quexten / goldwarden
A feature-packed Bitwarden compatible desktop client
License: MIT License
Since we already have SSH agent, git signing and ssh login can be done via the ssh agent. However, some actions (signing Goldwarden release packages ;) ) cannot be done with SSH keys.
Instead, we could implement: https://pkg.go.dev/github.com/prep/gpg/agent and add a GPG key encoding for secure notes.
$ goldwarden vault login --email [email protected]
Login failed: Could not login: could not pre-login: Bad Request: {"message":"Traffic from your network looks unusual. Connect to a different network or try again later. [Error Code 6]"}
I have no problems logging into the browser extension or anything else like that, nor have I ever seen a message like this from any other application.
A small GUI for setup + flatpak support would be nice, since it's fundamentally a desktop app and things should not have to be done through the CLI.
(Regardless, CLI will still be the main supported way).
I've completed all the setup steps and am attempting to login for the first time with `goldwarden vault login`. On my Vaultwarden instance I have both FIDO2 and TOTP configured for 2FA. After the password prompt I get a prompt `Fido2 PIN: Enter your token's PIN`, however I'm not able to complete this. I don't have a PIN set on my Yubikey for FIDO2, and I can't get past this prompt. I've tried submitting it blank (since there is no PIN) and with the actual FIDO2 payload but it crashes the same way. Looking at logs it's mentioning a segfault/nil pointer dereference:
$ goldwarden vault login --email [email protected]
panic: interface conversion: interface {} is nil, not messages.IPCMessage
goroutine 1 [running]:
github.com/quexten/goldwarden/client.UnixSocketClient.SendToAgent({0x8e37a0?}, {0x8e37a0, 0xc00020c660})
/home/runner/work/goldwarden/goldwarden/client/unixsocketclient.go:63 +0x269
github.com/quexten/goldwarden/cmd.glob..func7(0xc8ee20?, {0x927d03?, 0x2?, 0x2?})
/home/runner/work/goldwarden/goldwarden/cmd/login.go:28 +0xd8
github.com/spf13/cobra.(*Command).execute(0xc8ee20, {0xc0001a2ea0, 0x2, 0x2})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0xa91
github.com/spf13/cobra.(*Command).ExecuteC(0xc8b4a0)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x425
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/quexten/goldwarden/cmd.Execute({0x0, 0x0, {0x0, 0x0}, 0x0, {0xc0001a8bd0, 0x2c}, 0x0, 0x0, {0x0, ...}, ...})
/home/runner/work/goldwarden/goldwarden/cmd/root.go:35 +0x1fb
main.main()
/home/runner/work/goldwarden/goldwarden/main.go:83 +0x978
$ journalctl --user -u goldwarden
Dec 30 19:15:03 debian systemd[3395]: Started goldwarden.service - "Goldwarden daemon".
Dec 30 19:15:03 debian goldwarden[35621]: [INF] [19:15] [Goldwarden > Keyring] >>> Creating new memguard keyring
Dec 30 19:15:03 debian goldwarden[35621]: [INF] [19:15] [Goldwarden > SSH] >>> SSH Agent listening on /home/user/.goldwarden-ssh-agent.sock
Dec 30 19:15:03 debian goldwarden[35621]: [INF] [19:15] [Goldwarden > Agent] >>> Agent listening on /home/user/.goldwarden.sock...
Dec 30 19:15:03 debian goldwarden[35621]: Blocking, press ctrl+c to continue...
Dec 30 19:18:55 debian goldwarden[35621]: [INF] [19:18] [Goldwarden > Pinentry] >>> Asking for pin |Unlock Goldwarden|Enter the vault PIN|
Dec 30 19:18:59 debian goldwarden[35621]: [INF] [19:18] [Goldwarden > Pinentry] >>> Got pin from user
Dec 30 19:19:02 debian goldwarden[35621]: [INF] [19:19] [Goldwarden > Pinentry] >>> Asking for pin |Bitwarden Password|Enter your Bitwarden password|
Dec 30 19:19:13 debian goldwarden[35621]: [INF] [19:19] [Goldwarden > Pinentry] >>> Got pin from user
Dec 30 19:19:13 debian goldwarden[35621]: [INF] [19:19] [Goldwarden > Pinentry] >>> Asking for pin |Fido2 PIN|Enter your token's PIN|
Dec 30 19:19:18 debian goldwarden[35621]: [INF] [19:19] [Goldwarden > Pinentry] >>> Got pin from user
Dec 30 19:19:19 debian goldwarden[35621]: panic: runtime error: invalid memory address or nil pointer dereference
Dec 30 19:19:19 debian goldwarden[35621]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x733830]
Dec 30 19:19:19 debian goldwarden[35621]: goroutine 278 [running]:
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/bitwarden/twofactor.Fido2TwoFactor({0xc0000341e0, 0x2b}, {0xc0001a2120, 0x2, 0x88fd00?}, 0xc0003c0380?)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/bitwarden/twofactor/fido2twofactor.go:80 +0x430
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/bitwarden/twofactor.PerformSecondFactor(0xc000292068, 0x25a?)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/bitwarden/twofactor/twofactor.go:26 +0x3e8
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/bitwarden.Perform2FA(0x380?, 0xc0001a2080, 0xc000002180, {0x9ec098, 0xc0000280f0})
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/bitwarden/auth.go:233 +0xd3
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/bitwarden.LoginWithMasterpassword({0x9ec098, 0xc0000280f0}, {0xc000290018, 0x14}, 0xc000002180, 0xe3a10cfb5cf091df?)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/bitwarden/auth.go:109 +0xd97
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/actions.handleLogin({0xc83190?, {0xc000414780?, 0x873b?, 0xeab?}}, 0xc000002180, 0xc00007e280, 0x4?)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/actions/login.go:38 +0x245
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent/actions.ensureIsNotLocked.func1({0xc0002a69e4?, {0xc000414780?, 0xc00015a507?, 0xa?}}, 0xc0001129a7?, 0x4?, 0xc0000ebf20)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/actions/actions.go:95 +0x1b7
Dec 30 19:19:19 debian goldwarden[35621]: github.com/quexten/goldwarden/agent.serveAgentSession({0x9ee470, 0xc0000be028}, {0xc0001a53f4?, 0x4?}, 0xc?, 0x4?)
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/unixsocketagent.go:67 +0x252
Dec 30 19:19:19 debian goldwarden[35621]: created by github.com/quexten/goldwarden/agent.StartUnixAgent.func8
Dec 30 19:19:19 debian goldwarden[35621]: /home/runner/work/goldwarden/goldwarden/agent/unixsocketagent.go:282 +0x55
Dec 30 19:19:19 debian systemd[3395]: goldwarden.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
I'm using Debian 12 Gnome/Wayland if it matters.
Cheers
Hi! Something I really like about the 1Password desktop app that I miss a lot in Bitwarden is the ability to just click "Ctrl+Shift+Space" and search for the account I want and then click "Ctrl+Shift+C" to get its password. It's great when the regular autofill misbehaves or something like that or if you want enter any credentials in a terminal.
Btw, few unrelated questions:
Right now goldwarden is only installable by direct download of the binary, or by compiling from source. Packages for at least arch / rpm / deb are needed.
In response to @mufeedali:
Polkit and the pin serve two different purposes (somewhat). Since we do not want to expose the vault to someone having access to the disk on boot (unencrypted main volume, etc), the pin is required to derive a key to decrypt the vault. If this were not the case, anyone with access to your (unencrypted) disk, or an unfortunate backup that captured the config, could access your vault.
Polkit only does authentication, no key derivation. Thus, it is only useful once the encryption key is already present in memory.
The two (not great) alternatives are: storing the key in libsecret - which makes the disk image unproblematic at least, but exposes the key to the user's other running processes. And alternatively, using no encryption, but this is just really not great, due to the mentioned attack above. Maybe I will introduce an environment variable such as `GOLDWARDEN_NO_PIN_THIS_EXPOSES_YOUR_VAULT_TO_YOUR_DISK=true`, so that way the user is aware of the risk.
Originally posted by @quexten in #46 (reply in thread)
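The distinction drawn in the comment above (a PIN feeds key derivation, polkit only answers yes or no), as an added Go example that is not goldwarden's code. PBKDF2-HMAC-SHA256 and AES-GCM stand in for the project's actual primitives, and `OnDisk`, `SealWithPIN`, `OpenWithPIN` and `AuthOnlyOpen` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdfRounds is a constructed value for this example, not a project setting.
const kdfRounds = 100_000

// deriveKey is PBKDF2-HMAC-SHA256 producing a single 32-byte block. It stands
// in for whatever KDF a real client uses (assumption).
func deriveKey(pin string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(pin))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfRounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// OnDisk is everything a disk image or backup of the config would contain.
type OnDisk struct {
	Salt, Nonce, Sealed []byte // PIN model: public parameters and ciphertext
	PlainKey            []byte // auth-only model: the vault key itself
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithPIN encrypts vaultKey under a key derived from the PIN.
func SealWithPIN(pin string, vaultKey []byte) (OnDisk, error) {
	d := OnDisk{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	if _, err := rand.Read(d.Salt); err != nil {
		return OnDisk{}, err
	}
	if _, err := rand.Read(d.Nonce); err != nil {
		return OnDisk{}, err
	}
	gcm, err := newGCM(deriveKey(pin, d.Salt))
	if err != nil {
		return OnDisk{}, err
	}
	d.Sealed = gcm.Seal(nil, d.Nonce, vaultKey, nil)
	return d, nil
}

// OpenWithPIN re-derives the key; a wrong PIN fails the GCM tag check.
func OpenWithPIN(pin string, d OnDisk) ([]byte, error) {
	gcm, err := newGCM(deriveKey(pin, d.Salt))
	if err != nil {
		return nil, err
	}
	if len(d.Nonce) != gcm.NonceSize() {
		return nil, errors.New("config holds no PIN-sealed key")
	}
	return gcm.Open(nil, d.Nonce, d.Sealed, nil)
}

// AuthOnlyOpen models a polkit-style gate: the running agent answers yes or
// no, so the key it releases must already be stored somewhere readable.
func AuthOnlyOpen(authorized bool, d OnDisk) ([]byte, error) {
	if !authorized {
		return nil, errors.New("authorization denied")
	}
	return d.PlainKey, nil
}

func main() {
	vaultKey := []byte("constructed vault key") // constructed sample value
	sealed, _ := SealWithPIN("4921", vaultKey)
	_, wrongErr := OpenWithPIN("0000", sealed)
	fmt.Printf("PIN model, copied config: plain key present=%v, wrong PIN: %v\n",
		sealed.PlainKey != nil, wrongErr)
	gated := OnDisk{PlainKey: vaultKey}
	_, deniedErr := AuthOnlyOpen(false, gated)
	fmt.Printf("auth-only, live agent: %v; copied config: plain key present=%v\n",
		deniedErr, gated.PlainKey != nil)
}
```

In the PIN model a copied config contains only salt, nonce and ciphertext, while in the auth-only model the gate is enforced by the live agent and the copied config still carries the key.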
Bitwarden is migrating to individual cipher key encryption. Will need to rewrite the core to support this.
Here is an example to illustrate the issue:
~/.mozilla ··········································································································································· 18:19:59
❯ goldwarden setup browserbiometrics
Found chrome-like browser: /home/anthonyfiddes/.config/google-chrome/NativeMessagingHosts
Found chrome-like browser: /home/anthonyfiddes/.config/thorium/NativeMessagingHosts
Done.
~/.mozilla ··········································································································································· 18:20:16
❯ mkdir native-messaging-hosts
~/.mozilla ··········································································································································· 18:20:17
❯ goldwarden setup browserbiometrics
Found chrome-like browser: /home/anthonyfiddes/.config/google-chrome/NativeMessagingHosts
Found chrome-like browser: /home/anthonyfiddes/.config/thorium/NativeMessagingHosts
Found mozilla-like browser: /home/anthonyfiddes/.mozilla/native-messaging-hosts
Done.
Maybe we could add instructions to the wiki page about this, since I'm not sure if goldwarden is supposed to create the folder, or if the folder is already supposed to exist and for some reason does not.
I personally use librewolf and cloned the repo to add `.librewolf` as a folder to search when I noticed this.
Ok I created an ssh key. Added the public key to the known_hosts. Made the change in .bashrc from the wiki. But it fails to login.
It is connecting to the agent but nothing happens. Am I missing something?
Jan 18 06:39:25 Archie goldwarden[1229]: [INF] [06:39] [Goldwarden > SSH] >>> SSH Agent connection accepted
Jan 18 06:41:54 Archie goldwarden[1229]: [INF] [06:41] [Goldwarden > SSH] >>> SSH Agent connection from kgx>bash>ssh
Ok something else I noticed when I do goldwarden ssh list I get a reply but when I do
ssh-add I get The Agent has no identities.
At the moment you have to use an unsandboxed daemon, with the socket mapped into the flatpak in order to be able to use fido2 in the flatpak. This could be circumvented by granting the flatpak an all-devices permission, which has the downside of being too broad and also marking the flatpak as unsafe on FlatHub.
The best way forward is a portal, such as proposed in:
flatpak/xdg-desktop-portal#989
When using the global autotype shortcut, we shouldn't need to approve the listing of credentials.
Sorry if this is another case of me not reading the documentation correctly, but from my understanding, once you select an entry in the autotype window, it's supposed to automatically type that out in the set text boxes, correct?
On my system, selecting and entering just closes the auto-type window. It does not type out anything.
I also noticed there are key shortcuts (by default, `u` for username and `p` for password) that can be used to copy either the username or password of the selected entry into the clipboard, but again, it does nothing on my system.
Video
https://youtu.be/VIrCcl2wDVs
Logs
flatpak
flatpak run com.quexten.Goldwarden
/app/bin/monitors/dbus_autofill_monitor.py:4: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '4.0') before import to ensure that the right version gets loaded.
from gi.repository import Gtk
IS daemon running False
running daemon
Failed err None
Flatpak Config directory: /home/zany130/.var/app/com.quexten.Goldwarden/config/goldwarden.json
[INF] [19:49] [Goldwarden > Keyring] >>> Creating new memguard keyring
[INF] [19:49] [Goldwarden > Agent] >>> Agent listening on /home/zany130/.var/app/com.quexten.Goldwarden/data/goldwarden.sock...
Blocking, press ctrl+c to continue...
[INF] [19:49] [Goldwarden > SSH] >>> SSH Agent listening on /home/zany130/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
[WRN] [19:49] [Goldwarden > Agent] >>> Could not monitor idle: org.freedesktop.DBus.Error.ServiceUnknown
autostart enabled..!?
(':1.15', '/org/freedesktop/portal/desktop/request/1_468/com/quexten/Goldwarden/13804143', 'org.freedesktop.portal.Request', 'Response', GLib.Variant('(ua{sv})', (0, {'background': <true>, 'autostart': <true>})), None)
/app/bin/settings.py:34: DeprecationWarning: Adw.ActionRow.set_icon_name is deprecated
self.ssh_row.set_icon_name("emblem-default")
[INF] [19:49] [Goldwarden > Pinentry] >>> Asking for pin |Unlock Goldwarden|Enter the vault PIN|
[INF] [19:49] [Goldwarden > Pinentry] >>> Got pin from user
[INF] [19:49] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [19:49] [Goldwarden > Auth] >>> Refreshing token
[INF] [19:49] [Goldwarden > Auth] >>> Refreshing using refresh token
[INF] [19:49] [Goldwarden > Auth] >>> Token refreshed
[INF] [19:49] [Goldwarden > Bitwarden API] >>> Performing full sync...
[INF] [19:49] [Goldwarden > Websocket] >>> Connected to websocket server...
[INF] [19:50] [Goldwarden > Bitwarden API] >>> Sync successful, initializing keyring and vault...
[INF] [19:50] [Goldwarden > Bitwarden API] >>> Reading 0 org keys...
[INF] [19:50] [Goldwarden > Bitwarden API] >>> Initializing keyring from user symmetric key...
[INF] [19:50] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [19:50] [Goldwarden > Bitwarden API] >>> Clearing vault...
[INF] [19:50] [Goldwarden > Bitwarden API] >>> Adding 563 ciphers to vault...
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:50] [Goldwarden > Websocket] >>> Invalid message received, length too short
/app/bin/autofill.py:6: PyGIWarning: Notify was imported without specifying a version first. Use gi.require_version('Notify', '0.7') before import to ensure that the right version gets loaded.
from gi.repository import Gtk, Adw, GLib, Notify
/app/bin/autofill.py:80: DeprecationWarning: Gtk.Widget.hide is deprecated
self.history_list.hide()
/app/bin/autofill.py:108: DeprecationWarning: Gtk.Widget.get_style_context is deprecated
self.history_list.get_style_context().add_class("boxed-list")
/app/bin/autofill.py:108: DeprecationWarning: Gtk.StyleContext.add_class is deprecated
self.history_list.get_style_context().add_class("boxed-list")
[INF] [19:50] [Goldwarden > Systemauth] >>> Checking permission for goldwarden with session type com.quexten.goldwarden.accessvault
[INF] [19:50] [Goldwarden > Biometrics] >>> Checking biometrics for com.quexten.goldwarden.accessvault
[INF] [19:50] [Goldwarden > Biometrics] >>> Biometrics result: true
[INF] [19:50] [Goldwarden > Systemauth] >>> Permission granted, creating session
[INF] [19:50] [Goldwarden > Pinentry] >>> Asking for approval |Approve List Credentials|zany130 on main.py>python3>goldwarden is trying access all credentials|
[INF] [19:50] [Goldwarden > Pinentry] >>> Got approval from user
/app/bin/autofill.py:64: DeprecationWarning: Adw.ActionRow.set_icon_name is deprecated
action_row.set_icon_name("dialog-password")
/app/bin/autofill.py:46: DeprecationWarning: Gtk.Widget.show is deprecated
self.history_list.show()
copy username
Failed to connect to a Wayland server: No such file or directory
Note: WAYLAND_DISPLAY is set to wayland-0
Note: XDG_RUNTIME_DIR is set to /run/user/1000
Please check whether /run/user/1000/wayland-0 socket exists and is accessible.
(autofill.py:1320): libnotify-WARNING **: 19:51:03.787: Running in confined mode, using Portal notifications. Some features and hints won't be supported
copy username
Failed to connect to a Wayland server: No such file or directory
Note: WAYLAND_DISPLAY is set to wayland-0
Note: XDG_RUNTIME_DIR is set to /run/user/1000
Please check whether /run/user/1000/wayland-0 socket exists and is accessible.
copy password
Failed to connect to a Wayland server: No such file or directory
Note: WAYLAND_DISPLAY is set to wayland-0
Note: XDG_RUNTIME_DIR is set to /run/user/1000
Please check whether /run/user/1000/wayland-0 socket exists and is accessible.
copy password
Failed to connect to a Wayland server: No such file or directory
Note: WAYLAND_DISPLAY is set to wayland-0
Note: XDG_RUNTIME_DIR is set to /run/user/1000
Please check whether /run/user/1000/wayland-0 socket exists and is accessible.
copy password
Failed to connect to a Wayland server: No such file or directory
Note: WAYLAND_DISPLAY is set to wayland-0
Note: XDG_RUNTIME_DIR is set to /run/user/1000
Please check whether /run/user/1000/wayland-0 socket exists and is accessible.
enter
secure.hulu.com
[WRN] [19:51] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:51] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:51] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:51] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
[WRN] [19:52] [Goldwarden > Websocket] >>> Invalid message received, length too short
Operating System: Garuda Linux
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.114.0
Qt Version: 5.15.12
Kernel Version: 6.7.0-3-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 5600X 6-Core Processor
Memory: 31.3 GiB of RAM
Graphics Processor: AMD Radeon RX 6700 XT
I was trying to setup Goldwarden on my Plasma EndeavourOS setup.
The setup commands were successful:
$ goldwarden setup polkit
failed setting selinux context
exit status 1
Polkit setup successfully
$ goldwarden setup systemd
Systemd setup successfully
$ goldwarden setup browserbiometrics
Native messaging host directory already exists: /home/mufeed/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/
Native messaging host directory already exists: /home/mufeed/.mozilla/native-messaging-hosts/
Found mozilla-like browser: /home/mufeed/.mozilla/native-messaging-hosts
Done.
I setup my environment variables as I did on my Tumbleweed setup to work well with the Flatpak (which is working fine, but uses a Plasma 6 dev build):
$ set -Ux GOLDWARDEN_SOCKET_PATH ~/.var/app/com.quexten.Goldwarden/data/goldwarden.sock
$ set -Ux GOLDWARDEN_SSH_AUTH_SOCK ~/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
$ set -Ux SSH_AUTH_SOCK ~/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
So I rebooted before setting up the vault (because of updates) and then come back and try to setup my vault. I get a polkit prompt and then I get the following error:
$ goldwarden vault pin set
Pin updating failed: pinentry: unexpected response: "S ERROR gtk2.isatty 83918950 "
My immediate response was to check GitHub issues and found #38. So I checked the response you had, saw the comment regarding the DISPLAY variable.
$ echo $DISPLAY
:1
Okay, that should be the issue. So I edited the service to set DISPLAY to 1 instead. And then I tried restarting the service. It works!
I setup everything and was happy. But I just turned on my device again, tried to use Goldwarden and I just don't get the pin prompt. So I tried running the pin set command again. Same error.
But it gets weirder. I restarted the goldwarden service using systemctl and now it works again... So now I wanted to know if it would keep working or if it would break. So I tried doing a soft-reboot and the issue is back... But again, simply restarting the service fixes it again...
Very lost right now
Installed goldwarden from the AUR
following https://github.com/quexten/goldwarden/wiki/System%E2%80%90wide-Autotype
I can't get dbus-send --type=method_call --dest=com.quexten.Goldwarden.autofill /com/quexten/Goldwarden com.quexten.Goldwarden.Autofill.autofill
tested trying to get my password for google with goldwarden logins get www.google.com
and that works so Goldwarden seems to be accessing my bitwarden account fine
systemctl --user status goldwarden.service
● goldwarden.service - "Goldwarden daemon"
Loaded: loaded (/home/zany130/.config/systemd/user/goldwarden.service; enabled; preset: enabled)
Active: active (running) since Thu 2023-12-28 19:22:22 EST; 1min 24s ago
Main PID: 796781 (goldwarden)
Tasks: 17 (limit: 38363)
Memory: 80.4M (peak: 2.0G)
CPU: 7.039s
CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/goldwarden.service
└─796781 /usr/bin/goldwarden daemonize
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Keyring] >>> Unlocking keyring with account key
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Bitwarden API] >>> Clearing vault...
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Bitwarden API] >>> Adding 560 ciphers to vault...
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Systemauth] >>> Checking permission for goldwarden with session type com.quexten.goldwarden.accessvault
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Systemauth] >>> Permission granted from cached session
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Pinentry] >>> Asking for approval |Approve Credential Access|zany130 on alacritty>fish>goldwarden is trying to access credentials for u>
Dec 28 19:23:30 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Websocket] >>> Connected to websocket server...
Dec 28 19:23:33 Garuda-Linux goldwarden[796781]: [WRN] [19:23] [Goldwarden > Websocket] >>> Invalid message received, length too short
Dec 28 19:23:33 Garuda-Linux goldwarden[796781]: [INF] [19:23] [Goldwarden > Pinentry] >>> Got approval from user
Dec 28 19:23:39 Garuda-Linux goldwarden[796781]: [WRN] [19:23] [Goldwarden > Websocket] >>> Invalid message received, length too short
On the official servers, logins sometimes get blocked due to brute-force prevention (captcha). This can be circumvented by using the api key.
For testing (and because my desktop doesn't have biometrics), I'd like to set a non-biometric pin (password would be good enough for my case) using `goldwarden vault pin set` but I get this log:
Jan 13 20:48:09 HEPHAISTOS .goldwarden-wrapped[1385378]: [INF] [20:48] [Goldwarden > Systemauth] >>> Checking permission for .goldwarden-wra with session type com.quexten.goldwarden.accessvault
Jan 13 20:48:09 HEPHAISTOS .goldwarden-wrapped[1385378]: [INF] [20:48] [Goldwarden > Biometrics] >>> Checking biometrics for com.quexten.goldwarden.accessvault
Jan 13 20:48:09 HEPHAISTOS .goldwarden-wrapped[1385378]: [INF] [20:48] [Goldwarden > Biometrics] >>> Biometrics result: false
Installed under NixOS 24.05 (polkit enabled)
Thanks understood. It might be nice to be able to configure from the UI whether the daemon continues to run in the background or stops with the UI and whether or not it's autostarted. (That might also help to make the default behaviour a bit more obvious).
Originally posted by @baarkerlounger in #47 (comment)
Hello,
I've recently started switching to Linux and I really want to make this work, because I really enjoy using biometrics for Bitwarden on Windows. I'm running Fedora 39, and I installed both the Goldwarden rpm and flatpak. My browser of choice is Vivaldi. I setup browserbiometrics via the commandline, and it seemed to have found Vivaldi. The Goldwarden GUI shows that the SSH and Goldwarden Daemons are both running, and "Login with device" shows "Waiting for requests" and "DBUS Service" shows "Listening". The Wiki seems to tell me to just turn on browser biometrics on the browser extension from here, but it shows "Waiting confirmation from desktop" without any indication that the desktop is trying to connect. I'm unsure what to do from here.
setting up systemd fails
goldwarden setup systemd
panic: exit status 1
goroutine 1 [running]:
github.com/quexten/goldwarden/cmd.setupSystemd()
github.com/quexten/goldwarden/cmd/setup.go:83 +0x26b
github.com/quexten/goldwarden/cmd.glob..func12(0xc0000e7a00?, {0x564fa2040320?, 0x4?, 0x564fa204020e?})
github.com/quexten/goldwarden/cmd/setup.go:94 +0xf
github.com/spf13/cobra.(*Command).execute(0x564fa26de400, {0x564fa294aaa0, 0x0, 0x0})
github.com/spf13/[email protected]/command.go:944 +0x863
github.com/spf13/cobra.(*Command).ExecuteC(0x564fa26ddb60)
github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/[email protected]/command.go:992
github.com/quexten/goldwarden/cmd.Execute({0x0, 0x0, {0x0, 0x0}, 0x0, {0xc00034eed0, 0x25}, 0x0, 0x0, {0x0, ...}, ...})
github.com/quexten/goldwarden/cmd/root.go:35 +0x165
main.main()
github.com/quexten/goldwarden/main.go:65 +0x578
this is built from the latest git
sys info
inxi -b
System:
Host: Garuda-Linux Kernel: 6.5.2-273-tkg-bore-eevdf arch: x86_64 bits: 64
Desktop: KDE Plasma v: 5.27.7 Distro: Garuda Linux
Machine:
Type: Desktop Mobo: ASRock model: X470 Taichi serial: <superuser required>
UEFI: American Megatrends v: P5.10 date: 10/20/2022
CPU:
Info: 6-core AMD Ryzen 5 5600X [MT MCP] speed (MHz): avg: 4074
min/max: 550/4651
Graphics:
Device-1: AMD Navi 22 [Radeon RX 6700/6700 XT/6750 XT / 6800M/6850M XT]
driver: amdgpu v: kernel
Display: wayland server: X.org v: 1.21.1.8 with: Xwayland v: 23.2.0
compositor: kwin_wayland driver: X: loaded: amdgpu
unloaded: modesetting,radeon dri: radeonsi gpu: amdgpu resolution:
1: 2048x864 2: 1536x864 3: 1536x864
API: OpenGL v: 4.6 Mesa 23.1.7-arch1.1 renderer: AMD Radeon RX 6700 XT
(navi22 LLVM 16.0.6 DRM 3.54 6.5.2-273-tkg-bore-eevdf)
Network:
Device-1: Intel Dual Band Wireless-AC 3168NGW [Stone Peak] driver: iwlwifi
Device-2: Intel I211 Gigabit Network driver: igb
Drives:
Local Storage: total: 2.96 TiB used: 2.33 TiB (78.7%)
Info:
Processes: 530 Uptime: 1h 30m Memory: total: 32 GiB available: 31.26 GiB
used: 11.23 GiB (35.9%) Shell: fish inxi: 3.3.29
From @alba4k in #62 (comment)
On Fedora 39, I've noticed that the polkit policy will not load when selinux is set to enforcing.
From the audit log:
type=AVC msg=audit(1697115971.173:129): avc: denied { open } for pid=1046 comm="polkitd" path="/usr/share/polkit-1/actions/com.quexten.goldwarden.policy" dev="dm-0" ino=559338 scontext=system_u:system_r:policykit_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
So I get the sudo prompt when trying to setup the pin. Then I get the following error.
Pin updating failed: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "
Right now you have to type the entry that you are looking for. In wayland, there is no direct way to get the active window title, but goldwarden could make use of window-manager specific dbus APIs, in order to retrieve the active window title.
It used to be that the Flatpak would detect my account from the system installed in Goldwarden. However, it is no longer doing this.
Furthermore, I can't even log in using the flatpak as I get stuck in this window and the login button does nothing
System goldwarden (AUR)
Name : goldwarden
Version : 0.2.9-1
Flatpak
Goldwarden com.quexten.Goldwarden 0.2.9 stable flathub user
System
Operating System: Garuda Linux
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.114.0
Qt Version: 5.15.12
Kernel Version: 6.7.0-3-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 5600X 6-Core Processor
Memory: 31.3 GiB of RAM
Graphics Processor: AMD Radeon RX 6700 XT
Hi,
I got the impression that goldwarden integrates with Secret service?
This is from it integrating with the desktop environment, and from a comment on bitwarden forum.
However, I don't see it on the dbus, so, is secret service/libsecret supported?
In that case, any suggestion on how to troubleshoot it missing?
And otherwise, I would like to add a feature request for it.
If you have a specific feature from the 1password quick access menu,
I guess it would be configurable shortcuts for copying the username, password and totp (which ig isn't present yet) just because I'm used to the 1Password shortcuts, but then again, I can see myself getting used to this too.
[...]
Originally posted by @mufeedali in #46 (comment)
It is working as intended with Firefox, but not with Brave.
It says:
"Browser integration is not set up in the Bitwarden desktop application. Please set it up in the settings within the desktop application."
The NativeMessagingHosts directory is present and had a 1Password-generated json file. But nothing from Bitwarden.
it seems like the GUI in the flatpak doesn't like KDE display scaling settings
installed the flatpak from flatpak install --user https://dl.flathub.org/build-repo/72997/com.quexten.Goldwarden.flatpakref
Screens
=======
Active screen follows mouse: yes
Number of Screens: 3
Screen 0:
---------
Name: DP-1
Enabled: 1
Geometry: 2932,677,2048x864
Scale: 1.25
Refresh Rate: 74991
Adaptive Sync: automatic
Screen 1:
---------
Name: DP-2
Enabled: 1
Geometry: 0,0,1396x785
Scale: 2.75
Refresh Rate: 120000
Adaptive Sync: always
Screen 2:
---------
Name: HDMI-A-2
Enabled: 1
Geometry: 1396,355,1536x864
Scale: 1.25
Refresh Rate: 74973
Adaptive Sync: automatic
Operating System: Garuda Linux
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.113.0
Qt Version: 5.15.11
Kernel Version: 6.6.8-1-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 5600X 6-Core Processor
Memory: 31.3 GiB of RAM
Graphics Processor: AMD Radeon RX 6700 XT
Right now I'm only maintaining dvorak & qwerty as layouts for autotype. Alternatively, the pasting option can be used (in some applications). If anyone needs additional layouts, feel free to clone the qwerty layout, make modifications, and submit it as a pull request.
Some documentation on how to get started with contributing would be great to have
It should be possible to use the screencast portal for autotype. This would enable autotype across X11 and Wayland, same as the current uinput based option, but also not require root (/ access to uinput) and handle keyboard layouts.
When the refresh token expires, goldwarden sends a sync error notification. Since this regularly occurs and is expected, the notification should only show after repeated sync errors.
The global hotkey portal should be used to activate autofill, instead of requiring a dbus message.
`goldwarden setup` should not be required, instead the package managers should take care of the setup.
Hi,
tried goldwarden today and get the following error:
/app/bin/monitors/dbus_autofill_monitor.py:4: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '4.0') before import to ensure that the right version gets loaded.
from gi.repository import Gtk
IS daemon running False
running daemon
Failed err None
Flatpak Config directory: /home/#MYUSER#/.var/app/com.quexten.Goldwarden/config/goldwarden.json
[INF] [14:31] [Goldwarden > Keyring] >>> Creating new memguard keyring
[INF] [14:31] [Goldwarden > Agent] >>> Agent listening on /home/#MYUSER#/.var/app/com.quexten.Goldwarden/data/goldwarden.sock...
Blocking, press ctrl+c to continue...
[INF] [14:31] [Goldwarden > SSH] >>> SSH Agent listening on /home/#MYUSER#/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
[WRN] [14:31] [Goldwarden > Agent] >>> Could not monitor idle: org.freedesktop.DBus.Error.ServiceUnknown
autostart enabled..!?
(':1.55', '/org/freedesktop/portal/desktop/request/1_2174/com/quexten/Goldwarden/10748674', 'org.freedesktop.portal.Request', 'Response', GLib.Variant('(ua{sv})', (0, {'background': <true>, 'autostart': <true>})), None)
/app/bin/settings.py:34: DeprecationWarning: Adw.ActionRow.set_icon_name is deprecated
self.ssh_row.set_icon_name("emblem-default")
[INF] [14:31] [Goldwarden > Pinentry] >>> Asking for pin |Unlock Goldwarden|Enter the vault PIN|
[INF] [14:31] [Goldwarden > Pinentry] >>> Got pin from user
[INF] [14:31] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [14:31] [Goldwarden > Auth] >>> Refreshing token
[INF] [14:31] [Goldwarden > Auth] >>> Refreshing using refresh token
[INF] [14:31] [Goldwarden > Auth] >>> Token refreshed
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Performing full sync...
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Sync successful, initializing keyring and vault...
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Reading 1 org keys...
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Initializing keyring from user symmetric key...
[INF] [14:31] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Clearing vault...
[INF] [14:31] [Goldwarden > Bitwarden API] >>> Adding 282 ciphers to vault...
panic: cipher.NewCBCDecrypter: IV length must equal block size
goroutine 53 [running]:
crypto/cipher.NewCBCDecrypter({0x9f0510, 0xc0002ef8f0}, {0x0, 0x0, 0x0})
/opt/hostedtoolcache/go/1.20.12/x64/src/crypto/cipher/cbc.go:122 +0xcc
github.com/quexten/goldwarden/agent/bitwarden/crypto.DecryptWith({0x0, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}}, ...)
/home/runner/work/goldwarden/goldwarden/agent/bitwarden/crypto/encstring.go:159 +0x2df
github.com/quexten/goldwarden/agent/vault.(*Vault).isSSHKey(_, {0x2, 0xc0000c1130, {0x2, {0xc000366228, 0x10, 0x12}, {0xc000366240, 0x10, 0x12}, ...}, ...})
/home/runner/work/goldwarden/goldwarden/agent/vault/vault.go:147 +0x338
github.com/quexten/goldwarden/agent/vault.(*Vault).AddOrUpdateSecureNote(_, {0x2, 0xc0000c1130, {0x2, {0xc000366228, 0x10, 0x12}, {0xc000366240, 0x10, 0x12}, ...}, ...})
/home/runner/work/goldwarden/goldwarden/agent/vault/vault.go:82 +0x165
github.com/quexten/goldwarden/agent/bitwarden.DoFullSync({0x9f1248, 0xc0006a80f0}, 0xc0001b0230, 0xd04178?, 0xc00045bc48, 0x1)
/home/runner/work/goldwarden/goldwarden/agent/bitwarden/sync.go:72 +0x6c5
github.com/quexten/goldwarden/agent/actions.handleUnlockVault({0xc00011a678?, {0x8?, 0xc0002b8005?, 0xa?}}, 0xc0001856c0, 0xc0001b0230, 0xc0002ba143?)
/home/runner/work/goldwarden/goldwarden/agent/actions/vault.go:78 +0x42e
github.com/quexten/goldwarden/agent.serveAgentSession({0x9f35f0, 0xc000292018}, {0x0?, 0x0?}, 0x0?, 0x0?)
/home/runner/work/goldwarden/goldwarden/agent/unixsocketagent.go:67 +0x252
created by github.com/quexten/goldwarden/agent.StartUnixAgent.func8
/home/runner/work/goldwarden/goldwarden/agent/unixsocketagent.go:283 +0x55
quitting goldwarden daemon
daemon running
Exception in thread Thread-1 (unlock):
Traceback (most recent call last):
File "/usr/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
self.run()
File "/usr/lib/python3.11/threading.py", line 982, in run
self._target(*self._args, **self._kwargs)
File "/app/bin/goldwarden.py", line 83, in unlock
raise Exception("Failed to initialize repository, err", result.stderr)
Exception: ('Failed to initialize repository, err', 'Flatpak Config directory: /home/#MYUSER#/.var/app/com.quexten.Goldwarden/config/goldwarden.json\npanic: interface conversion: interface {} is nil, not messages.IPCMessage\n\ngoroutine 1 [running]:\ngithub.com/quexten/goldwarden/client.UnixSocketClient.SendToAgent({0x0?}, {0x8ba120, 0xd04178})\n\t/home/runner/work/goldwarden/goldwarden/client/unixsocketclient.go:63 +0x269\ngithub.com/quexten/goldwarden/cmd.glob..func23(0xc95a60?, {0x92c626?, 0x0?, 0x0?})\n\t/home/runner/work/goldwarden/goldwarden/cmd/vault.go:24 +0x3a\ngithub.com/spf13/cobra.(*Command).execute(0xc95a60, {0xd04178, 0x0, 0x0})\n\t/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0xa91\ngithub.com/spf13/cobra.(*Command).ExecuteC(0xc93ac0)\n\t/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x425\ngithub.com/spf13/cobra.(*Command).Execute(...)\n\t/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039\ngithub.com/quexten/goldwarden/cmd.Execute({0x0, 0x0, {0x0, 0x0}, 0x0, {0xc000168140, 0x45}, 0x0, 0x0, {0x0, ...}, ...})\n\t/home/runner/work/goldwarden/goldwarden/cmd/root.go:35 +0x1fb\nmain.main()\n\t/home/runner/work/goldwarden/goldwarden/main.go:83 +0x978\n')
I use the latest vaultwarden release as server.
OS: Manjaro Gnome
Enabled device=all for fido2 (nitrokey 3A)
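The panic in the log above is raised by cipher.NewCBCDecrypter when it is handed an empty IV (the `{0x0, 0x0, 0x0}` slice in the trace). The following Go code is an added example, not Goldwarden's own code: encField, decryptField and encryptField are hypothetical names, the key and IV are constructed, and any MAC verification the real format performs is left out. It shows the length checks that turn a malformed field into an error the sync loop can skip.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// encField is a hypothetical stand-in for one AES-CBC encrypted vault field.
type encField struct{ IV, CT []byte }
var errMalformed = errors.New("malformed encrypted field")

// decryptField rejects lengths that make crypto/cipher panic (IV != block size, partial blocks).
func decryptField(key []byte, f encField) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(f.IV) != aes.BlockSize {
		return nil, fmt.Errorf("%w: IV is %d bytes, want %d", errMalformed, len(f.IV), aes.BlockSize)
	}
	if len(f.CT) == 0 || len(f.CT)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("%w: ciphertext is %d bytes", errMalformed, len(f.CT))
	}
	pt := make([]byte, len(f.CT))
	cipher.NewCBCDecrypter(block, f.IV).CryptBlocks(pt, f.CT)
	pad := int(pt[len(pt)-1]) // PKCS#7: the last byte gives the padding length
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("%w: bad padding", errMalformed)
	}
	return pt[:len(pt)-pad], nil
}

// encryptField builds constructed sample input; it expects a valid AES key and a 16-byte IV.
func encryptField(key, iv, msg []byte) encField {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	msg = append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, msg)
	return encField{IV: iv, CT: ct}
}

func main() {
	key, iv := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 16) // constructed values
	fmt.Println(decryptField(key, encryptField(key, iv, []byte("ssh-key note")))) // round trip
	fmt.Println(decryptField(key, encField{}))                                    // empty field: error, no panic
}
```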
While troubleshooting #35, I noticed I am unable to access my Bitwarden vault anymore.
goldwarden vault status
{
  "locked": false,
  "loginEntries": 0,
  "noteEntries": 0,
  "lastSynced": "1969-12-31 19:00:00 -0500 EST",
  "websocketConnected": false,
  "pinSet": false,
  "loggedIn": false
}
goldwarden vault login --email [email protected]
Login failed: No pin set. Set a pin first!
╭─zany130@garuda in ~ via v3.11.6 took 4ms
╰─λ goldwarden vault pin set
Pin updating failed: pinentry: unexpected response: "S ERROR gtk2.isatty 83918950
pacman -Qi goldwarden
Name : goldwarden
Version : 0.2.6-1
flatpak info com.quexten.Goldwarden
Goldwarden - A Bitwarden compatible desktop client
ID: com.quexten.Goldwarden
Ref: app/com.quexten.Goldwarden/x86_64/test
Arch: x86_64
Branch: test
Version: 0.2.5
License: MIT
Origin: goldwarden-origin
Collection: org.flathub.Test.Build72997
Installation: user
Installed: 9.5 MB
Runtime: org.gnome.Platform/x86_64/45
Sdk: org.gnome.Sdk/x86_64/45
Commit: 193d26166b1d679d17ae26799cbbb9ef5c4a6e636d3b48b6014505088386adb5
Subject: Update com.quexten.Goldwarden.yml to v0.2.5 (2a8452e2)
Date: 2023-12-28 22:31:43 +0000
Operating System: Garuda Linux
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.113.0
Qt Version: 5.15.11
Kernel Version: 6.6.8-1-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 5600X 6-Core Processor
Memory: 31.3 GiB of RAM
Graphics Processor: AMD Radeon RX 6700 XT
Great project, would mostly solve https://community.bitwarden.com/t/support-for-libsecrets-dbus-api
However, when trying to get this set up, I got
goldwarden vault login --email ************
Login failed: Could not login: could not pre-login: Post "/accounts/prelogin": unsupported protocol scheme ""
goldwarden daemonize
[INF] [12:45] [Goldwarden > Agent] >>> Agent listening on /home/zany130/.goldwarden.sock...
[INF] [12:45] [Goldwarden > SSH] >>> SSH Agent listening on /home/zany130/.goldwarden-ssh-agent.sock
[INF] [12:47] [Goldwarden > Systemauth] >>> Asking for pin |Unlock Goldwarden|Enter the vault PIN|
[INF] [12:47] [Goldwarden > Systemauth] >>> Got pin from user
[ERR] [12:50] [Goldwarden > Bitwarden API] >>> Could not get auth request: Get "/auth-requests/": unsupported protocol scheme ""
built from latest git
some sys info
inxi -b
System:
Host: Garuda-Linux Kernel: 6.5.2-273-tkg-bore-eevdf arch: x86_64 bits: 64
Desktop: KDE Plasma v: 5.27.7 Distro: Garuda Linux
Machine:
Type: Desktop Mobo: ASRock model: X470 Taichi serial: <superuser required>
UEFI: American Megatrends v: P5.10 date: 10/20/2022
CPU:
Info: 6-core AMD Ryzen 5 5600X [MT MCP] speed (MHz): avg: 3602
min/max: 550/4651
Graphics:
Device-1: AMD Navi 22 [Radeon RX 6700/6700 XT/6750 XT / 6800M/6850M XT]
driver: amdgpu v: kernel
Display: wayland server: X.org v: 1.21.1.8 with: Xwayland v: 23.2.0
compositor: kwin_wayland driver: X: loaded: amdgpu
unloaded: modesetting,radeon dri: radeonsi gpu: amdgpu resolution:
1: 2048x864 2: 1536x864 3: 1536x864
API: OpenGL v: 4.6 Mesa 23.1.7-arch1.1 renderer: AMD Radeon RX 6700 XT
(navi22 LLVM 16.0.6 DRM 3.54 6.5.2-273-tkg-bore-eevdf)
Network:
Device-1: Intel Dual Band Wireless-AC 3168NGW [Stone Peak] driver: iwlwifi
Device-2: Intel I211 Gigabit Network driver: igb
Drives:
Local Storage: total: 2.96 TiB used: 2.33 TiB (78.7%)
Info:
Processes: 556 Uptime: 1h 13m Memory: total: 32 GiB available: 31.26 GiB
used: 11.46 GiB (36.7%) Shell: fish inxi: 3.3.29
I noticed that the commands on the Getting Started page do not properly reference the vault command.
E.g.:
goldwarden set pin, but the command that I had to use was goldwarden vault pin set.
goldwarden login --email <email>, but I had to use goldwarden vault login --email <email>
Installed version:
Use prf for fido2 single sign on
So, the workflow is - as far as I can tell - the same: Boot -> enter password/(pin) 1x -> use system auth (all the time)
Something must be wrong with my setup then. For me, whenever the vault auto locks, I have to type the pin again. I'll test more thoroughly and let you know.
Originally posted by @mufeedali in #46 (reply in thread)
Hey, it's me again!
I think the browser biometrics do not work in goldwarden (in contrast to bw-bio-handler, where they work flawlessly).
One part of the problem could be (just a guess, though) that you set the AppID to com.8bit.bitwarden here, but to com.quexten.bw-bio-handler here.
But sadly, this doesn't seem to fix it for me; the BW chromium addon always tells me that "the browser integration in the Bitwarden Desktop app has not been activated", which is why I didn't open a PR for this yet.
Do you maybe have an idea what else the underlying problem could be?
I tried it out and it worked! The only problem I'm finding now is that my vault keeps getting corrupted like in this issue: https://github.com/quexten/goldwarden/issues/38. The vault purge and log in step fixed it, but I had to do it 2 or 3 times.
Originally posted by @Anthony-Fiddes in #37 (comment)
We could implement system wide passkey support using a virtual ctap2 authenticator such as:
https://github.com/r4gus/keylib