
Credential store is not supported

Open ryan-carpenter opened this issue 9 months ago • 19 comments

JabRef version

5.13 (latest release)

Operating system

GNU / Linux

Details on version and operating system

openSUSE Tumbleweed, KDE Plasma Wayland

Checked with the latest development build (copy version output from About dialog)

  • [X] I made a backup of my libraries before testing the latest development version.
  • [X] I have tested the latest development version and the problem persists

Steps to reproduce the behaviour

  1. File > Preferences > Web search > Custom API key table
  2. Custom API key shows "No content in table" and no means of adding or enabling a key. I believe that I previously had a custom key saved prior to JabRef version 5.13.
  3. Event log shows "Credential store is not supported"
  4. Start JabRef from the terminal for more info (see warnings in the appendix)

Appendix

...

Log File
2024-05-15 23:51:31 [JavaFX Application Thread] org.jabref.preferences.JabRefPreferences.getFetcherKeysFromKeyring()
WARN: JabRef could not open the key store
2024-05-15 23:52:18 [JavaFX Application Thread] org.jabref.logic.util.OS.isKeyringAvailable()
WARN: Credential store not supported.

ryan-carpenter avatar May 16 '24 07:05 ryan-carpenter

openSUSE Tumbleweed, KDE Plasma Wayland

Is there any special procedure to install that setup - or does one "just" need to install openSUSE Tumbleweed?

Do you have an app for keyring security installed? E.g., something like Kwallet?

koppor avatar May 20 '24 18:05 koppor

Implementation "trace":

  • https://github.com/purejava/kdewallet is the app
  • We use java-keyring
  • java-keyring uses secret service. Does that communicate using kdewallet?

Possible follow ups:

  • If kdewallet is not supported, add support to java-keyring
  • If kdewallet is supported, ask @ryan-carpenter about the specifics of the setup.

koppor avatar May 20 '24 18:05 koppor

Gnome-keyring would be an alternative

Siedlerchr avatar May 20 '24 18:05 Siedlerchr

Interesting development tooling: https://github.com/purplesyringa/docker-boot

koppor avatar May 27 '24 22:05 koppor

@ryan-carpenter Did you have luck with installing gnome-keyring? It is enough to just install the gnome keyring manager. @calixtus said that he needed this for Skype as well

Siedlerchr avatar Jun 03 '24 19:06 Siedlerchr

openSUSE Tumbleweed, KDE Plasma Wayland

Is there any special procedure to install that setup - or does one "just" need to install openSUSE Tumbleweed?

Do you have an app for keyring security installed? E.g., something like Kwallet?

KDE Plasma includes Kwallet by default.

ryan-carpenter avatar Jun 13 '24 09:06 ryan-carpenter

* java-keyring uses [secret service](https://github.com/swiesend/secret-service). Does that communicate using kdewallet?

Yes, I believe so. Here is a screenshot of the system settings for Kwallet on my system.

* If kdewallet is supported, ask @ryan-carpenter about the specifics of the setup.

I don't have much experience with KWallet, so it is possible that I need to do something to configure it properly.

  • JabRef is not currently listed as connected or authorized to access the wallet, and it is not obvious how to manually connect/authorize an application or if this is possible.
  • I have only one wallet in the wallet manager, so having the wrong wallet open is not the problem.
  • I enabled the option to prompt when an application accesses a wallet in case this might help discover the underlying issue.

I don't know enough about how this works to troubleshoot effectively, but I am open to suggestions.

I have updated JabRef since I first created the issue.

JabRef 5.14--2024-05-14--6376067 Linux 6.9.3-1-default amd64 Java 21.0.2 JavaFX 22.0.1+7

ryan-carpenter avatar Jun 13 '24 09:06 ryan-carpenter

@ryan-carpenter Did you have luck with installing gnome-keyring?

I have not tried this yet, but based on your comments and the message in system settings for Kwallet, it looks as if gnome-keyring or keepassxc should work. However, the setting in KWallet is global, not per-application, so I might have to switch entirely to one of the alternatives, which is not ideal. On the other hand, ~maybe all I need to do is re-enter or reset the password~ as described here

ryan-carpenter avatar Jun 13 '24 10:06 ryan-carpenter

I am working on the assumption that this is a kwallet configuration issue.

Secret service is supposed to be supported, but dbus initial API had some challenges including not working with flatpak apps (resolved). Arch Wiki shows configuration options that might help.

  • Launching JabRef with --password-store=kwallet5 or --password-store=kwalletmanager5rc did not work for me.
  • My configuration in ~/.config/kwalletrc includes
[org.freedesktop.secrets]
apiEnabled=true

I am using openSUSE, which tends to have some differences in configuration and directory structure compared to other distributions, so it would be nice to know if anyone else is using JabRef successfully with Kwallet.

I will let you know if I manage to get it working. @koppor, do you want me to close the issue or leave it open while I investigate?

ryan-carpenter avatar Jun 13 '24 20:06 ryan-carpenter

I will let you know if I manage to get it working. @koppor, do you want me to close the issue or leave it open while I investigate?

Please leave it open. It is an issue and JabRef should be able to use kwallet.

koppor avatar Jun 24 '24 10:06 koppor

The secrets service is available and kwallet is using it (see details).

Details

Which DBus services are available?

> qdbus6 | grep 'jabref\|keyring\|kwallet\|secret'
 org.freedesktop.impl.portal.desktop.kwallet
 org.freedesktop.secrets
 org.kde.kwalletd5
 org.kde.kwalletd6
 org.kde.kwalletmanager5

Which object paths are available on the secrets service?

> qdbus6 org.freedesktop.secrets
...
/modules/kwalletd5
/modules/kwalletd6
...
/org/freedesktop/secrets/aliases/default
/org/freedesktop/secrets/collection/kdewallet
...
/org/kde/kwalletd6

Which methods, signals and properties are available on the secrets service object path?

> qdbus6 org.freedesktop.secrets /org/freedesktop/secrets
property read QList<QDBusObjectPath> org.freedesktop.Secret.Service.Collections
signal void org.freedesktop.Secret.Service.CollectionChanged(QDBusObjectPath collection)
signal void org.freedesktop.Secret.Service.CollectionCreated(QDBusObjectPath collection)
signal void org.freedesktop.Secret.Service.CollectionDeleted(QDBusObjectPath collection)
method QDBusObjectPath org.freedesktop.Secret.Service.CreateCollection(QVariantMap properties, QString alias, QDBusObjectPath& prompt)
method {D-Bus type "a{o(oayays)}"} org.freedesktop.Secret.Service.GetSecrets(QList<QDBusObjectPath> items, QDBusObjectPath session)
method QList<QDBusObjectPath> org.freedesktop.Secret.Service.Lock(QList<QDBusObjectPath> objects, QDBusObjectPath& Prompt)
method QDBusVariant org.freedesktop.Secret.Service.OpenSession(QString algorithm, QDBusVariant input, QDBusObjectPath& result)
method QDBusObjectPath org.freedesktop.Secret.Service.ReadAlias(QString name)
method QList<QDBusObjectPath> org.freedesktop.Secret.Service.SearchItems(QMap<QString,QString> attributes, QList<QDBusObjectPath>& locked)
method void org.freedesktop.Secret.Service.SetAlias(QString name, QDBusObjectPath collection)
method QList<QDBusObjectPath> org.freedesktop.Secret.Service.Unlock(QList<QDBusObjectPath> objects, QDBusObjectPath& prompt)
signal void org.freedesktop.DBus.Properties.PropertiesChanged(QString interface_name, QVariantMap changed_properties, QStringList invalidated_properties)
method QDBusVariant org.freedesktop.DBus.Properties.Get(QString interface_name, QString property_name)
method QVariantMap org.freedesktop.DBus.Properties.GetAll(QString interface_name)
method void org.freedesktop.DBus.Properties.Set(QString interface_name, QString property_name, QDBusVariant value)
method QString org.freedesktop.DBus.Introspectable.Introspect()
method QString org.freedesktop.DBus.Peer.GetMachineId()
method void org.freedesktop.DBus.Peer.Ping()

Which process is using the secrets service?

> qdbus6 --session org.freedesktop.DBus / org.freedesktop.DBus.GetConnectionUnixProcessID org.freedesktop.secrets
1706
> ps ux | grep 1706
username      1706  0.0  0.2 1017544 81060 ?       SLl  18:05   0:00 /usr/bin/kwalletd6 --pam-login 13 14

I investigated some more, and found the following.

  • I can add passwords to kwallet manager from the command line by executing secret-tool store --label=Example username myusername service secret
  • I can add folders, maps, and passwords manually in kwallet manager by right-clicking in the folder area (https://docs.kde.org/stable5/en/kwalletmanager/kwallet5/kwalletmanager5.html).
  • I added a folder for JabRef and created a map containing an API key. However, I do not know what data needs to be entered to let JabRef access the key.
  • I added JabRef to the list of authorized applications in ~/.config/kwalletrc by editing the file, and the change is reflected in kwallet manager.
  • org.jabref.jabref appears in the output of dbus-monitor. Other applications that are working properly also appear in the output.
  • JabRef still shows the same error about the credential store.
> dbus-monitor
...
method call time=1719697099.412600 sender=:1.6 -> destination=:1.9 serial=3955 path=/org/freedesktop/impl/portal/PermissionStore; interface=org.freedesktop.impl.portal.PermissionStore; member=Lookup
   string "background"
   string "background"
method return time=1719697099.413621 sender=:1.9 -> destination=:1.6 serial=883 reply_serial=3955
   array [
      ...
      dict entry(
         string "org.jabref.jabref"
         array [
            string "yes"
       ...
         ]
      )
   ]
   variant       byte 0
...

ryan-carpenter avatar Jun 29 '24 21:06 ryan-carpenter
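
The manual checks from the comment above (which process owns org.freedesktop.secrets, whether the default alias resolves to a collection, whether kwalletrc has apiEnabled=true), collected into one read-only script. This is an added example, not part of the thread or of JabRef; it assumes dbus-send, ps and awk are installed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks of the Secret Service setup.

# Read a `dbus-send --print-reply` reply on stdin and print the uint32 it carries.
parse_uint32_reply() {
    awk '$1 == "uint32" { print $2; ok = 1 } END { exit !ok }'
}

# Same for an object path; "/" is the spec's "no such alias" reply and counts as failure.
parse_object_path_reply() {
    awk '$1 == "object" && $2 == "path" { gsub(/"/, "", $3)
             if ($3 != "/") { print $3; ok = 1 } } END { exit !ok }'
}

# 0 if file "$1" has apiEnabled=true under [org.freedesktop.secrets], 1 if not, 2 if unreadable.
kwalletrc_secret_api_enabled() {
    [ -r "$1" ] || return 2
    awk '/^[ \t]*\[/ { in_group = ($0 ~ /^[ \t]*\[org\.freedesktop\.secrets\][ \t]*$/); next }
         in_group && /^[ \t]*apiEnabled[ \t]*=/ {
             value = $0; sub(/^[^=]*=[ \t]*/, "", value); sub(/[ \t\r]+$/, "", value) }
         END { exit (value == "true" ? 0 : 1) }' "$1"
}

# PID of the process that owns a session-bus name; fails if the name has no owner.
bus_name_pid() {
    dbus-send --session --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus \
        org.freedesktop.DBus.GetConnectionUnixProcessID "string:$1" 2>/dev/null |
        parse_uint32_reply
}

report() {
    if pid=$(bus_name_pid org.freedesktop.secrets); then
        echo "org.freedesktop.secrets owner: PID $pid ($(ps -o comm= -p "$pid"))"
        # Ask the service itself only once it is known to run, so nothing is auto-started.
        if coll=$(dbus-send --session --print-reply --dest=org.freedesktop.secrets \
                /org/freedesktop/secrets org.freedesktop.Secret.Service.ReadAlias \
                string:default 2>/dev/null | parse_object_path_reply); then
            echo "default alias -> $coll"
        else
            echo "default alias does not resolve to a collection"
        fi
    else
        echo "org.freedesktop.secrets has no owner on the session bus"
    fi
    kwalletrc_secret_api_enabled "$HOME/.config/kwalletrc" &&
        echo "kwalletrc: apiEnabled=true" || echo "kwalletrc: apiEnabled=true not found"
}

# Live checks run only on request: sh check-secret-service.sh --report
if [ "${1:-}" = "--report" ]; then report; fi
```

When all three checks pass and the application still reports an unsupported credential store, the remaining suspects are the client libraries rather than the desktop configuration.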

What needs to be done:

  • [ ] Create minimal Java application using https://github.com/javakeyring/java-keyring/
  • [ ] Try to debug java-keyring library
  • [ ] Fix java-keyring library (which fixes https://github.com/javakeyring/java-keyring/issues/98)
  • [ ] Release java-keyring containing the fix
  • [ ] Update java-keyring dependency in JabRef

koppor avatar Jul 02 '24 15:07 koppor

If java-keyring stores passwords using the freedesktop.org/secret-service D-Bus service via the swiesend/secret-service library, the D-Bus secrets service is in fact running, and KWallet is compatible with the Secret Service API, is purejava/kdewallet still required?

ryan-carpenter avatar Jul 03 '24 03:07 ryan-carpenter

Well, if all components by themselves work, I don't understand why there are issues. Since secret-service seems to work with KDE Wallet (if I interpret https://github.com/JabRef/jabref/issues/11296#issuecomment-2205003562 right), the TODOs are this:

  • [ ] Get CI for secret-service running (https://github.com/swiesend/secret-service/pull/43)
  • [ ] Add KDE Wallet to CI check
  • [ ] Check whether it works or there need to be fixes.

This way, we ensure that secret-service works. With the TODOs at https://github.com/JabRef/jabref/issues/11296#issuecomment-2203510073, we ensure that java-keyring works. And then we can check JabRef. I think, there aren't more components to check?

koppor avatar Jul 03 '24 06:07 koppor

if all components by themselves work, I don't understand why there are issues.

This is the right interpretation. As far as I can tell, each of the components appears to be working, but I don't know much about keychains and I don't work as a developer, so the number of components and interdependencies to understand make this a hard issue for me to troubleshoot.

I think, there aren't more components to check?

No, I don't think so.

If applicable, consider:

  • kwalletd and kwalletmanager versions could matter (must not predate secret-service support; my system currently has kwalletd6 and kwalletmanager5)
  • Encryption algorithm could matter (historical discussions say not to use GPG, which is supposed to be supported now)
  • Potential for conflict between gnome-keychain and KWallet. I understand that they can co-exist, but have seen some discussions about the wrong one being used by an application, or difficulty making both work. Currently, I have only KWallet on my system
  • Would QtKeychain be of any use?

Note:

  • The terminology can be rather ambiguous, with "KDE Wallet", "KWallet", "KWalletManager", "Wallet Manager", the "KDE wallet subsystem", "kdewallet" (the default wallet in Wallet Manager), and pure-java/kdewallet. I am using "KWallet" or "KDE Wallet" to mean any of the individual or collective components provided by KDE with the Plasma desktop.

  • KWallet Framework, which includes an "interface to KWallet" and "The kwalletd"

  • KWalletManager or "Wallet Manager"


ryan-carpenter avatar Jul 10 '24 21:07 ryan-carpenter

I submitted a bug report about this to KDE: "KWallet is not accessible by an application using via org.freedesktop.secrets.service"

Other KDE bug reports

  • KWallet/Secret Service: potential conflict of auto-start files (DBus etc) with other Secret Service providers (https://bugs.kde.org/show_bug.cgi?id=458339)
  • Implement org.freedesktop.impl.portal.Secret (https://bugs.kde.org/show_bug.cgi?id=466197) - Version Fixed In: Frameworks 6.2 Committed on 21/04/2024
  • Initial support for secret service was released in KDE frameworks 5.97.0 (https://bugs.kde.org/show_bug.cgi?id=313216#c36)

ryan-carpenter avatar Jul 10 '24 22:07 ryan-carpenter

I disabled secret-service integration in kwallet and enabled it in keepassxc, then I created a keepassxc database and added a password to it from the command line using secret-tool.

When I launch JabRef from the command line I get the same error that JabRef could not open the key store and the credential store is not supported. The keepassxc database was open and unlocked, and I disabled the option to prompt to unlock.

I have not tried gnome keyring yet.

ryan-carpenter avatar Jul 25 '24 19:07 ryan-carpenter

No luck with gnome keyring, but I think the secrets service is no longer running, because secret-tool returns:

secret-tool: Error calling StartServiceByName for org.freedesktop.secrets: Timeout was reached

ryan-carpenter avatar Jul 25 '24 20:07 ryan-carpenter

In KDE Wallet Manager under Secret Service > Passwords, there is now a password for org.jabref.ai|apiKey-OPEN_AI__0_ which is for the API key that I saved in JabRef's AI preferences. It looks like JabRef is communicating successfully with Secret Service. However, the custom API section of JabRef's Web search preferences still shows "No content in table" and does not appear to be editable. Am I missing something?

Latest status:

JabRef 100.0.0 Linux 6.11.2-1-default amd64 Java 21.0.4 JavaFX 23+29

2024-10-16 03:11:43 [JavaFX Application Thread] org.freedesktop.dbus.connections.transports.TransportBuilder.build()
INFO: Using transport dbus-java-transport-native-unixsocket to connect to unix:path=/run/user/1000/bus
2024-10-16 03:11:44 [JavaFX Application Thread] org.freedesktop.secret.handlers.SignalHandler.await()
INFO: Await signal Prompt.Completed(/org/freedesktop/secrets/prompt/p0) within 120 seconds.
2024-10-16 03:11:44 [DBus-Signal-Receiver-1] org.freedesktop.secret.handlers.SignalHandler.handle()
INFO: Received signal Service.CollectionChanged: /org/freedesktop/secrets/collection/kdewallet
2024-10-16 03:11:44 [DBus-Signal-Receiver-1] org.freedesktop.secret.handlers.SignalHandler.handle()
INFO: Received signal Prompt.Completed(/org/freedesktop/secrets/prompt/p0): {dismissed: false, result: [[/org/freedesktop/secrets/aliases/default]]}
2024-10-16 03:11:44 [JavaFX Application Thread] org.jabref.gui.StateManager.setActiveDatabase()
INFO: No open database detected
2024-10-16 03:11:46 [pool-2-thread-2] org.jabref.gui.JabRefDialogService.notify()
INFO: Opening: '/path/to/library.bib'

ryan-carpenter avatar Oct 16 '24 10:10 ryan-carpenter