Transitional system for KWallet to SecretService

Marco Martin requested to merge work/mart/SecretServiceMigration into master

As discussed on the issue plasma/plasma-desktop#138 we want to gradually migrate to Secret Service on the backend side and QtKeyChain on the client side fading out the KWallet API.

But we need to support the kwallet api for the time being as well, since on our side it will take time to port everything to QtKeychain and there are also 3rd parties using kwallet, such as chromium.

This patch converts the old KWallet daemon to a new "ksecretd" service exposing only the pre-existing secret service api, while introducing a new "kwallet" daemon which exposes the kwallet dbus api and translates it to secret service calls, using either ksecretd (the old kwallet) with flexibility to move to any other SecretService provider without having multiple storage providers. If something else is used instead of ksecretd it will perform a data migration of all the wallets as secret service collections in the relevant Secret Service storage.

Architecture synopsis:

  • ksecretd exports org.freedesktop.secrets on dbus, but also the same api on org.kde.secretservicecompat, to not fail in case some other secretservice provider was running
  • org.kde.secretservicecompat is dbus activatable
  • kwalletd reads UseKWalletBackend in kwalletrc
  • if true, will forward to secretservice api using org.kde.secretservicecompat, so we are sure we are using the old kwallet backend provided by ksecretd which will be automatically spawned due to dbus activation
  • if false will use org.freedesktop.secrets and do data migration to the new service (saving in kwalletrc the wallets that it successfully migrated so it is not done twice)
  • it uses the same metadata structure that QtKeychain is using, so if an app is ported later, it shouldn't require a further step of data migration

Testing instructions:

  • back up the entire content of ~/.local/share/kwalletd/
  • build the branch
  • make sure kwalletmanager is not running
  • kill kwalletd6
  • start the newly built one
  • ensure ksecretd has been started as well
  • now it can be tested with kwalletmanager, client applications etc
Edited by Marco Martin
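
The testing steps above as a shell pre-flight (an added example, not part of the merge request or the project's code). It assumes `busctl` is installed and that the manager's process name contains `kwalletmanager`; the archive name and the function names are made up here.

```shell
#!/bin/sh
# Added example, not project code. Default path follows the testing
# instructions; the archive name and process-name match are assumptions.
WALLET_DIR="${WALLET_DIR:-$HOME/.local/share/kwalletd}"

# Archive the wallet directory with owner-only permissions, then confirm the
# archive lists as many non-directory entries as the source holds.
backup_wallets() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no wallet directory at $src" >&2; return 1; }
    ( umask 077 && tar -C "$(dirname "$src")" -czf "$dest" "$(basename "$src")" ) || return 1
    want=$(find "$src" ! -type d | wc -l)
    got=$(tar -tzf "$dest" | grep -v '/$' | wc -l)
    [ "$want" -eq "$got" ] || { echo "backup incomplete: $got of $want" >&2; return 1; }
}

# Print the owner of a session-bus name. GetNameOwner never triggers D-Bus
# activation, so a missing daemon is reported instead of silently spawned.
bus_owner() {
    busctl --user call org.freedesktop.DBus /org/freedesktop/DBus \
        org.freedesktop.DBus GetNameOwner s "$1" 2>/dev/null
}

# Before starting the new build: manager closed, backup taken, old daemon stopped.
prepare() {
    if pgrep kwalletmanager >/dev/null; then
        echo "kwalletmanager is running; close it first" >&2; return 1
    fi
    backup_wallets "$WALLET_DIR" "$HOME/kwalletd-backup-$(date +%Y%m%d-%H%M%S).tar.gz" || return 1
    pkill -x kwalletd6 || true
}

# After starting the new build: report who owns each Secret Service name and
# fail if nothing owns the compat name that ksecretd is expected to export.
verify() {
    for name in org.kde.secretservicecompat org.freedesktop.secrets; do
        owner=$(bus_owner "$name") || owner="(no owner)"
        echo "$name -> $owner"
    done
    bus_owner org.kde.secretservicecompat >/dev/null
}

case "${1:-}" in
    prepare) prepare ;;
    verify)  verify ;;
esac
```

Run it with `prepare` before starting the new kwalletd and with `verify` afterwards; differing owners for the two names mean another Secret Service provider holds org.freedesktop.secrets.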
