Tuesday, 2018-07-03

*** frinring_ is now known as frinring01:56
dcalisteHello chriadam, how are you?07:01
chriadamdcaliste: hi!07:02
chriadamI'm well thanks07:02
chriadamhow are you?07:02
dcalisteFine, thank you. I've some questions ;)07:03
chriadamsure :-)07:03
dcalisteI would like to store key passphrases in a secret collection. I create the collection with DeviceLock and DeviceLockKeepUnlocked.07:05
dcalisteThen, I can store a secret inside, I've checked with the setting page that my secret exists.07:05
dcalisteAs long as the daemon is running, it's fine, then, passphrase is retrieved from storage.07:06
dcalisteBut when I stop the daemon, and restart it, my collection is locked (there is a lock icon in the setting page).07:06
dcalisteAnd I don't know how to unlock it.07:07
chriadamvery strange... let me do a quick test on my device07:08
dcalisteThere is no dialog poping up saying that the collection is locked and should be unlocked for access.07:08
chriadamwe don't pop up such a dialog automatically07:08
dcalisteMaybe I miss some parameter on collection creation…07:08
chriadamyou have to tap on the (locked) collection in the settings page to trigger the unlock fow07:08
dcalisteCould the unlock flow be triggered by a request in an app?07:08
chriadamthe "automatically trigger unlock flow when an operation is attempted" work is TODO07:09
dcalisteNot just in the setting?07:09
chriadamdcaliste: yes07:09
dcalisteOk, so currently I'll put the code in pinentry to unlock if locked.07:09
dcalisteGood, good.07:09
chriadamI'm wrong07:09
chriadamLockCodeRequest allows lock/unlock of plugin or metadatadb, not collection...07:10
chriadamcollection WILL be automatically unlocked if you attempt to access it07:10
chriadamI mean the unlock flow will be triggered automatically07:10
chriadamso if that's failing... that is bad, it means that the devicelock key was unable to be regenerated upon daemon restart07:10
chriadamlet me test on device, one sec07:10
dcalisteAh, so the message in daemon, was "unable to ensure the authenticity of caller" or something like that (from memory).07:11
chriadamPassword Agent was unable to verify the authenticity of the user07:16
chriadamthis can occur if the security UI is running in a different session for some reason, although I don't fully understand why that's the case.07:17
chriadamI can reproduce the issue.  I will investigate tomorrow - thankyou very much for reporting that07:17
dcalisteGreat, sorry for the additional work!07:17
chriadamdcaliste: no problem.  so, if you tap on the collection from the Settings/Keys page, it does trigger the unlock flow for that collection07:19
chriadambut I don't understand why that doesn't work for an application (e.g. shell script) run from nemo terminal07:19
dcalisteWell, in fact no, and I have no message in daemon as far as I remember. I'm reproducing… But yes, my testing work flow is to run 'gpg2 -s toto' in terminal as nemo through ssh.07:21
chriadamquick investigation shows a crash07:23
chriadam(gdb) bt07:23
chriadam#0  0xb6c6a2f4 in QVariant::QVariant(QVariant const&) () from /usr/lib/libQt5Core.so.507:23
chriadam#1  0x2a04250e in QList<QVariant>::takeFirst (this=this@entry=0xbeffef4c) at /usr/include/qt5/QtCore/qlist.h:55207:23
chriadam#2  0x2a061d44 in Sailfish::Secrets::Daemon::ApiImpl::RequestProcessor::authenticationCompleted (this=0x2a113908, callerPid=<optimized out>, requestId=8,07:23
chriadam    result=...) at SecretsImpl/secretsrequestprocessor.cpp:620107:23
chriadamunguarded takeFirst()07:23
chriadamI will continue investigation tomorrow, thanks!07:23
chriadamdcaliste: any other questions?07:23
chriadamby the way, we branched 2.2.1 yesterday07:23
chriadamso I will hopefully merge gpg plugin this week07:23
dcalisteAnother (simpler) question: I've put a setting in /desktop/sailfish/secrets/storeGnuPGPassphrases (boolean), is it the right place?07:23
chriadamdcaliste: dconf?  heh.  this is an ongoing question for us internally...07:24
chriadamshort answer is: dconf is fine07:24
dcalisteAnd related question, if I want to make a UI for this, where should I put it?07:24
chriadamlong answer is: long term, we think we need to unify how we store settings, currently different apps use different things (.conf files in /etc which is very bad if we want readonly root partition, dconf which has issues with access control enforcement, .ini files in /home/nemo/.local/share/system/privileged/Contacts etc which ...)07:25
dcalisteBecause, caching passphrase is comfortable but some people will want to disable this.07:25
chriadamdcaliste: install a subpage to Settings application is the usual way.07:25
chriadamthe email app may have an example of that07:26
dcalisteYeh, but that's for application, here I don't have an application… It may go to somewhere in the key setting page, but I don't see where.07:27
chriadamdcaliste: I see07:29
chriadamthat Keys settings page is super rough, IMO07:29
chriadamit was rushed big time, and Martin Schuele will no doubt want to make many many changes to it in the nearish future07:29
dcalisteYes, so maybe keep in mind a little setting to store passphrases ;)07:30
chriadamso I suspect that such settings can go in there (per-plugin settings, perhaps programmatically generated toggles from plugin .json or something?)07:30
chriadamyes, and something like that also might be possible (e.g. reduced security but more convenient)07:30
dcalisteLast question: I've added account settings in QMF to add for an email account if we desire digital signature, the key id to be used and the protocol.07:33
dcalisteI would like to add a UI to set these beside the checkbox "append a signature" in the account setting page for instance. May I request to have access to jolla-settings-accounts-extensions-email repo for this?07:33
chriadamit's probably just part of jolla-settings-accounts.  yes, although all of the accounts framework stuff is extremely horrible at the moment, mostly because I had no idea what I was doing when I originally started work on the accounts stuff.07:34
dcalisteI've added an issue in bitbucket to discuss these design choices: https://bitbucket.org/jolla/ui-jolla-email/issues/2/design-discussion-on-signature-process-and07:34
chriadamdcaliste: however I cannot give access to such things, and this week rainemak + pvuorela + jpetrell are on vacation07:34
chriadamrainemak should be back next week, if you poke him about that then, he can ask about getting you access07:34
dcalisteNo problem, it's not in a hurry and you can discuss internally when they are back if that's reasonable or not.07:35
chriadamgreat, will do.  poke me so I don't forget, next week :-)07:35
dcalisteNice, thank you.07:37
chriadamok, if nothing else, I need to head off for the night - have a great week :-)07:38
dcalisteSure, have a good night. See you next week.07:38
*** cvp is now known as sailfishmods08:18
*** feodoran is now known as Guest7025123:49
*** feodoran_ is now known as feodoran23:49

Generated by irclog2html.py 2.17.1 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!