Can't retrieve pass from KeepassXC if confirmation options are enabled
alterdaemon opened this issue · comments
Protonmail bridge does not recognize secret service and wipes out all data after first run (tested under Keepassxc and pass).
Symptoms are all the same as in #359.
On the first run a protonmail-bridge key is stored properly (there is a prompt in Keepassxc for the password for the db exposed to the secret service). I can log in and sync data, but later, after a bridge app restart, everything is wiped out and an error comes up regarding the secret service not being recognized (please see below).
Maybe it's a regression, but I have tested previous versions of protonmail-bridge as well as keepassxc and the situation was the same.
protonmail-bridge (gui)
O[Nov 30 13:16:45.776] bridge-gui starting
INFO[Nov 30 13:16:45.777] Using Qt 6.4.3
INFO[Nov 30 13:16:45.779] lock file created /home/alterdaemon/.cache/protonmail/bridge-v3/bridge-v3-gui.lock
INFO[Nov 30 13:16:45.779] New Sentry reporter - id: xKQXZEYUrGHtTlPIvSYQFMIVKKrU5zOPz1LcTVC48BA=.
DEBU[Nov 30 13:16:45.785] Bridge executable path: /usr/lib/protonmail/bridge/bridge
INFO[Nov 30 13:16:45.785] Launching bridge process with command "/usr/lib/protonmail/bridge/bridge" --grpc --parent-pid 15928 --session-id 20231130_131644895 --launcher /usr/lib/protonmail/bridge/proton-bridge
INFO[Nov 30 13:16:45.786] Retrieving gRPC service configuration from '/home/alterdaemon/.config/protonmail/bridge-v3/grpcServerConfig.json'
time="2023-11-30T13:16:45+01:00" level=info msg="Migrating keychain helper"
ERRO[Nov 30 13:16:46.009] Could not load/create vault key error="could not get keychain item: failed to get secret: org.freedesktop.Secret.Error.IsLocked"
WARN[Nov 30 13:16:46.018] The vault key could not be retrieved; the vault will not be encrypted
INFO[Nov 30 13:16:46.321] Connecting to gRPC service
INFO[Nov 30 13:16:46.323] Connection to gRPC server at unix:///tmp/bridge9101. attempt #1
INFO[Nov 30 13:16:46.330] Successfully connected to gRPC server.
protonmail-bridge --cli
INFO[0000] Migrating keychain helper
WARN[Nov 30 13:15:35.035] The vault is corrupt and has been wiped
Proton Mail Bridge is not able to detect a supported password manager
(secret-service or pass). Please install and set up a supported password manager
and restart the application.
Version Information
Protonmail Bridge 3.6.1-2_amd64
Keepassxc 2.7.6
Context (Environment)
Debian 12
Expected Behavior
Keepassxc secret service is properly recognized, key read and app initialized
Current Behavior
On the second and following runs the app does not start and complains about no pass or keyring service being recognized
Possible Solution
Maybe it's worth looking this up again? #355
It looks like it has access to insert a key on first init but can't read the key later on.
Context (Environment)
Debian 12 (stable)
I don't use a full-fledged desktop manager; I use dwm, so no gnome keyrings.
I did research in the issues regarding the topic, and checked and tried everything as per instructions like these:
#359 (comment)
#359 (comment)
everything looks alright on my side.
I'd like to add that I have tested my local setup thoroughly like so
https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/#secret-tools
using qdbus, dbus-monitor and secret-tool.
I can create, edit or delete keys without any problem; the keepassxc secret service is recognized accordingly.
@alterdaemon are you sure your KeepassXC is running at the time bridge starts?
If you start bridge manually after starting KeepassXC does it work?
Yes, I am pretty much sure.
As I said, it works fine first time on key creation, but later it fails on read of that key.
@alterdaemon could you try to disable bridge auto start and then do the following.
- Start keepass and unlock your vault
- Now start bridge
And see if this works consistently for you?
I'm getting the same issue with the latest 3.6.1 release too. I'm using a secret service implementation called dssd. It used to work perfectly until this release.
Simply ignore my report. It's caused by a recent update of gpg-agent which expires a dated option
The reason behind the problems is the two following options enabled (by default) in Keepassxc for Secret Service Integration:
Disabling them (the 2nd and 3rd option) worked around the problem and it works fine now (it doesn't matter if Keepassxc is locked or unlocked).
Confirming notifications regarding deletion and retrieval wasn't enough for the bridge to work accordingly.
I believe it should be supported by the bridge somehow so I am not closing the issue.
Lost many hours because of this (and those noob for noob questions above regarding autostart and running precedence didn't help either TBH).
@alterdaemon I'm sure you are aware the flexibility of Linux and its myriad of distributions and configurations is both a strength and a weakness of this platform.
The steps I asked you to check are the most common issue we face in CS reports. Now that we have ensured that is not the case we can dig down into the real problem.
We thank you for your time in helping to diagnose the issue and we'll now investigate this matter on our end.
Internally tracked as GODT-3157
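
Added example (not part of the thread and not Proton's code): a triage helper for bridge log output like that posted in this issue. It flags the locked-keychain error, the fallback to an unencrypted vault and the vault wipe, and re-joins lines that a terminal wrapped. The rule and function names are this example's own, and the sample lines are copied from the logs quoted above.

```python
import re

# Two line shapes appear in the logs posted in this issue:
#   LEVL[timestamp] message            (bridge / bridge-gui console format)
#   time="..." level=info msg="..."    (key=value format)
CONSOLE = re.compile(r'^(?P<level>[A-Z]{4})\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$')
KEYVAL = re.compile(r'^time="(?P<ts>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>.*)"$')

# Substrings taken from the quoted log lines; the rule names are assumptions of this example.
RULES = {
    "keychain_locked": "org.freedesktop.Secret.Error.IsLocked",
    "vault_unencrypted": "the vault will not be encrypted",
    "vault_wiped": "The vault is corrupt and has been wiped",
}

def parse(text):
    """Return [(level, ts, msg)]; a line with no level prefix continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONSOLE.match(line) or KEYVAL.match(line)
        if m:
            records.append([m["level"].upper()[:4], m["ts"], m["msg"]])
        elif records:
            records[-1][2] += " " + line  # wrapped continuation of the previous record
    return [tuple(r) for r in records]

def triage(text):
    """Return [(rule, level, ts)] for every record whose message matches a rule."""
    hits = []
    for level, ts, msg in parse(text):
        for rule, needle in RULES.items():
            if needle in msg:
                hits.append((rule, level, ts))
    return hits

# Sample input: lines copied from the logs in this issue, including the wrapped ERRO line.
SAMPLE = '''time="2023-11-30T13:16:45+01:00" level=info msg="Migrating keychain helper"
ERRO[Nov 30 13:16:46.009] Could not load/create vault key error="could not get keychain item: failed to get
secret: org.freedesktop.Secret.Error.IsLocked"
WARN[Nov 30 13:16:46.018] The vault key could not be retrieved; the vault will not be encrypted
WARN[Nov 30 13:15:35.035] The vault is corrupt and has been wiped
'''

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```
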