yousefvand / secret-service

Service to keep secrets of applications
MIT License

Maybe an enhancement security wise #15

Closed jonas-w closed 1 year ago

jonas-w commented 2 years ago

First of all, thanks for creating this neat little program.

As you stated yourself, this is absolutely not secure.

So I created a neat little pinentry script to make it maybe more secure.

This probably isn't top-notch security, but it is at least better than storing the password in the systemd file.

My approach is not using systemd; it is using the autostart of whatever DE you use. I use sway and put it there as "exec $HOME/scripts/pinentry-secretservice.sh". And it works flawlessly.

It stores the entered password in $HOME/.secretservicepw hashed with sha512 and checks if it was right (if the file already existed). If it was wrong, it will reprompt until you cancel the pinentry.

Then later it will create an md5 hash from a sha256 hash of the entered password. md5sums are exactly 32 characters long.

If everything was right, MASTERPASSWORD gets set and then secretserviced will be started.

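```bash
#!/bin/bash
# ask for password
PINENTRY_OUT=$(printf 'SETPROMPT Unlock secretservice:\nGETPIN\n' | pinentry-gnome3)
# pinentry answers a cancelled dialog with an ERR line; test only that line,
# so a password that contains "cancel" is not mistaken for a cancellation
if grep -qi '^ERR .*cancel' <<<"$PINENTRY_OUT"; then
  echo "User cancelled"
  exit
fi
# extract password (the "D <pin>" data line)
pw=$(printf '%s\n' "$PINENTRY_OUT" | grep "^D " | cut -d' ' -f2-)
# hash it for the comparison with .secretservicepw in $HOME
# (quoted, so spaces and glob characters in the password are hashed as typed)
pw512=$(printf '%s\n' "$pw" | sha512sum | cut -d' ' -f1)

# if file exists verify it matches else create it and go on (probably first run)

if [ -f "$HOME/.secretservicepw" ]; then
  if [[ "$pw512" != "$(cat "$HOME/.secretservicepw")" ]]; then
      # retry: restart this script, which prompts again
      exec "$0"
      exit
  fi
else
  # create the hash file readable by the owner only
  ( umask 077; echo "$pw512" > "$HOME/.secretservicepw" )
fi

# generate 32 character string from $pw

MASTERPASSWORD=$(printf '%s\n' "$pw" | sha256sum | cut -d' ' -f1 | md5sum | cut -d' ' -f1)
export MASTERPASSWORD
# now finally run secretserviced
cd "$HOME" || exit 1

/usr/local/bin/secretserviced &
```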
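
A variant of the script's two hashing steps, as an added example that is not part of the original comment or the project's code: it replaces the unsalted SHA-512 check file and the md5-of-sha256 derivation with one salted scrypt call, whose output is split into the 32-character MASTERPASSWORD and a stored verifier, so each offline guess against the file costs a full scrypt run. The state-file path, its JSON layout and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# scrypt cost parameters, about 16 MiB of memory per guess (assumed values)
SCRYPT = {"n": 2**14, "r": 8, "p": 1}

def _derive(password: str, salt: bytes):
    """One scrypt call -> (32-char hex master password, hex verifier)."""
    out = hashlib.scrypt(password.encode(), salt=salt, dklen=48, **SCRYPT)
    return out[:16].hex(), out[16:].hex()

def unlock(password: str, state_path: str) -> Optional[str]:
    """Return the master password, or None if the password is wrong.

    First run (no state file): pick a random salt, store salt + verifier.
    """
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except FileNotFoundError:
        salt = secrets.token_bytes(16)
        master, verifier = _derive(password, salt)
        # O_EXCL + 0600: refuse to reuse an existing file, owner-only access
        fd = os.open(state_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"salt": salt.hex(), "verifier": verifier}, fh)
        return master
    master, verifier = _derive(password, bytes.fromhex(state["salt"]))
    # constant-time comparison of recomputed and stored verifier
    if hmac.compare_digest(verifier, state["verifier"]):
        return master
    return None

if __name__ == "__main__":
    import getpass
    path = os.path.expanduser("~/.secretservice-state.json")  # hypothetical path
    master = unlock(getpass.getpass("Unlock secretservice: "), path)
    if master is None:
        raise SystemExit("wrong password")
    os.environ["MASTERPASSWORD"] = master
    os.execv("/usr/local/bin/secretserviced", ["secretserviced"])
```

The verifier and the master password come from disjoint parts of the scrypt output, so the state file never contains the value exported as MASTERPASSWORD.
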
yousefvand commented 1 year ago

Thanks for your concern. This way the user needs to enter the password every time, which I'm avoiding.