paolostivanin / OTPClient

Highly secure and easy to use OTP client written in C/GTK3 that supports both TOTP and HOTP
GNU General Public License v3.0

How does secret service integration work? #338

Closed AmirHosseinKarimi closed 5 months ago

AmirHosseinKarimi commented 5 months ago

According to #275, new versions of OTPClient do not ask for the password and are opened by the power of the secret service. As a user, I am worried about the security of my database file. Also, as a programmer, I want to know how it works.

So, in past versions the database file was encrypted with a password, and OTPClient asked for that password to open the database. But where is the password stored in the current version?

I'd appreciate it if someone explained this important change in detail.

paolostivanin commented 5 months ago

Hello, secret service integration is provided by libsecret, a widely used library, so I trust those devs to have built something secure :smile: A short gist about libsecret can be found here: https://superuser.com/questions/1527816/what-is-libsecret , while what is secret service can be found here: https://specifications.freedesktop.org/secret-service/latest/

If you don't trust secret service, you can always disable it by toggling "Settings -> Enable secret service".

AmirHosseinKarimi commented 5 months ago

Hi, it's not about whether I trust this service or not. As a user, I wonder when the software does not ask for the password. When it happened for the first time, I wondered whether I had changed any setting that removed the password and decreased my database file's security.

Finally, I think it is a good idea to show a message to the user informing them about the changes applied in the new version and the settings that have been changed automatically.

paolostivanin commented 5 months ago

It actually should show an info bar when upgrading from a non-enabled secret service installation to one that supports it (https://github.com/paolostivanin/OTPClient/blob/b31ec26b3e66d41716342c281f2c2609b0f259db/src/app.c#L287).