Libsecret schema for os_crypt is incompatible with gnome-keyring.
Issue description

In the current implementation of libsecret for os_crypt, the schema used is not compatible with any possible schema from gnome-keyring. More specifically, libsecret can use a special schema name, of which keyring is not aware. As a result, it is impossible to create an implementation for gnome-keyring, such that the user can upgrade from gnome-keyring to libsecret without losing access to their local profile.

A solution is to migrate any existing keys stored by libsecret into a new schema, which will be compatible with gnome keyring. Since the problematic implementation has reached beta (M52), the code should continue to expect entries in the old schema.

Notes:
- gnome-keyring is a deprecated library for storing passwords in Gnome, whose successor is libsecret.
- There are still gnome machines that use the old library.
- Support in os_crypt for these libraries began being implemented in reverse chronological order.
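The lookup-and-migrate order proposed in the description, modelled with an in-memory keyring. This is an added example, not Chromium's code; the schema names and the `Lookup` and `GetKey` helpers are hypothetical, and keeping the old entry after the copy is an assumption.

```cpp
#include <map>
#include <string>
#include <utility>

// In-memory stand-in for the keyring: (schema name, application) -> secret.
// Real code would call the keyring library; this model has no dependencies.
typedef std::map<std::pair<std::string, std::string>, std::string> Keyring;

// Hypothetical schema names, not taken from the Chromium source.
const char kOldSchema[] = "example_libsecret_only_schema";
const char kNewSchema[] = "example_shared_schema";

// Returns the stored secret, or nullptr if the schema has no entry for `app`.
const std::string* Lookup(const Keyring& ring, const std::string& schema,
                          const std::string& app) {
  Keyring::const_iterator it = ring.find(std::make_pair(schema, app));
  return it == ring.end() ? nullptr : &it->second;
}

// Returns the encryption key for `app`, migrating from the old schema if
// needed. `generate` is called only when neither schema holds an entry.
template <typename Gen>
std::string GetKey(Keyring& ring, const std::string& app, Gen generate) {
  // 1. Prefer the new schema, the one both libraries can address.
  if (const std::string* key = Lookup(ring, kNewSchema, app)) return *key;

  // 2. Fall back to the old schema and copy the entry forward unchanged, so
  //    data encrypted with the existing key stays readable. The old entry is
  //    left in place here (an assumption; the page does not say either way).
  if (const std::string* old_key = Lookup(ring, kOldSchema, app)) {
    std::string copy = *old_key;
    ring[std::make_pair(std::string(kNewSchema), app)] = copy;
    return copy;
  }

  // 3. First run: create the key directly under the new schema.
  std::string fresh = generate();
  ring[std::make_pair(std::string(kNewSchema), app)] = fresh;
  return fresh;
}
```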
Aug 22 2016
dvadym@ suggested that we could scope encryption keys to a profile while we're at it. This allows migrating a profile to a new encryption key, without damaging other profiles. The problem is that os_crypt is initialized before profile initialisation. It should not be possible to use profile information at that point. In what circumstances would we migrate a profile and how likely is that we do? If the scenario is just hypothetical, I don't think it is worth solving beforehand. The other os_crypt implementations (including mac) don't scope the key either.
Aug 22 2016
Aug 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/02da78d1d5cb36b3e40afd72e40c0c0cc6883c41

commit 02da78d1d5cb36b3e40afd72e40c0c0cc6883c41
Author: cfroussios <cfroussios@chromium.org>
Date: Tue Aug 30 09:27:05 2016

Migrate Libsecret for OSCrypt to a new schema

Schemas for gnome-keyring and libsecret are not 100% interchangeable. To support gnome-keyring, we need to use equivalent schemas in both libraries. This will allow a user to upgrade their machine from gnome-keyring to libsecret, without chrome losing access to OSCrypt's encryption key.

We correct the unfortunate initial choice for a schema by copying entries to the new schema. As a bonus, this will correct the mislabeling of some entries (see crbug/640603)

BUG= 639298
Review-Url: https://codereview.chromium.org/2273723002
Cr-Commit-Position: refs/heads/master@{#415254}

[modify] https://crrev.com/02da78d1d5cb36b3e40afd72e40c0c0cc6883c41/components/os_crypt/key_storage_libsecret.cc
[modify] https://crrev.com/02da78d1d5cb36b3e40afd72e40c0c0cc6883c41/components/os_crypt/key_storage_libsecret.h
[modify] https://crrev.com/02da78d1d5cb36b3e40afd72e40c0c0cc6883c41/components/os_crypt/os_crypt_util_linux_unittest.cc
Aug 30 2016
Comment 1 by cfroussios@chromium.org, Aug 22 2016