I’ve recently returned to Sailfish OS and am trying to get back to development. Currently I’m trying to start using secrets manager but I can’t seem to get it working at all.
From what I found I need to add sailfishsecrets to PKGCONFIG but when I do that, I get this error:
Project ERROR: sailfishsecrets development package not found
Well, the error message states that you don’t have the sailfishsecrets development package installed in your target.
What’s missing is BuildRequires: pkgconfig(sailfishsecrets) in your .spec file. Or, if you prefer yaml, - sailfishsecrets in the PkgConfigBR section of the .yaml file.
Thanks, that worked! Now I get this error when deploying to emulator:
Unable to connect to secrets daemon: QDBusError("org.freedesktop.DBus.Error.FileNotFound", "Failed to connect to socket /run/user/100000/sailfishsecretsd/p2pSocket: No such file or directory") 1 "org.freedesktop.DBus.Error.FileNotFound"
You should have Requires: sailfishsecretsdaemon in your spec file. That way, when you deploy your app on the emulator, it will pull the daemon in with it. If I remember correctly, there’s still the issue that the daemon doesn’t start immediately after installing it, so you might need to restart the emulator after installation.
I’m afraid there isn’t. Someone should write that documentation. We do have Secrets and Crypto | Sailfish OS Documentation though, so it’s just one PR away. Another possibility would be adding it to the API documentation, which is currently only published as part of the SDK.
Bumping this because I’m also trying to get a simple secure storage for a password in pure QML, and am trying to navigate the maze that is the Secrets QML types.
Anyway, on my system, libsailfishsecrets-sqlcipher.so is in sailfishsecretsdaemon-secretsplugin-common, not sailfishsecretsdaemon-secretsplugins-default. (Note the plugin vs plugins naming difference.)
It is installed, but still, the error given above is output when running the following example code:
Output below. Packaging it in a “full” app with .desktop file and everything and running via sailfish-qml or invoker sailfish-qml gives the same error.
nemo@PGXperiiia10:~/tmp $ qmlscene testccr.qml
11:59:36.135 unknown:0 unknown Using Wayland-EGL
library "libGLESv2_adreno.so" not found
library "eglSubDriverAndroid.so" not found
library "vendor.qti.qspmhal@1.0.so" not found
11:59:38.426 qml: file:///home/nemo/tmp/testccr.qml:38 onResultChanged CCR: error: No such storage plugin exists: org.sailfishos.secrets.plugin.encryptedstorage.sqlcipher
Question. That is then a ‘device lock’ block level protected collection? Does that mean that with device unlock more than one app can access the collection, or are you doing this with an additional secret?
I don’t know, but now I have everything working (collection create, collection delete, secret save (but NOT secret update), secret load), when trying to delete a collection I get:
Request error: Collection QtQmlViewer is locked and requires device lock authentication
I think you’ve answered my question! Looks like you have to force device lock auth. I’m not sure how it’s done, but, it’s sure to be present in those areas of the Settings app like Developer where you’re prompted with the device lock?
I believe (but it’s only guesswork ATM) that access by others is managed by the SecretManager.accessControlMode -> enum AccessControlMode which has OwnerOnlyMode, SystemAccessControlMode, and NoAccessControlMode, although I understand other applications can not access foreign collections by design. See secretmanager.h#L48
What I find is that ‘owning application’ is determined with great bias, as a secret created by e.g.
Ok, that’s reassuring. The use case I’m looking at (tooter mastodon api keys) I’m not sure if it makes more sense just to store encrypted values. I believe you now have an encrypted store/collection with ‘plain values’?
You mean that addition of the parameter alone leads to a denial? Hmmmm. That might make sense if qmlscene could ‘leak’ secrets depending on how it’s called?