KeePassXC prompts to create new database even though there is an unlocked one in use #7839

Closed
mrusme opened this issue Apr 8, 2022 · 12 comments

Comments

@mrusme

mrusme commented Apr 8, 2022

Overview

[Screenshot: screenshot_2022-04-08-140746]

Maybe this has something to do with this and/or this. I've created a fresh database in KeePassXC 2.7.1 (Gentoo Linux) and have KeePassXC running with it unlocked. When I launch Element for the first time, I get the create database popup from KeePassXC, instead of simply utilizing the existing database.

Steps to Reproduce

  1. Create a fresh database with KeePassXC 2.7.1 and keep it running and unlocked
  2. Launch element-desktop

Expected Behavior

element-desktop should simply add its key to the existing, currently opened database.

Actual Behavior

KeePassXC shows the "New Database" window.

Context

Gentoo Linux, Wayland, Sway

KeePassXC - 2.7
Revision: 1

Operating System: Linux
Desktop Env: Sway
Windowing System: Wayland

@Aetf
Contributor

Aetf commented Apr 9, 2022

Could you paste here the output of the following command (mask any byte array which can reveal your password)?

dbus-monitor "destination=org.freedesktop.secrets" "sender=org.freedesktop.secrets"

@mrusme
Author

mrusme commented Apr 9, 2022

@Aetf ran the command you posted and launched element-desktop. Entered my passphrase when asked about it, then the New database popup showed up, which I cancelled, then I quit element-desktop and stopped the command. Here's the output:

signal time=1649543943.143444 sender=org.freedesktop.DBus -> destination=:1.85 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.85"
signal time=1649543943.143457 sender=org.freedesktop.DBus -> destination=:1.85 serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
   string ":1.85"
method call time=1649543950.417929 sender=:1.94 -> destination=:1.6 serial=7 path=/org/freedesktop/secrets; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "org.freedesktop.Secret.Service"
method call time=1649543950.418173 sender=:1.6 -> destination=org.freedesktop.DBus serial=38 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.94"
method return time=1649543950.418177 sender=org.freedesktop.DBus -> destination=:1.6 serial=18 reply_serial=38
   uint32 31807
method call time=1649543950.418798 sender=:1.6 -> destination=org.freedesktop.DBus serial=39 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.94"
method return time=1649543950.418802 sender=org.freedesktop.DBus -> destination=:1.6 serial=19 reply_serial=39
   uint32 31807
method call time=1649543950.419205 sender=:1.6 -> destination=org.freedesktop.DBus serial=40 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=AddMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.94',arg2=''"
method return time=1649543950.419401 sender=:1.6 -> destination=:1.94 serial=41 reply_serial=7
   array [
      dict entry(
         string "Collections"
         variant             array [
               object path "/org/freedesktop/secrets/collection/all_ciphers_are_bad"
            ]
      )
   ]
method call time=1649543950.420839 sender=:1.94 -> destination=:1.6 serial=8 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=OpenSession
   string "dh-ietf1024-sha256-aes128-cbc-pkcs7"
   variant       array of bytes [
      ]
method return time=1649543950.423138 sender=:1.6 -> destination=:1.94 serial=42 reply_serial=8
   variant       array of bytes [
      ]
   object path "/org/freedesktop/secrets/session/d4fa235e93cb46a5ba2292316b671072"
method call time=1649543950.424644 sender=:1.94 -> destination=:1.6 serial=9 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
   array [
      dict entry(
         string "account"
         string "@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
      )
      dict entry(
         string "service"
         string "element.io"
      )
      dict entry(
         string "xdg:schema"
         string "org.freedesktop.Secret.Generic"
      )
   ]
signal time=1649543953.947245 sender=:1.6 -> destination=(null destination) serial=43 path=/org/freedesktop/secrets/prompt/d9c6bda5dab840299c05639358f2ce8f; interface=org.freedesktop.Secret.Prompt; member=Completed
   boolean false
   variant       array [
         object path "/org/freedesktop/secrets/collection/all_ciphers_are_bad"
      ]
signal time=1649543953.947611 sender=:1.6 -> destination=(null destination) serial=44 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CollectionChanged
   object path "/org/freedesktop/secrets/collection/all_ciphers_are_bad"
signal time=1649543953.948517 sender=:1.6 -> destination=(null destination) serial=45 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CollectionDeleted
   object path "/org/freedesktop/secrets/collection/all_ciphers_are_bad"
signal time=1649543953.948526 sender=:1.6 -> destination=(null destination) serial=46 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CollectionChanged
   object path "/"
method return time=1649543953.948880 sender=:1.6 -> destination=:1.94 serial=47 reply_serial=9
   array [
   ]
   array [
   ]
method call time=1649543953.949350 sender=:1.94 -> destination=:1.6 serial=10 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
   array [
      dict entry(
         string "account"
         string "@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
      )
      dict entry(
         string "service"
         string "riot.im"
      )
      dict entry(
         string "xdg:schema"
         string "org.freedesktop.Secret.Generic"
      )
   ]
method return time=1649543953.949440 sender=:1.6 -> destination=:1.94 serial=48 reply_serial=10
   array [
   ]
   array [
   ]
method call time=1649543953.999135 sender=:1.94 -> destination=:1.6 serial=11 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
   array [
      dict entry(
         string "account"
         string "seshat|@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
      )
      dict entry(
         string "service"
         string "element.io"
      )
      dict entry(
         string "xdg:schema"
         string "org.freedesktop.Secret.Generic"
      )
   ]
method return time=1649543953.999277 sender=:1.6 -> destination=:1.94 serial=49 reply_serial=11
   array [
   ]
   array [
   ]
method call time=1649543954.000510 sender=:1.94 -> destination=org.freedesktop.secrets serial=12 path=/org/freedesktop/secrets/aliases/default; interface=org.freedesktop.Secret.Collection; member=CreateItem
   array [
      dict entry(
         string "org.freedesktop.Secret.Item.Attributes"
         variant             array [
               dict entry(
                  string "account"
                  string "seshat|@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
               )
               dict entry(
                  string "service"
                  string "element.io"
               )
               dict entry(
                  string "xdg:schema"
                  string "org.freedesktop.Secret.Generic"
               )
            ]
      )
      dict entry(
         string "org.freedesktop.Secret.Item.Label"
         variant             string "element.io/seshat|@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
      )
   ]
   struct {
      object path "/org/freedesktop/secrets/session/d4fa235e93cb46a5ba2292316b671072"
      array of bytes [
      ]
      array of bytes [
      ]
      string "text/plain"
   }
   boolean true
error time=1649543954.000563 sender=:1.6 -> destination=:1.94 error_name=org.freedesktop.DBus.Error.UnknownObject reply_serial=12
   string "No such object path '/org/freedesktop/secrets/aliases/default'"
method call time=1649543954.000716 sender=:1.94 -> destination=org.freedesktop.secrets serial=13 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CreateCollection
   array [
      dict entry(
         string "org.freedesktop.Secret.Collection.Label"
         variant             string "Default keyring"
      )
   ]
   string "default"
method return time=1649543954.000811 sender=:1.6 -> destination=:1.94 serial=51 reply_serial=13
   object path "/"
   object path "/org/freedesktop/secrets/prompt/bca0b4331eb44fc2825c9cb563c72df1"
method call time=1649543954.001194 sender=:1.94 -> destination=:1.6 serial=20 path=/org/freedesktop/secrets/prompt/bca0b4331eb44fc2825c9cb563c72df1; interface=org.freedesktop.Secret.Prompt; member=Prompt
   string ""
method return time=1649543954.001249 sender=:1.6 -> destination=:1.94 serial=52 reply_serial=20
signal time=1649543959.490777 sender=:1.6 -> destination=(null destination) serial=53 path=/org/freedesktop/secrets/prompt/bca0b4331eb44fc2825c9cb563c72df1; interface=org.freedesktop.Secret.Prompt; member=Completed
   boolean true
   variant       object path "/"
method call time=1649543959.491145 sender=:1.94 -> destination=org.freedesktop.secrets serial=23 path=/org/freedesktop/secrets/aliases/default; interface=org.freedesktop.Secret.Collection; member=CreateItem
   array [
      dict entry(
         string "org.freedesktop.Secret.Item.Attributes"
         variant             array [
               dict entry(
                  string "account"
                  string "seshat|@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
               )
               dict entry(
                  string "service"
                  string "element.io"
               )
               dict entry(
                  string "xdg:schema"
                  string "org.freedesktop.Secret.Generic"
               )
            ]
      )
      dict entry(
         string "org.freedesktop.Secret.Item.Label"
         variant             string "element.io/seshat|@xxxxxxxxx:matrix.org|XXXXXXXXXXXX"
      )
   ]
   struct {
      object path "/org/freedesktop/secrets/session/d4fa235e93cb46a5ba2292316b671072"
      array of bytes [
      ]
      array of bytes [
      ]
      string "text/plain"
   }
   boolean true
error time=1649543959.491203 sender=:1.6 -> destination=:1.94 error_name=org.freedesktop.DBus.Error.UnknownObject reply_serial=23
   string "No such object path '/org/freedesktop/secrets/aliases/default'"
method call time=1649543962.678997 sender=:1.6 -> destination=org.freedesktop.DBus serial=55 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.94',arg2=''"

@Aetf
Contributor

Aetf commented Apr 9, 2022

Thanks for the output. In the log, the error was the "default" alias not found. Thus the program went ahead to try to create one.

Have you exposed a group to the secret service after creating the new database? By default, no groups or entries are exposed via the secret service for security reasons.
So you need to manually select a group to expose (Database -> Database Settings -> Secret Service Integration).

Also, there was another program creating and deleting a collection called "all_ciphers_are_bad" while you were running the command.
It was that program that triggered the passphrase entering prompt, and it likely has nothing to do with element-desktop.
Are you aware of such a program? At least it looks rather suspicious to me.

Edit: I just realized, you didn't unlock the database before launching element-desktop, right? The passphrase prompt was
triggered by auto unlocking. And the deletion was because there is no exposed group set in the database, so once
unlocked, the collection representing the database was immediately deleted as it contains nothing.
Everything looks fine.

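As an added diagnostic example (not code from the KeePassXC project or from anyone in this thread): a small Python parser that reads a dbus-monitor capture the way Aetf read the log above. It pairs each method call with its return or error and reports the three records that explain the "New Database" window: the CollectionDeleted signal for a database that exposes no group, the UnknownObject error when the client addresses the "default" alias, and the client's CreateCollection fallback whose reply carries a prompt path. The embedded sample is a constructed, abridged copy of the records posted above; the function names and finding codes are my own.

```python
"""Explain why a Secret Service client ended up calling CreateCollection, from a
dbus-monitor capture of org.freedesktop.secrets (added example, not project code)."""
import re
from dataclasses import dataclass, field

DEFAULT_ALIAS = "/org/freedesktop/secrets/aliases/default"

# Header of every dbus-monitor record: kind, timestamp, sender, destination, then
# key=value fields such as serial, reply_serial, path, interface, member, error_name.
HEADER = re.compile(
    r"^(?P<kind>method call|method return|error|signal) time=(?P<time>[\d.]+) "
    r"sender=(?P<sender>\S+) -> destination=(?P<dest>\(null destination\)|\S+)"
    r"(?: (?P<rest>.*))?$"
)
FIELD = re.compile(r"(\w+)=(\S+?);?(?=\s|$)")
OBJECT_PATH = re.compile(r'object path "([^"]*)"')


@dataclass
class Message:
    kind: str
    time: float
    sender: str
    dest: str
    fields: dict
    args: list = field(default_factory=list)  # indented argument lines, verbatim

    def object_paths(self):
        return OBJECT_PATH.findall("\n".join(self.args))


def parse_monitor(text):
    """Turn dbus-monitor output into Message records; argument lines are indented."""
    msgs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            fields = dict(FIELD.findall(m["rest"] or ""))
            msgs.append(Message(m["kind"], float(m["time"]), m["sender"], m["dest"], fields))
        elif msgs and line.startswith(" ") and line.strip():
            msgs[-1].args.append(line.strip())
    return msgs


def pair_replies(msgs):
    """Match each method call to its return or error: the reply is addressed to the
    call's unique sender name and carries reply_serial == the call's serial, which
    works even when the call went to the well-known name org.freedesktop.secrets."""
    pending, pairs = {}, []
    for m in msgs:
        if m.kind == "method call":
            pending[(m.sender, m.fields.get("serial"))] = m
        elif m.kind in ("method return", "error"):
            call = pending.pop((m.dest, m.fields.get("reply_serial")), None)
            if call is not None:
                pairs.append((call, m))
    return pairs


def diagnose(text):
    """Return (code, detail) findings in time order."""
    msgs = parse_monitor(text)
    findings = []
    for m in msgs:
        if m.kind == "signal" and m.fields.get("member") == "CollectionDeleted":
            # The service dropped a collection; for KeePassXC this is a database with no exposed group.
            findings.append((m.time, "collection_deleted", m.object_paths()[0]))
    for call, reply in pair_replies(msgs):
        member = call.fields.get("member")
        if (reply.kind == "error"
                and reply.fields.get("error_name", "").endswith(".UnknownObject")
                and call.fields.get("path") == DEFAULT_ALIAS):
            # The "default" alias resolves to nothing: no collection is exposed.
            findings.append((reply.time, "no_default_collection", member))
        elif member == "CreateCollection" and reply.kind == "method return":
            # Spec: CreateCollection returns (collection, prompt); a prompt other than
            # "/" means user interaction is needed, which KeePassXC shows as "New Database".
            paths = reply.object_paths()
            findings.append((reply.time, "client_created_collection", paths[1] if len(paths) > 1 else "/"))
    return [(code, detail) for _, code, detail in sorted(findings)]


# Constructed sample: an abridged copy of the records from the capture in this thread.
SAMPLE_LOG = """\
signal time=1649543953.948517 sender=:1.6 -> destination=(null destination) serial=45 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CollectionDeleted
   object path "/org/freedesktop/secrets/collection/all_ciphers_are_bad"
method call time=1649543954.000510 sender=:1.94 -> destination=org.freedesktop.secrets serial=12 path=/org/freedesktop/secrets/aliases/default; interface=org.freedesktop.Secret.Collection; member=CreateItem
   array [
   ]
   boolean true
error time=1649543954.000563 sender=:1.6 -> destination=:1.94 error_name=org.freedesktop.DBus.Error.UnknownObject reply_serial=12
   string "No such object path '/org/freedesktop/secrets/aliases/default'"
method call time=1649543954.000716 sender=:1.94 -> destination=org.freedesktop.secrets serial=13 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=CreateCollection
   string "default"
method return time=1649543954.000811 sender=:1.6 -> destination=:1.94 serial=51 reply_serial=13
   object path "/"
   object path "/org/freedesktop/secrets/prompt/bca0b4331eb44fc2825c9cb563c72df1"
"""

if __name__ == "__main__":
    for code, detail in diagnose(SAMPLE_LOG):
        print(code, detail)
```

Run it against a real capture with `dbus-monitor "destination=org.freedesktop.secrets" "sender=org.freedesktop.secrets" > capture.txt` and `diagnose(open("capture.txt").read())`, after masking any byte arrays as Aetf asked. A quicker check that needs no capture is to ask the service directly whether the alias resolves: `dbus-send --session --print-reply --dest=org.freedesktop.secrets /org/freedesktop/secrets org.freedesktop.Secret.Service.ReadAlias string:default` returns the object path "/" when no collection is exposed, and the exposed group's collection path once one is selected in Database Settings.
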
@droidmonkey
Member

I didn't realize we would "force" creation of a new database if no existing collection was defined. That seems like undesired behavior. I don't even think an error message is needed, just ignore the request.

@Aetf
Contributor

Aetf commented Apr 10, 2022

It's not us who "force" create a new database. Likely it's the client library libsecrets.
After finding out there's no default collection, it simply goes ahead with a normal CreateCollection call.

@droidmonkey
Member

Right, what I mean is to not implement the CreateCollections interface. Just ignore it, or make it an option to ignore (not desired).

@Aetf
Contributor

Aetf commented Apr 10, 2022

What about making the CreateCollection prompt the user to select an exposed group of an existing database?
That's better discoverability and still matches the semantics.

We've seen multiple times that the user doesn't know/forgets to select an exposed group, so this makes sense to me.

@mrusme
Author

mrusme commented Apr 10, 2022

So you need to manually select a group to expose (Database -> Database Settings -> Secret Service Integration).

Exactly this, thank you very much. I did this and now it works. Still not smoothly, though. Now, every time I open element-desktop, I get an approval window where I can select "Allow Selected", "Allow All & Future", "Remember", "Deny All & Future" and "Details >>".

I had "Remember" checked and tried "Allow Selected" as well as "Allow All & Future", yet I'm still getting this popup every time element-desktop launches.

Is there another hidden setting where I could tell KeePassXC to allow element-desktop to access this specific key forever? At the end of the day, it was element-desktop that created it in the first place.

@droidmonkey
Member

droidmonkey commented Apr 10, 2022

@Aetf that is a much better idea and implementation.

@mrusme you can disable confirmation prompts in the application settings, FDO Secrets

@mrusme
Author

mrusme commented Apr 10, 2022

@droidmonkey I would like to confirm, but only if a different program should try to access the key. Is there a way for KeePassXC to remember the program binary's sha hash or something and not request me to agree until the hash changes/it's an entirely different program?

@droidmonkey
Member

It's another request entirely on the issue board.

@Aetf
Contributor

Aetf commented Apr 10, 2022

@mrusme there's element-hq/element-web#7571.
