Loading of passwords via libsecret (sometimes) not working

mhoeher · January 11, 2022, 11:05pm

Hi everyone,

not sure if this is a good place to ask such a question, nevertheless, I’d like to try

I am the developer of the app OpenTodoList, which is - among others - also packaged as a Flatpak app. This app uses QtKeychain to save and load passwords/tokens. Internally, this library uses any available backend for storing such information - within Flatpak, this means that it uses libsecret for getting the job done. This worked fine most of the time.

Since some weeks (unfortunately, I cannot tell exactly when), I noticed that the app would not load any passwords at all. Before that, I occasionally had this, but usually restarting the app would cure this and passwords would be back again.

I tried to debug this as far as I could and what I can tell so far: It seems that QtKeychain calls libsecret (specifically, the simple API which - according to the information I found - should use some special Flatpak magic to store passwords in an app specific keystore). However, the callbacks that are passed into the libsecret functions never get called.

From there, I wasn’t sure on how to continue. I experimented a bit and found an amazingly simple workaround for the issue: Before reading passwords, I simply wait for 2 seconds. For me - but this is just a guess - it seems like there’s some kind of race condition: If the app starts too fast, something isn’t ready yet and the calls to libsecret basically never “return” (alas, call back), which then cause the code further up the stack to misbehave.

Long story short:

Does anyone else experience this kind of issues?
Are there other, proper ways to tackle this issue? For me, the most important thing is that with this 2s delay, I have at least something at hand. However, I have no clue if these 2s are enough. Maybe, on another machine, the required waiting time might be higher… so, is there some kind of signalling so the app can “know” that it safely can call the libsecret APIs?
I have the feeling this issue probably should be reported to somewhere… the question is where? First, I was inclined to raise an issue against QtKeychain, but I actually don’t think there’s anything that can be done there. So, is this something that could be fixed in libsecret? Or is there a better place to report this kind of issue?

Thanks!

wjt · January 12, 2022, 5:05pm

This rings a couple of very faint bells:

github.com/flatpak/xdg-desktop-portal

[Secrets] Lock if multiple searches happen at the same time

opened 09:20PM - 05 Jan 21 UTC

bellegarde-c

Look at this https://gitlab.gnome.org/World/lollypop/-/commit/0695ce5eefcf015741…a1e35aab25167c129c13ee I have found a workaround for Eolie and Lollypop but here what is happening. On startup, Lollypop ask Secrets API for two passwords (LAST.FM and LIBRE.FM). Looks like the concurrent lookups do not work for Flatpak (no issue if installed without Flatpak). ``` Secret.password_search(schema, SecretAttributes, Secret.SearchFlags.UNLOCK | Secret.SearchFlags.LOAD_SECRETS, None, self.__on_secret_search) ``` __on_secret_search() is never called. If i disable LIBRE.FM code, then it works (only one call to Secret.password_search())

https://gitlab.gnome.org/GNOME/libsecret/-/issues/49

Not sure if either of these are your issue.

mhoeher · January 12, 2022, 5:32pm

Thanks a lot for these links!

I checked them out both. I guess the first should not be related to the issue I’ve seen: QtKeychain uses a job queue and hence will use libsecret sequentially, so I would think this cannot be the root cause.

For the second link: I just cross checked and from that issues it seems that problems have been introduced with v0.20.1 of libsecret. I checked what my app is using in the case it is built for Flatpak and - if the version history doesn’t betray me - I am on that version for nearly two years now. However, in the past loading of secrets used to work, so I am not sure if this might be related.

Thinking about it, I guess the only “moving target” that is (in my case) involved is the actual Flatpak software + runtime; not sure why/what in there could introduce a race condition like this…