GNU bug report logs - #62952
28.2.50; secrets.el unlocking items

Previous Next

Package: emacs;

Reported by: "Philipp Uhl" <git <at> ph-uhl.com>

Date: Wed, 19 Apr 2023 19:59:02 UTC

Severity: normal

Found in version 28.2.50

Fixed in version 30.1

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: "Philipp Uhl" <git <at> ph-uhl.com>
To: 62952 <at> debbugs.gnu.org
Subject: bug#62952: 28.2.50; secrets.el unlocking items
Date: Wed, 19 Apr 2023 14:23:17 +0200

The secrets.el implementation lacks support for unlocking specific
items. It only unlocks collections. This does not work well with certain
password managers (e.g. in my case KeepassXC, accessed through secret
service). When receiving a secret through

(secrets-get-secret  "MyPws" "MyEntry")

with the setting "Confirm when passwords are retrieved by clients"
turned on in KeepassXC, secrets-get-secret will just say IsLocked.

Instead, secrets-get-secret should try to unlock the entry itself before
retrieving.

Here is a proof of concept:

+  ;; New function, analogously to secrets-unlock-collection, that
+  ;; specifically unlocks the item
+  (defun secrets-unlock-item (collection item)
+    "Unlock item labeled ITEM from collection labeled COLLECTION.
+  If successful, return the object path of the item."
+    (let ((item-path (secrets-item-path collection item)))
+      (unless (secrets-empty-path item-path)
+        (secrets-prompt
+         (cadr
+          (dbus-call-method
+           :session secrets-service secrets-path secrets-interface-service
+           "Unlock" `(:array :object-path ,item-path)))))
+      item-path))

  (defun secrets-get-secret (collection item)
    "Return the secret of item labeled ITEM in COLLECTION.
  If there are several items labeled ITEM, it is undefined which
  one is returned.  If there is no such item, return nil.

  ITEM can also be an object path, which is used if contained in COLLECTION."
-    (let ((item-path (secrets-item-path collection item)))
+    (let ((item-path (secrets-unlock-item collection item)))
      (unless (secrets-empty-path item-path)
        (dbus-byte-array-to-string
         (nth 2
              (dbus-call-method
               :session secrets-service item-path secrets-interface-item
               "GetSecret" :object-path secrets-session-path))))))

To make this function a bit more similar to how it was before, one could
concider to explicitly wait for the IsLocked event before unlocking the
item. That way, if the password manager does not support unlocking of
items, this would not be braking.

Cheers,
-----------------------------
  Philipp Uhl
  git <at> ph-uhl.com
This bug report was last modified 2 years and 18 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.