keepassxc "open" mode not working in non-english environment #3468

Closed
MorphBonehunter opened this issue Jan 11, 2024 · 5 comments · Fixed by #3471
Labels
bug Something isn't working


@MorphBonehunter

Describe the bug

After the release of v2.44.0 I tried to use the new open mode of keepassxc, because I plan to use a lot of secrets and opening/closing the database for every call isn't optimal, and keeping the database open could maybe lead to a speed increase.
After setting the mode to open, chezmoi apply hangs. The process list shows the open command but no password prompt is shown.
After a quick check of the code, Enter password to unlock is expected, but as my system has

LANG=de_DE.UTF-8
LC_COLLATE=C
LANGUAGE=de:en

I got Passwort zum Entsperren von.

So I can work around this with LANGUAGE=en chezmoi apply, but then I got errors for opening the temporary attachment file

error calling keepassxcAttachment: open /tmp/chezmoi-keepassxc3644937192/file: no such file or directory

I'm not sure if the follow-up error is related, but I have no idea how to debug this further.

To reproduce

Set keepassxc mode to open and run LANGUAGE=de chezmoi apply.

Expected behavior

The template should render correctly.

@halostatue halostatue added the bug Something isn't working label Jan 11, 2024
@twpayne
Owner

twpayne commented Jan 11, 2024

> So I can work around this with LANGUAGE=en chezmoi apply, but then I got errors for opening the temporary attachment file

What is the KeePassXC template function that you are using and what are its exact arguments?

@MorphBonehunter
Author

MorphBonehunter commented Jan 11, 2024

Ahh... sorry, you are right, I missed that part.
This is the template used:

cat private_dot_ssh/private_id_ed25519.tmpl
{{ if (and (eq .chezmoi.hostname "cassandra") (eq .chezmoi.username "daniel")) -}}
{{ keepassxcAttachment "SSH / GPG/Firm - ed25519" "dwe@somedomain.de" }}
{{- end -}}

This works if I do not use the open mode, but leads to the error if I use it:

LANGUAGE=en chezmoi --debug apply
2024-01-11T20:00:37+01:00 INF ReadFile component=system data="{{ if (and (eq .chezmoi.hostname \"cassandra\") (eq .chezmoi.usern..." name=/home/daniel/.local/share/chezmoi/private_dot_ssh/private_id_ed25519.tmpl size=166
2024-01-11T20:00:37+01:00 INF MkdirTemp tempDir=/tmp/chezmoi-keepassxc3807481411
2024-01-11T20:00:37+01:00 INF Start args=["keepassxc-cli","open","/mnt/Nextcloud/KeePassXC_dwe/Vault.kdbx"] path=/usr/sbin/keepassxc-cli start=2024-01-11T20:00:37+01:00
2024-01-11T20:00:45+01:00 INF RemoveAll tempDir=/tmp/chezmoi-keepassxc3807481411
chezmoi: template: private_dot_ssh/private_id_ed25519.tmpl:2:3: executing "private_dot_ssh/private_id_ed25519.tmpl" at <keepassxcAttachment "SSH / GPG/Firm - ed25519" "dwe@somedomain.de">: error calling keepassxcAttachment: open /tmp/chezmoi-keepassxc3890023639/dwe@somedomain.de: no such file or directory

Maybe this is a race condition, as the output seems to indicate that the tempDir is removed before the file read?

BTW: I don't want to overload this issue, but maybe it could be a better idea to use the MemfdCreate function (at least on Linux) so as not to have accessible files linger, but as I'm not a developer I do not know which dependencies this has.

@twpayne
Owner

twpayne commented Jan 13, 2024

Thank you for the follow-up. It turns out that there were several problems, all of which should be fixed by #3471.

Firstly, the prompt localization should be fixed by chezmoi now setting the LANGUAGE=en environment variable when invoking keepassxc-cli, as you identified. I did a fair amount of reading on localization (including this entertaining epic rant), and it seems that LANGUAGE is indeed the correct environment variable to set, and not LC_ALL or LANG.

Secondly, in:

{{ keepassxcAttachment "SSH / GPG/Firm - ed25519" "dwe@somedomain.de" }}

The first argument (SSH / GPG/Firm - ed25519) is the entry name. This includes slashes, so it's actually an entry in a subgroup of a KeePassXC group, and it includes spaces, which means extra quoting is required when interacting with keepassxc-cli open. With #3471, chezmoi should now handle KeePassXC's groups correctly and handle spaces (and other non-word characters) in KeePassXC entry and group names.

Thirdly, chezmoi was using the attachment name (the second argument, i.e. dwe@somedomain.de) as a temporary filename, even though the entry name is not necessarily a valid filename. #3471 changes this to always use a valid filename, irrespective of the attachment name.

Finally, to respond to a couple of your questions:

> Maybe this is a race condition, as the output seems to indicate that the tempDir is removed before the file read?

It's not evident from the logs, but there is no race condition here. The RemoveAll line is emitted during chezmoi's cleanup (it uses Go's defer keyword to remove the temporary directory, no matter how the function exits). The error message is only printed after the function has exited, so it appears after the cleanup has happened, even though the actual error occurred before the cleanup.

> BTW: I don't want to overload this issue, but maybe it could be a better idea to use the MemfdCreate function (at least on Linux) so as not to have accessible files linger, but as I'm not a developer I do not know which dependencies this has.

This is very interesting, thank you. I did not know about MemfdCreate (which calls the memfd_create syscall). In this specific case, it's not currently possible to use it because keepassxc-cli needs a path on the file system to write the attachment to, and MemfdCreate only creates a file descriptor, not an actual file in the filesystem (note: maybe we can use /dev/fd/$FILENO as a filename, but this is likely OS-dependent). That said, MemfdCreate looks like a much better way for chezmoi to create temporary files, and I'll investigate where chezmoi can use it.
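The log ordering explained in the comment above (cleanup logged before the error is printed, with no race involved) can be reproduced in a few lines of Go. This is an added example, not chezmoi's code: `readAttachment`, `run` and the `events` slice are hypothetical names, and the attachment name is the one from the template in this issue.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// events records what happens in order, standing in for the debug log.
var events []string

// readAttachment is a hypothetical stand-in for the failing template function:
// it creates a temporary directory, defers its removal, and then fails to read
// a file that was never written there.
func readAttachment(name string) ([]byte, error) {
	tempDir, err := os.MkdirTemp("", "example-keepassxc")
	if err != nil {
		return nil, err
	}
	events = append(events, "MkdirTemp")
	defer func() {
		// Runs when readAttachment returns, on success and on error alike.
		os.RemoveAll(tempDir)
		events = append(events, "RemoveAll")
	}()

	data, err := os.ReadFile(filepath.Join(tempDir, name))
	if err != nil {
		events = append(events, "read failed")
		return nil, err // the deferred cleanup runs after this statement
	}
	return data, nil
}

// run reports the error the way a caller would: only after readAttachment,
// and therefore its deferred cleanup, has finished.
func run() []string {
	events = nil
	if _, err := readAttachment("dwe@somedomain.de"); err != nil {
		events = append(events, "error printed")
	}
	return events
}

func main() {
	fmt.Println(run())
}
```

The read fails while the directory still exists; `RemoveAll` only appears earlier in the output because the error is reported by the caller.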

@MorphBonehunter
Author

Hey @twpayne, thanks for your detailed explanation (and thanks for the link to the language stuff rant! 🤣).

Regarding the memfd, I couldn't quickly find any indication whether a similar function also exists in OSX or Windows, so I would guess this is sadly only useful on Linux. Maybe this blog post is worth a read for the file path problem.

@MorphBonehunter
Author

MorphBonehunter commented Jan 14, 2024

@twpayne unfortunately I have to come back to this issue, as the fix from #3471 has side effects in open mode.
After updating and configuring open mode, the password was correctly asked for, but my SSH public keys are changed:

chezmoi apply
diff --git a/.ssh/id_ed25519_underverse.pub b/.ssh/id_ed25519_underverse.pub
index c4c248ca9831d6f9d8cb7a910bdb06884e4b68b2..e4418f91ecd026655301c19a84c0d2947b3976a5 100644
--- a/.ssh/id_ed25519_underverse.pub
+++ b/.ssh/id_ed25519_underverse.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ZrFoBYwruxZLLBo6OWDjppsR1On/vuC6cgWMc0j/P underverse
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ZrFoBYwruxZLLBo6OWDjppsR1On/vuC6cgWMc0j/P underverse

First I thought it was some kind of whitespace stuff... but then my keychain was not happy about the files anymore:

.ssh/id_ed25519_underverse.pub is not a public key file

So I took a closer look, and the generated files do have some control sequences (seems to be the end of Bracketed Paste Mode) in front of the line:

cat -A .ssh/id_ed25519_underverse.pub
^[[?2004l^Mssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ZrFoBYwruxZLLBo6OWDjppsR1On/vuC6cgWMc0j/P underverse$

The used template for this is:

cat private_dot_ssh/id_ed25519_underverse.pub.tmpl
{{- keepassxcAttribute "SSH / GPG/Underverse - ed25519" "public-key" }}

The keepassxcAttachment and the keepassxc functions are working and the keepassxcAttribute is also working again after disabling the open mode.
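A check for the symptom reported in the comment above, as an added example that is not chezmoi's code or its fix: it validates a rendered public key line and shows that the `ESC[?2004l` + CR prefix seen in the `cat -A` output is what makes the file invalid. The names `stripTerminalControl`, `isPublicKeyLine` and `reported` are hypothetical; the key line is the one quoted in this issue.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"regexp"
	"strings"
)

// reported is the file content from the issue (^[ is ESC, ^M is CR, $ is LF).
const reported = "\x1b[?2004l\rssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ZrFoBYwruxZLLBo6OWDjppsR1On/vuC6cgWMc0j/P underverse\n"

// csi matches ANSI CSI sequences such as ESC [ ? 2004 l (bracketed paste off):
// parameter bytes 0x30-0x3F, intermediate bytes 0x20-0x2F, one final byte.
var csi = regexp.MustCompile(`\x1b\[[0-?]*[ -/]*[@-~]`)

// stripTerminalControl removes CSI sequences and carriage returns from output
// captured from a terminal-attached process.
func stripTerminalControl(s string) string {
	return strings.ReplaceAll(csi.ReplaceAllString(s, ""), "\r", "")
}

// isPublicKeyLine checks the "<type> <base64> [comment]" layout and that the
// length-prefixed key type inside the base64 blob matches the type field.
func isPublicKeyLine(line string) bool {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return false
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil || len(blob) < 4 {
		return false
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if uint64(n) > uint64(len(blob)-4) {
		return false
	}
	return string(blob[4:4+n]) == fields[0]
}

func main() {
	fmt.Println(isPublicKeyLine(reported))                       // as rendered
	fmt.Println(isPublicKeyLine(stripTerminalControl(reported))) // after cleaning
}
```

Running a validator like this over rendered key files catches terminal control bytes that a plain `diff` or `cat` does not display.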

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 22, 2024