New secret service #125

infeo · 2026-02-03T16:21:52Z

I remember that we did a migration between keychains for macOS. It was done in the main project, see https://github.com/cryptomator/cryptomator/blob/a7b8541912adce80744eed1640abd98991c32420/src/main/java/org/cryptomator/ui/preferences/GeneralPreferencesController.java#L103-L121.

Or is there a reason that the migration cannot be done on a higher level?

coderabbitai · 2025-12-21T10:27:49Z

⚠️ Potential issue | 🟠 Major

Replace assertion with proper error handling.

Using assert for error checking in production code is an anti-pattern because assertions can be disabled via the -da JVM flag. If the replace operation fails and assertions are disabled, execution will continue silently past a critical error.

🔎 Proposed fix

var itemProps = Item.createProperties(label, newAttribs); var replace = collection.createItem(itemProps, secret, true); - assert replace.isSuccess() : "Replacing migrated item failed"; + if (!replace.isSuccess()) { + LOG.error("Replacing migrated item {} failed: {}", i.getPath(), replace.error()); + continue; + } item.delete();

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

assert replace.isSuccess() : "Replacing migrated item failed";

var itemProps = Item.createProperties(label, newAttribs);

var replace = collection.createItem(itemProps, secret, true);

if (!replace.isSuccess()) {

LOG.error("Replacing migrated item {} failed: {}", i.getPath(), replace.error());

continue;

}

item.delete();

🤖 Prompt for AI Agents

In src/main/java/org/cryptomator/linux/keychain/SecretServiceKeychainAccess.java around line 185, replace the assertion "assert replace.isSuccess() : ..." with explicit error handling: check if replace.isSuccess() is false, log an error with context and any available details from the replace result (e.g. replace.toString() or a getError/getMessage accessor), and then fail-fast by throwing an appropriate unchecked exception (IllegalStateException or a specific custom exception) so failure cannot be skipped when assertions are disabled; ensure any necessary cleanup or rollback is performed before throwing.

@purejava What is the reason not checking the success status of collection.createItem() ?

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@purejava What is the reason not checking the success status of collection.createItem() ?

Yes, this should be checked, there is no reason to omit such a check. But, probably we do not need SecretServiceKeychainAccess#migrateKDEWalletEntries() at all, when we use GeneralPreferencesController#migrateKeychainEntries() instead, as you noted.

I wasn't aware of this feature and I am about to test, whether migrateKeychainEntries() does work with all keychain backends on Linux, once the method is enabled for Linux as well.

infeo · 2026-02-03T16:18:29Z

As the bot pointed out: Do we require to disable the tests if no DISPLAY is available?

Hi @infeo, I understand the bot to mean, that DISPLAY is not set for Wayland and the guard only works for x server sessions.

And I understand your question to mean, whether to disable the guard, when DISLPLAY is not set?

To my understanding, the guard already checks that: when DISPLAY contains anything, so an x server is available, the test is run.

The guard checks, whether we are on a system with a display and not on CI, so in the end whether DBus is available, right? So my suggestion is to use @EnabledIfEnvironmentVariable(named = "DBUS_SESSION_BUS_ADDRESS", matches = ".*") instead.

The bot pointed out, that the "is-supported" method (and all other methods), do not depend on the DISPLAY variable.

I don't know Linux good, but to my understanding DBus is not tied to a graphical user interface. It is independent of it. Hence, yes we should check wether dbus is available on the system.

You are right. DBus is independent of a graphical user interface. I wasn't aware of that. Nevertheless, the change mentioned above checks exactly what is needed here. I'll commit it.

-Original file line number
+Diff line change
@@ Expand Up / @@ -44,6 +44,7 @@ @@
     		<jackson.version>2.20.1</jackson.version>
     		<secret-service.version>2.0.1-alpha</secret-service.version>
     		<kdewallet.version>1.4.0</kdewallet.version>
+    		<secret-service-02.version>1.1.0</secret-service-02.version>
     		<flatpakupdateportal.version>1.1.0</flatpakupdateportal.version>
     		<appindicator.version>1.4.2</appindicator.version>
@@ Expand Down Expand Up / @@ -103,6 +104,11 @@ @@
     			<artifactId>kdewallet</artifactId>
     			<version>${kdewallet.version}</version>
     		</dependency>
+    		<dependency>
+    			<groupId>org.purejava</groupId>
+    			<artifactId>secret-service</artifactId>
+    			<version>${secret-service-02.version}</version>
+    		</dependency>
     		<!-- Java bindings for appindicator -->
     		<dependency>
     			<groupId>org.purejava</groupId>
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ @@
     import org.cryptomator.linux.autostart.FreedesktopAutoStartService;
     import org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess;
     import org.cryptomator.linux.keychain.KDEWalletKeychainAccess;
+    import org.cryptomator.linux.keychain.SecretServiceKeychainAccess;
     import org.cryptomator.linux.quickaccess.DolphinPlaces;
     import org.cryptomator.linux.quickaccess.NautilusBookmarks;
     import org.cryptomator.linux.revealpath.DBusSendRevealPathService;
@@ Expand All / @@ -21,12 +22,13 @@ @@
     	requires org.purejava.kwallet;
     	requires org.purejava.portal;
     	requires de.swiesend.secretservice;
+    	requires org.purejava.secret;
     	requires java.xml;
     	requires java.net.http;
     	requires com.fasterxml.jackson.databind;
     	provides AutoStartProvider with FreedesktopAutoStartService;
-    	provides KeychainAccessProvider with GnomeKeyringKeychainAccess, KDEWalletKeychainAccess;
+    	provides KeychainAccessProvider with SecretServiceKeychainAccess, GnomeKeyringKeychainAccess, KDEWalletKeychainAccess;
     	provides RevealPathService with DBusSendRevealPathService;
     	provides TrayMenuController with AppindicatorTrayMenuController;
     	provides QuickAccessService with NautilusBookmarks, DolphinPlaces;
@@ Expand Down @@

