Re: gnome-keyring [PATCH] Unlock keyrings using GPG-encrypted password

[Herr Oswald <herr_oswald gmx de>]

Hello Michał,

thanks for your message. Unluckily - it's beyond my abilities to
implement it. But your approach sounds pretty smart. I cannot really
estimate the security level - but certainly much better than without
any password, I guess.

I still think that there is a great demand for something like that -
the many requests for "auto login without password" seem to be an
indicator.

I'd strongly appreciate if your solution would be evaluated, optimized,
probabely enhanced - and merged into GNOME. What can we do to achieve
this?

Cheers,
Wolf

Am Donnerstag, den 08.06.2017, 09:14 +0200 schrieb Michał Górny:
> Hi,
>
> I'm sorry about not sending it earlier. Here's patch I was talking
> about. As I said, it's pretty dumb. Set a random keyring password
> first,
> then encrypt it in a file <keyring_name>.gpg and put into keyrings
> dir,
> e.g. if your keyring is 'login.keyring' in ~/.gnome2/keyrings:
>
>   umask 077
>   echo mypassword > ~/.gnome2/keyrings/login
>   gpg -e ~/.gnome/keyrings/login
>
> It will ask about your user ID, you select to encrypt to yourself
> and after building gnome-keyring with the patch you should get GPG
> password dialog (to decrypt the password) before the normal dialog
> (asking for password).
>
> ---
>  pkcs11/wrap-layer/gkm-wrap-prompt.c | 66
> +++++++++++++++++++++++++++++++++++++
>  1 file changed, 66 insertions(+)
>
> diff --git a/pkcs11/wrap-layer/gkm-wrap-prompt.c b/pkcs11/wrap-
> layer/gkm-wrap-prompt.c
> index 71bc14da..4bba2997 100644
> --- a/pkcs11/wrap-layer/gkm-wrap-prompt.c
> +++ b/pkcs11/wrap-layer/gkm-wrap-prompt.c
> @@ -165,11 +165,77 @@ auto_unlock_object_digest (CK_ATTRIBUTE_PTR
> attrs, CK_ULONG n_attrs)
>  }
>  
>  static gchar*
> +auto_unlock_try_gpg (CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
> +{
> +     CK_ATTRIBUTE_PTR attr;
> +     gchar* directory;
> +     gchar* path;
> +     gchar* argv[4];
> +     gchar* password;
> +     gint exitst;
> +     GError* err;
> +
> +     attr = gkm_attributes_find (attrs, n_attrs, CKA_ID);
> +     if (attr == NULL)
> +             return NULL;
> +
> +     directory = gkm_util_locate_keyrings_directory();
> +     path = g_strdup_printf("%s/%s.gpg", directory, (gchar*)attr-
> > pValue);
> +     g_free(directory);
> +
> +     if (!g_file_test(path, G_FILE_TEST_IS_REGULAR))
> +     {
> +             g_free(path);
> +             return NULL;
> +     }
> +
> +     argv[0] = "gpg";
> +     argv[1] = "-d";
> +     argv[2] = path;
> +     argv[3] = NULL;
> +
> +     if (!g_spawn_sync(NULL, argv, NULL,
> +                     G_SPAWN_SEARCH_PATH|G_SPAWN_CHILD_INHERITS_S
> TDIN,
> +                     NULL, NULL,
> +                     &password, NULL,
> +                     &exitst, &err))
> +     {
> +             fprintf(stderr, "Error spawning key decrypt: %s\n",
> +                             err->message);
> +             g_free(path);
> +             return NULL;
> +     }
> +
> +     g_free(path);
> +
> +     if (!g_spawn_check_exit_status(exitst, &err))
> +     {
> +             fprintf(stderr, "Key decrypt exit abnormally: %s\n",
> +                             err->message);
> +             g_free(password);
> +             return NULL;
> +     }
> +
> +     g_strchomp(password);
> +     if (!*password)
> +     {
> +             g_free(password);
> +             return NULL;
> +     }
> +
> +     return password;
> +}
> +
> +static gchar*
>  auto_unlock_lookup_keyring (CK_ATTRIBUTE_PTR attrs, CK_ULONG
> n_attrs)
>  {
>       gchar *location;
>       gchar *password;
>  
> +     password = auto_unlock_try_gpg(attrs, n_attrs);
> +     if (password)
> +             return password;
> +
>       location = auto_unlock_keyring_location (attrs, n_attrs);
>       if (location == NULL)
>               return NULL;