-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build libsecret without gcrypt #756
base: master
Are you sure you want to change the base?
Conversation
Started test build 150490 |
Build 150490 successful
|
On Fedora 40 this works. |
We should use the keyring as default again, and if it's possible, also recover the key from the |
Nice! With this change,
Does that mean, the underlying issue was on the |
It's nice that it's working. If it was not working with Gnome before, what's the point of flatpak? It's supposed to be agnostic and be able to run anywhere. Doesn't Ubuntu provide this library, or is it outdated maybe? I recommend a bit more testing, especially without the env var and its checking, so that it defaults to use the keyring if available, just like upstream. |
I guess this is just yet another part that is not (yet) agnostic.
|
libsecret uses a file based backend inside Flatpak specifically which is incompatible with how Chromium tries to use it. Disabling this compiles out that backend and it reverts to the usual DBus backend same as how it works outside Flatpak.
I don't think it's possible to do that |
The library was already present through the electron baseapp btw but it isn't compiled with |
117ef20
to
9df1b09
Compare
Great research @bbhtt, I guess!
Are the upstream (Electron/Chromium) devs aware of this?
With "electron baseapp", you're referring to this repo? Any specific reason to not add the |
Started test build 150509 |
I don't know if chromium/electron developers are aware, but libsecret has an issue open for a long time https://gitlab.gnome.org/GNOME/libsecret/-/issues/49 The fix is for Chromium to use the proper API.
There is no migration path between the backends, switching the backend will mean the app cannot retrieve the secrets anymore. Electron baseapp was using gcrypt backend ever since its inception. Disabling it now and switching it will break any app that depends on it. It doesn't matter for signal because it was using plain text before. |
Build 150509 successful
|
This uses the Dbus backend instead of the file based ones under Flatpak
9df1b09
to
2caf105
Compare
Started test build 150532 |
Not sure if it's related but Tutanota Flatpak that's based on Electron creates dummy entry in keyring because of the bug in Chromium. Not sure if it's related to this bug but here's the text of the entry:
|
No that's unrelated. |
Build 150532 successful
|
The relevant discussion (this thread) happended almost 3 years ago. There was no further activity in the issue after that. Hence I'd consider it plausible that Chromium/Electron development never got a scent of this... |
So then open an issue with Electron or what is preventing you from doing that? I don't know the technical details well enough here to describe the problem, so it would be great if one of you could do it. |
Expertness, mainly. But I tried my best: https://issues.chromium.org/issues/370535829 (the original culprit is Chromium, not Electron, if I'm not mistaken). |
@bbhtt This works here. Thanks v. much! |
@bbhtt Works for me, F40 👍 |
What makes me wonder is, why this only breaks on Gnome. I'm using gnome-libsecret (i3) and the database works. So this Chromium/Electron misbehavior does not surface on other WMs/DMs. If Chromium fails, this should I break on all the host systems. |
I'm a bit lost with all the password backends. I have a simple question though, how do I get back the years of messages that were in the app's cache just last week? And if this requires fishing in backups, what's the path for the file that contains the secret we need to restore, and where do we need to restore it? |
Hi @hadess! Hope all is well. What worked for me:
If it looks like this, this is post broken migration, and you need to get an older backup - it doesn't matter how old, it's just the key we want, which won't have changed:
(the last bit from upstream at https://community.signalusers.org/t/warning-do-not-update-from-flathub-database-error/63222#p-251892-database-error-a-database-error-has-occurred-6 ) And you should be all set. When you run Signal, it will migrate that plaintext key into keyring, and it will be able to access your encrypted db again. |
Thanks @ramcq, now to test the restore portion of those backups... |
What distro are you on? Your system missing the necessary secret portal would explain why libsecret's file backend isn't used (like it is on Gnome). The conditions under which libsecret prefers its file backend (compiled out by this PR) are found here in the source. |
@bbhtt Correct me if I'm wrong. I skimmed over flatpak/xdg-desktop-portal#359 and the related changes and discussions and I think I understand the situation better now: The recommended way for Flatpaks to use the host's Unfortunately, this requires the app to use libsecret's I added a comment about this to my Chromium bug report. |
Yes Chromium/Electron needs to transition to using the secrets portal, until that is done they need the |
I have one from (gasp) last year, but it doesn't work. It migrates the old (only good thing out of this is that it forced me into root causing why my backups weren't working: |
Ruh roh. If you check in Seahorse and search Chromium Safe Storage, do you see a secret there with "application: Signal" under Details? That's the sign of a happy migration. If the key has migrated, and doesn't work, I don't understand what's happened. The recovery might have to be, set your current db aside, and restore the db that matches the key from the most recent backup you have. Signal should on the whole be able to resync missing history off your phone, but equally, not a Signal guru - I don't know what might be missing after that process. |
No, Signal has no support for this (yet), see this forum thread. |
That's because the migration to use gnome-libsecret is failing, keep using |
That's the idea... #756 (comment) |
I know, but I'm not sure it is what @hadess tried :) |
I tested the exact steps @ramcq mentioned, all using the It's very possible that the DB is toast from previous attempts. Log output
|
@hadess This "file is not a database" is consistent with a decryption failure. Maybe just to reduce variables; switch your override to |
@ramcq So this worked perfectly for me yesterday. I had to delete the database which I was ok with and Signal launched just fine. However, today Signal asked me to delete again the database, which is going to be annoying if I can't keep more than a day of history... I have bad memory issue since the flu which attacked my brain, so I need to rely on tools to help me remember things. 😭 And in any case, after I deleted the db again, Signal is now stuck:
It doesn't go any further than that, and doesn't display the window at all after waiting for it for several minutes. 🤦 |
@mbridon Are you sure when you run What responses do you get from the following 2 commands:
Edit: Just to be clear, if any of the commands above print a secret key, you have to redact that part before pasting the result anywhere public. |
This is only true for Gnome. |
Started test build 151720 |
Build 151720 successful
|
Additional comments:
|
Hi, here's results for those 2 commands;
|
@mbridon I think this output means you were not using an |
I'm now using a version from this PR, as explained in a comment above, I ran this command: The command from another comment above still says the same thing:
So what now? 😕 |
@mbridon Did you try To run the Signal test build just once with To set the Signal test build to always run with Thanks @hadess for the hint about |
|
If you previously had
basic
storage, run it asflatpak run --env=SIGNAL_PASSWORD_STORE=gnome-libsecret org.signal.Signal
and check if it's storing in the keyring correctly.