508870 – XDG Secrets portal does not trigger kwallet unlock

Bug 508870 - XDG Secrets portal does not trigger kwallet unlock

Summary: XDG Secrets portal does not trigger kwallet unlock

Status:	RESOLVED FIXED

Alias:	None

Product:	frameworks-kwallet
Classification:	Frameworks and Libraries
Component:	general (other bugs)
Version First Reported In:	6.12.0
Platform:	Kubuntu Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Valentin Rusu

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-08-28 19:07 UTC by Naomi Kirby
Modified:	2025-08-31 16:20 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:	https://invent.kde.org/frameworks/kwallet/-/commit/ecf9e2ec7fceca538a9266f5bb9488b4dced1d09
Version Fixed In:	6.18
Sentry Crash Report:

Attachments
Reproduction tool to dump secrets from the XDG portal (1.88 KB, application/gzip) 2025-08-28 19:07 UTC, Naomi Kirby	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Naomi Kirby 2025-08-28 19:07:31 UTC

Created attachment 184534 [details]
Reproduction tool to dump secrets from the XDG portal

SUMMARY
Configuring a Kubuntu installaton to automatically log a user in shows a warning message that the user will be prompted to unlock every time they are logged in. However, no such login prompt is shown. Attempting to access the KDE wallet via the XDG secrets portal does not trigger the KDE wallet unlock dialog, and reading the secret fails.  

STEPS TO REPRODUCE
1. Install Kubuntu 25.04
2. Enable the `Automatically log in` setting under the `Login Screen (SDDM)` settings.
3. Reboot the system and you should be logged into the desktop.
4. Compile the attached reproduction tool.
5. Run `dumpsecret`

OBSERVED RESULT
Reading the secret over the XDG secrets portal fails with an result code of 2:
> Got Secret: ""
> XDG response: 2

EXPECTED RESULT
A non-empty secret is returned and the result code is zero. For example, after unlocking the KDE wallet the program returns:
> Got Secret: "4392dfa2d9a495c848a9b8edfde0882471a0c6734d035c42fa95ce5e801ddcf34e9272f266f8628e90a4967d0541660b0fef9cd2e17f892b489d3c0d975b165a"
> XDG response: 0

SOFTWARE/OS VERSIONS
Windows: N/A
macOS: N/a
Linux/KDE Plasma: Kubuntu 25.04
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.12.0
Qt Version: 6.8.3

ADDITIONAL INFORMATION
This was discovered in the Mozilla VPN project: https://github.com/mozilla-mobile/mozilla-vpn-client/issues/10728

Comment 1 Nicolas Fella 2025-08-29 21:11:55 UTC

Thanks for the report!

I think I see what's going wrong. When kwallet is already running but locked it will prompt for unlock as expected. However when it's not even running yet (because it didn't get started at login because of the autologin limitation) then trying to use it via the portal API will not start kwallet

Comment 2 Bug Janitor Service 2025-08-29 21:14:00 UTC

A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/128

Comment 3 Nicolas Fella 2025-08-31 16:14:38 UTC

Git commit ecf9e2ec7fceca538a9266f5bb9488b4dced1d09 by Nicolas Fella.
Committed on 29/08/2025 at 21:12.
Pushed by nicolasfella into branch 'master'.

Add service file for portal DBus service

When ksecretd is not already running and someone uses the secrets portal we need
to DBus-activate ksecretd, otherwise the portal isn't functioning.

M  +3    -0    src/runtime/ksecretd/CMakeLists.txt
A  +3    -0    src/runtime/ksecretd/org.freedesktop.impl.portal.desktop.kwallet.service.in

https://invent.kde.org/frameworks/kwallet/-/commit/ecf9e2ec7fceca538a9266f5bb9488b4dced1d09