages, the generated secret never gets stored back to the wallet.

STEPS TO REPRODUCE
1. With KWallet running and the main wallet open, run a Flatpak that uses the XDG Secret Portal.
2. Trigger the application to look for secrets (e.g., try to open an encrypted vault).
3. If the application caches its secret, restart the application and try the operation again.

OBSERVED RESULT
Applications will successfully create secrets, but be unable to read them back. In the case of the repro program I wrote (see "Additional Information"), output similar to the following is given:

2024-05-22T03:04:18.100605Z  INFO kwallet_secretportal_repro: Attempt #1
2024-05-22T03:04:18.103380Z  INFO kwallet_secretportal_repro: Secret CRC: b9446548
2024-05-22T03:04:18.103399Z  INFO kwallet_secretportal_repro: Attempt #2
2024-05-22T03:04:18.112340Z  INFO kwallet_secretportal_repro: Secret CRC: cf16a0a8
2024-05-22T03:04:18.112356Z ERROR kwallet_secretportal_repro: Secrets don't match (old CRC: b9446548, new CRC: cf16a0a8)

After a couple of attempts, KWallet shows a message box saying: "There have been repeated failed attempts to gain access to a wallet. An application may be misbehaving."

EXPECTED RESULT
The secret provided from KWallet is the same every time, so applications can decrypt secrets they stored.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Gentoo Linux 2.15 (Kernel 6.6.30-gentoo-dist)
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.2.0
Qt Version: 6.7.0

ADDITIONAL INFORMATION
To help reproduce this error, I've built a small test program (https://invent.kde.org/flurry/secretportalrepro). For a real-world example, I originally saw this when trying to use Pika Backup (https://flathub.org/apps/org.gnome.World.PikaBackup).

Note that this error does not occur when interacting with the Secret Portal outside of a Flatpak. For example, using the same test program in a shell with `cargo run`:

$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s
     Running `target/debug/kwallet-secretportal-repro`
2024-05-22T03:05:20.027170Z  INFO kwallet_secretportal_repro: Attempt #1
2024-05-22T03:05:20.030658Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
2024-05-22T03:05:20.030685Z  INFO kwallet_secretportal_repro: Attempt #2
2024-05-22T03:05:20.033057Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
2024-05-22T03:05:20.033081Z  INFO kwallet_secretportal_repro: Attempt #3
2024-05-22T03:05:20.034901Z  INFO kwallet_secretportal_repro: Secret CRC: becbc17e
Maybe this requires the Flatpak packaging to have appropriate permissions?
Thanks, the test program was very helpful!
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/84
*** Bug 487094 has been marked as a duplicate of this bug. ***
The problem does also occur with the KDE wallet subsystem _disabled_ in the KDE Wallet System Settings.
Git commit 425cf15fc9116a1fc115dd52eb5537c2eb5d66be by Nicolas Fella.
Committed on 22/05/2024 at 20:11.
Pushed by nicolasfella into branch 'master'.

Fix secrets portal wallet access

The current code checks whether the wallet is open and only if it's not calls openAsync.

However, kwallet internally tracks which apps have opened the wallet and only gives access to those that have called open.

This works fine if the portal request triggered the opening of the wallet and subsequent access works, but if the wallet was opened by another app before, any attempt to read from the wallet will fail.

To fix this, always open the wallet before accessing. This allows us to simplify the code since we then can tie a portal request to a KWallet transaction ID.

Also consistently use xdg-desktop-portal as appid when making calls to kwallet.

M  +11   -25   src/runtime/kwalletd/kwalletportalsecrets.cpp
M  +1    -3    src/runtime/kwalletd/kwalletportalsecrets.h

https://invent.kde.org/frameworks/kwallet/-/commit/425cf15fc9116a1fc115dd52eb5537c2eb5d66be
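The access-tracking failure the commit message describes, as an added toy model in plain C++. This is not KWallet's code and uses no Qt or KWallet API; the `Walletd`, `BuggyPortal` and `FixedPortal` classes and the app ids "other-app" and "org.example.App" are constructed here. It shows why a global "is the wallet open?" check is the wrong question when access is granted per caller, and why the symptom is a fresh secret on every call rather than a hard error.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for kwalletd: one global open/closed flag, but access
// is authorized per caller appid and only through a handle returned by open().
class Walletd {
public:
    // Opens the wallet (if needed) and returns a handle that authorizes `appid`.
    int open(const std::string& appid) {
        opened_ = true;
        int handle = nextHandle_++;
        owners_[handle] = appid;
        return handle;
    }
    bool isOpen() const { return opened_; }
    // Both calls fail (return false) unless `handle` was issued to `appid`.
    bool readEntry(int handle, const std::string& appid,
                   const std::string& key, std::string& out) const {
        if (!authorized(handle, appid)) return false;
        auto it = entries_.find(key);
        if (it == entries_.end()) return false;
        out = it->second;
        return true;
    }
    bool writeEntry(int handle, const std::string& appid,
                    const std::string& key, const std::string& value) {
        if (!authorized(handle, appid)) return false;
        entries_[key] = value;
        return true;
    }
private:
    bool authorized(int handle, const std::string& appid) const {
        auto it = owners_.find(handle);
        return it != owners_.end() && it->second == appid;
    }
    bool opened_ = false;
    int nextHandle_ = 1;
    std::map<int, std::string> owners_;     // handle -> appid that obtained it
    std::map<std::string, std::string> entries_;
};

// Portal logic shared by the buggy and fixed variants: look the app's secret up,
// and if nothing comes back, generate a new one and try to store it. If the
// store silently fails, every call hands out a different secret (the CRC
// mismatch seen in the report).
class PortalBase {
public:
    explicit PortalBase(Walletd& w) : wallet_(w) {}
    virtual ~PortalBase() = default;
    std::string retrieveSecret(const std::string& app) {
        int handle = acquireHandle();
        std::string secret;
        if (!wallet_.readEntry(handle, kAppId, app, secret)) {
            secret = "secret-" + std::to_string(++generated_);  // constructed, not random
            wallet_.writeEntry(handle, kAppId, app, secret);     // failure is not surfaced
        }
        return secret;
    }
protected:
    static constexpr const char* kAppId = "xdg-desktop-portal";
    virtual int acquireHandle() = 0;
    Walletd& wallet_;
    int generated_ = 0;
};

class BuggyPortal : public PortalBase {
public:
    using PortalBase::PortalBase;
private:
    // Only opens when the wallet is not already open. If another app opened it
    // first, the portal never obtains an authorized handle and keeps using 0.
    int acquireHandle() override {
        if (!wallet_.isOpen()) handle_ = wallet_.open(kAppId);
        return handle_;
    }
    int handle_ = 0;
};

class FixedPortal : public PortalBase {
public:
    using PortalBase::PortalBase;
private:
    // Always open, so each request is tied to a handle issued to the portal.
    int acquireHandle() override { return wallet_.open(kAppId); }
};

// Runs two retrievals for the same app and reports whether the same secret came back.
bool secretIsStable(bool otherAppOpenedFirst, bool useFix) {
    Walletd wallet;
    if (otherAppOpenedFirst) wallet.open("other-app");  // constructed: someone else opened it
    BuggyPortal buggy(wallet);
    FixedPortal fixed(wallet);
    PortalBase& portal = useFix ? static_cast<PortalBase&>(fixed) : buggy;
    std::string first = portal.retrieveSecret("org.example.App");
    std::string second = portal.retrieveSecret("org.example.App");
    return first == second;
}

int main() {
    std::cout << "buggy, portal opens wallet itself: " << secretIsStable(false, false) << "\n";
    std::cout << "buggy, other app opened first:     " << secretIsStable(true, false) << "\n";
    std::cout << "fixed, other app opened first:     " << secretIsStable(true, true) << "\n";
    return 0;
}
```

The buggy variant only misbehaves in the third scenario, which matches the report: the problem is invisible until some other client has the wallet open before the portal's first request. A defender-side check for this class of bug is to assert that every read or write goes through a handle the caller itself obtained, never through a cached or default one.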
Git commit fc097984e7a6ea127fe7e0ca9df2ff98271888d3 by Nicolas Fella.
Committed on 24/05/2024 at 19:55.
Pushed by nicolasfella into branch 'Frameworks/6.2'.

Fix secrets portal wallet access

The current code checks whether the wallet is open and only if it's not calls openAsync.

However, kwallet internally tracks which apps have opened the wallet and only gives access to those that have called open.

This works fine if the portal request triggered the opening of the wallet and subsequent access works, but if the wallet was opened by another app before, any attempt to read from the wallet will fail.

To fix this, always open the wallet before accessing. This allows us to simplify the code since we then can tie a portal request to a KWallet transaction ID.

Also consistently use xdg-desktop-portal as appid when making calls to kwallet.

(cherry picked from commit 425cf15fc9116a1fc115dd52eb5537c2eb5d66be)

M  +11   -25   src/runtime/kwalletd/kwalletportalsecrets.cpp
M  +1    -3    src/runtime/kwalletd/kwalletportalsecrets.h

https://invent.kde.org/frameworks/kwallet/-/commit/fc097984e7a6ea127fe7e0ca9df2ff98271888d3