secret-service implementation
Hi,
I'm trying to use https://github.com/mdellweg/pass_secret_service but between python, python-cryptography, what I suspect is pypass, I am less interested in making it work than I would be hacking on a Rust solution.
Is this something you've considered?
I'd be willing to throw a bit of money at this (like 500 USD). I can't deal with pass-secret-service anymore and don't have time to work on this myself.
> Is this something you've considered?
Cool idea!
The idea is that prs would function as secret store, where dbus can be used to interface with it. Am I seeing that right?
At this time, I'm not familiar with how that would work at all. I haven't looked into this yet. Based on the other pass clients available for this I'm sure it can be done. I wonder how well this would work in some scenarios though: for example, if running prs as secret service, I don't think it would be able to easily ask for a sudo password when trying to automatically unlock a Tomb.
Are you familiar with using pass as secret service at all? If so, what would be important things to consider when implementing this for prs?
> I can't deal with `pass-secret-service` anymore and don't have time to work on this myself.
Out of curiosity. What are the current problems with it? I'd like to determine whether these are fixable before putting effort into this.
Yes. Sorry, I could've supplied a lot more information up front:
- https://specifications.freedesktop.org/secret-service/latest/ links to the API and dbus API
> What are the current problems with it? I'd like to determine whether these are fixable before putting effort into this.
I'll be honest, it mostly boils down to python + python/cryptography + error handling or lack thereof.
> if running prs as secret service, I don't think it would be able to easily ask for a sudo password when trying to automatically unlock a Tomb.
- I'm not sure about `sudo` and I don't use tombs, but I assume you mean prompting for a GPG pin or passphrase? If you really mean sudo, I guess (handwave) something-something polkit elevation?
- I currently restart `pass-secret-service.service` after my desktop has started (which exports `WAYLAND_DISPLAY` into the systemd user environment), so the service is able to prompt me. I suspect I can make the service wait for `graphical-session.target` to be started, avoiding the need for this manual restart, I just haven't gotten to testing it yet.
- There is a small issue with my yubikey -- I have to remove/re-insert my yubikey when my pinentry pops up and prompts me to insert my smartcard. I suspect this is somehow related to the UID of the service and gpg-agent trying to protect me, and gpg weirdness or security mechanism requiring a physical remove/re-insert.
This is an example of how pass-secret-service is utilizing password-store:
❯ eza --tree ~/.local/share/password-store/secret_service
/home/cole/.local/share/password-store/secret_service
├── 66a24f09_0318_45b1_98b4_4293e1f48305
│ ├── 02abc74d_b7fd_436d_a676_5a4ed9deeb5b.gpg
│ ├── 02abc74d_b7fd_436d_a676_5a4ed9deeb5b.properties
│ ├── 2c17e770_a349_4297_bcc7_6fa3630af84e.gpg
│ ├── 2c17e770_a349_4297_bcc7_6fa3630af84e.properties
│ ├── 2eeb0b0c_2bf4_43e2_9922_22792f64d350.gpg
│ ├── 2eeb0b0c_2bf4_43e2_9922_22792f64d350.properties
│ ├── 4ba3ab1f_0d0f_466a_adad_0959648f28bb.gpg
│ ├── 4ba3ab1f_0d0f_466a_adad_0959648f28bb.properties
│ ├── 8d318c99_bc53_4233_bd02_34cd58e830ae.gpg
│ ├── 8d318c99_bc53_4233_bd02_34cd58e830ae.properties
│ ├── 38ca3bb9_a7a0_42d3_9749_becd7ae8104b.properties
│ ├── 58f87f49_c2ac_41d1_b97a_6480026a3b78.properties
│ ├── 78b6e38e_bcdc_4d79_afe7_54685cadc871.gpg
│ ├── 78b6e38e_bcdc_4d79_afe7_54685cadc871.properties
│ ├── 506c8a99_31bf_421a_8a99_9372aa50ce80.gpg
│ ├── 506c8a99_31bf_421a_8a99_9372aa50ce80.properties
│ ├── 7399196b_4ef6_4535_947f_46a8ba2e5291.gpg
│ ├── 7399196b_4ef6_4535_947f_46a8ba2e5291.properties
│ └── be16197d_0300_461c_a7d1_14a32de4f8d2.properties
└── aeb71665_4107_4af0_9582_398a2499d1c7
├── 074d7a2b_34ac_479d_aea8_3bfbfdefea13.gpg
├── 4fd0e483_0c13_44ef_8d70_93f33eb1dcc4.gpg
├── 4fd0e483_0c13_44ef_8d70_93f33eb1dcc4.properties
├── a9502979_090b_4524_9293_ab3b6204cde3.gpg
├── a9502979_090b_4524_9293_ab3b6204cde3.properties
├── d60c1491_2a97_4459_b145_8751d668cd65.gpg
├── d60c1491_2a97_4459_b145_8751d668cd65.properties
├── fc704fac_b69a_4a8d_8df5_8bb43ca36e4d.gpg
└── fc704fac_b69a_4a8d_8df5_8bb43ca36e4d.properties
❯ cat ~/.local/share/password-store/secret_service/66a24f09_0318_45b1_98b4_4293e1f48305/02abc74d_b7fd_436d_a676_5a4ed9deeb5b.properties
{"org.freedesktop.Secret.Item.Attributes": {"server": "nheko", "type": "plaintext", "user": "matrix.47DEredactuFU=.m.cross_signing.master", "xdg:schema": "org.qt.keychain"}, "org.freedesktop.Secret.Item.Label": "nheko"}%
❯ gpg -d ~/.local/share/password-store/secret_service/66a24f09_0318_45b1_98b4_4293e1f48305/02abc74d_b7fd_436d_a676_5a4ed9deeb5b.gpg
gpg: encrypted with rsa4096 key, ID 0x62556A61E301DC21, created 2018-05-22
"Cole Mickens <[email protected]>"
h6Ynredacteredact=%
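The listing and the `.properties` file above show the whole on-disk contract a replacement service would have to honour: one directory per collection, one JSON `.properties` file per item carrying the `org.freedesktop.Secret.Item.Attributes` map and label, and the secret itself in a sibling `.gpg` file. The following is an added example, not code from pass_secret_service or prs, that models that layout in memory and implements the attribute matching a Secret Service `SearchItems` call performs over it. The sample store is constructed here (the first item copies the properties shown above, the other entries and the `.gpg` placeholders are made up), the `/org/freedesktop/secrets/collection/...` path shape follows the spec's object path convention, and nothing decrypts a `.gpg` file.

```python
"""Model of the pass-secret-service layout inside password-store and the
Secret Service SearchItems attribute matching over it.

Added example (not pass_secret_service or prs code). Assumes only what the
listing shows: <store>/secret_service/<collection>/<item>.properties holds
JSON with the Attributes map and Label, and <item>.gpg holds the secret.
"""
import json
from dataclasses import dataclass

ATTRS_KEY = "org.freedesktop.Secret.Item.Attributes"
LABEL_KEY = "org.freedesktop.Secret.Item.Label"

# Constructed stand-in for the directory tree: {collection: {filename: content}}.
# First item mirrors the .properties file quoted above; the rest is made up,
# and the .gpg payloads are placeholders rather than OpenPGP ciphertext.
SAMPLE_STORE = {
    "66a24f09_0318_45b1_98b4_4293e1f48305": {
        "02abc74d_b7fd_436d_a676_5a4ed9deeb5b.properties": json.dumps({
            ATTRS_KEY: {"server": "nheko", "type": "plaintext",
                        "user": "matrix.47DEredactuFU=.m.cross_signing.master",
                        "xdg:schema": "org.qt.keychain"},
            LABEL_KEY: "nheko",
        }),
        "02abc74d_b7fd_436d_a676_5a4ed9deeb5b.gpg": b"<placeholder ciphertext>",
        # .properties with no .gpg sibling, like several entries in the listing
        "38ca3bb9_a7a0_42d3_9749_becd7ae8104b.properties": json.dumps({
            ATTRS_KEY: {"server": "nheko", "type": "plaintext",
                        "user": "example.self_signing", "xdg:schema": "org.qt.keychain"},
            LABEL_KEY: "nheko",
        }),
    },
    "aeb71665_4107_4af0_9582_398a2499d1c7": {
        "4fd0e483_0c13_44ef_8d70_93f33eb1dcc4.properties": json.dumps({
            ATTRS_KEY: {"service": "example-service", "username": "alice"},
            LABEL_KEY: "Example login",
        }),
        "4fd0e483_0c13_44ef_8d70_93f33eb1dcc4.gpg": b"<placeholder ciphertext>",
    },
}


@dataclass(frozen=True)
class Item:
    collection: str
    item_id: str
    label: str
    attributes: dict
    has_secret: bool  # False when the .gpg sibling is missing

    def object_path(self) -> str:
        # Spec-style D-Bus path: /org/freedesktop/secrets/collection/<coll>/<item>
        return f"/org/freedesktop/secrets/collection/{self.collection}/{self.item_id}"


def load_items(store: dict) -> list:
    """Parse every .properties file into an Item. Attributes are typed a{ss}
    in the spec, so anything that is not string->string is rejected."""
    items = []
    for collection, files in store.items():
        for name, content in files.items():
            if not name.endswith(".properties"):
                continue
            item_id = name[: -len(".properties")]
            props = json.loads(content)
            attrs = props.get(ATTRS_KEY, {})
            if not all(isinstance(k, str) and isinstance(v, str) for k, v in attrs.items()):
                raise ValueError(f"{collection}/{name}: attributes must be string->string")
            items.append(Item(collection, item_id, props.get(LABEL_KEY, ""),
                              dict(attrs), f"{item_id}.gpg" in files))
    return sorted(items, key=lambda it: (it.collection, it.item_id))


def search_items(items: list, query: dict) -> list:
    """SearchItems semantics: an item matches when every queried attribute is
    present with an equal value; an empty query matches every item."""
    return [it for it in items if all(it.attributes.get(k) == v for k, v in query.items())]


def orphaned(items: list) -> list:
    """Items that advertise attributes but have no encrypted secret on disk.
    A service should report these instead of failing later on GetSecret."""
    return [it for it in items if not it.has_secret]


if __name__ == "__main__":
    items = load_items(SAMPLE_STORE)
    for it in search_items(items, {"xdg:schema": "org.qt.keychain"}):
        print(it.object_path(), it.label, "secret" if it.has_secret else "NO SECRET")
```

The part this deliberately leaves out is `GetSecret`, which is where a real implementation has to run `gpg -d` (or a gpgme binding) on the `.gpg` file and therefore where the pinentry and `WAYLAND_DISPLAY` issues mentioned in the previous comment surface.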
Thank you very much for elaborating on this.
I did take some time to investigate how this can be done, but sadly it turns out to be quite a huge task. There currently is no library/crate that implements an interface for this, so everything has to be built from scratch based on the secret service documentation. Along with that it relies on modifying system files to actually get it to work, as it conflicts with what GNOME and other desktop environments provide.
Because of that I'm afraid I cannot implement this at this time.
If there's anyone else that would like to pick this up, please feel free to give it a shot!