Original file line number	Diff line number	Diff line change
Expand Up		@@ -193,3 +193,4 @@ private boolean walletIsOpen() throws KeychainAccessException {

		}
		}

-Original file line number
+Diff line change
@@ -1,2 +1,3 @@
+    org.cryptomator.linux.keychain.SecretServiceKeychainAccess
     org.cryptomator.linux.keychain.KDEWalletKeychainAccess
     org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess

-Original file line number
+Diff line change
@@ Expand Up / @@ -87,4 +87,4 @@ public static boolean gnomeKeyringAvailableAndUnlocked() { @@
     		}
     	}
-    }
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New secret service #125

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

infeo Feb 3, 2026

Uh oh!

coderabbitai bot Dec 21, 2025 •

edited

Loading

Uh oh!

infeo Feb 4, 2026

Uh oh!

coderabbitai bot Feb 4, 2026

Uh oh!

purejava Feb 4, 2026

Uh oh!

infeo Feb 3, 2026

Uh oh!

purejava Feb 4, 2026

Uh oh!

infeo Feb 4, 2026

Uh oh!

purejava Feb 4, 2026

Uh oh!

-Original file line number
+Diff line change
@@ -0,0 +1,91 @@
+    package org.cryptomator.linux.keychain;
+    import org.cryptomator.integrations.keychain.KeychainAccessException;
+    import org.junit.jupiter.api.Assertions;
+    import org.junit.jupiter.api.BeforeAll;
+    import org.junit.jupiter.api.MethodOrderer;
+    import org.junit.jupiter.api.Nested;
+    import org.junit.jupiter.api.Order;
+    import org.junit.jupiter.api.Test;
+    import org.junit.jupiter.api.TestMethodOrder;
+    import org.junit.jupiter.api.condition.EnabledIf;
+    import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable;
+    import java.io.IOException;
+    import java.util.List;
+    import java.util.UUID;
+    import java.util.concurrent.TimeUnit;
+    /**
+     * Unit tests for Secret Service access via Dbus.
+     */
+    @EnabledIfEnvironmentVariable(named = "DISPLAY", matches = ".*")
+    public class SecretServiceKeychainAccessTest {
+    	private static boolean isInstalled;
+    	@BeforeAll
+    	public static void checkSystemAndSetup() throws IOException {
+    		ProcessBuilder dbusSend = new ProcessBuilder("dbus-send", "--print-reply", "--dest=org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus.ListNames");
+    		ProcessBuilder grep = new ProcessBuilder("grep", "-q", "org.freedesktop.secrets");
+    		try {
+    			Process end = ProcessBuilder.startPipeline(List.of(dbusSend, grep)).get(1);
+    			if (end.waitFor(1000, TimeUnit.MILLISECONDS)) {
+    				isInstalled = end.exitValue() == 0;
+    			} else {
+    				isInstalled = false;
+    			}
+    		} catch (InterruptedException e) {
+    			Thread.currentThread().interrupt();
+    		}
+    	}
+    	@Test
+    	public void testIsSupported() {
+    		var service = new SecretServiceKeychainAccess();
+    		Assertions.assertEquals(isInstalled, service.isSupported());
+    	}
+    	@Nested
+    	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+    	@EnabledIf("serviceAvailableAndUnlocked")
+    	class FunctionalTests {
+    		static final String KEY_ID = "cryptomator-test-" + UUID.randomUUID();
+    		final static SecretServiceKeychainAccess KEYRING = new SecretServiceKeychainAccess();
+    		@Test
+    		@Order(1)
+    		public void testStore() throws KeychainAccessException {
+    			KEYRING.isSupported(); // ensure encrypted session
+    			KEYRING.storePassphrase(KEY_ID, "cryptomator-test", "p0ssw0rd");
+    		}
+    		@Test
+    		@Order(2)
+    		public void testLoad() throws KeychainAccessException {
+    			var passphrase = KEYRING.loadPassphrase(KEY_ID);
+    			Assertions.assertNotNull(passphrase);
+    			Assertions.assertEquals("p0ssw0rd", String.copyValueOf(passphrase));
+    		}
+    		@Test
+    		@Order(3)
+    		public void testDelete() throws KeychainAccessException {
+    			KEYRING.deletePassphrase(KEY_ID);
+    		}
+    		@Test
+    		@Order(4)
+    		public void testLoadNotExisting() throws KeychainAccessException {
+    			var result = KEYRING.loadPassphrase(KEY_ID);
+    			Assertions.assertNull(result);
+    		}
+    		public static boolean serviceAvailableAndUnlocked() {
+    			var service = new SecretServiceKeychainAccess();
+    			return service.isSupported() && !service.isLocked();
+    		}
+    	}
+    }

New secret service #125

Are you sure you want to change the base?

Uh oh!

New secret service #125

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

infeo Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

infeo Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

purejava Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

infeo Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

purejava Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

infeo Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

purejava Feb 4, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Dec 21, 2025 •

edited

Loading