Table of Content

• Table of Content
• CLI for the KDE Wallet
  • Download
  • Ingredients
    • Wishlist
• Packaging
  • Dependencies
• Language Bindings
  • C binding
  • Python binding (external)
  • Shell binding
  • Python example (contrib)
• Security
• Users
• ChangeLog

Homepage of the Command-Line Interface to the KDE Wallet. Get the Logo (SVG).

CLI for the KDE Wallet

What's it? A command-line interface to the KDE Wallet, for KDE 3, KDE 4 and KF5 (so shell scripts, Python, etc. do not need to use DCOP or D-Bus directly to access it to store passwords, instead being able to call this convenient wrapper). KF5 does come with a kwallet-query utility, however, it requires the caller to know the name of the default wallet, which most scripts won’t know, and lacks kwalletcli’s extra utilities.

Please read the wlog entry announcing kwalletcli public beta test for some more background information. Currently, only the default wallet is supported; while the CLI itself could be enhanced by a selection, the utilities also provided cannot really expose this functionality.

kwalletcli is OSI Certified

Download

Current version: kwalletcli 3.03 (2021-01-25)

• SHA256 (kwalletcli-3.03.tar.gz) = f228e5b179f6eb92289b9635382e676990dd58cd193ce42b61d3150c8a06b12d
• RMD160 (kwalletcli-3.03.tar.gz) = 5369b1058870014f3a14cff6d9cf514a9cee0539
• TIGER (kwalletcli-3.03.tar.gz) = 0ec20533474f86924fd0e235ff8d60e9c948e91cd1bb4c61
• 2659416923 65189 /MirOS/dist/hosted/kwalletcli/kwalletcli-3.03.tar.gz
• MD5 (kwalletcli-3.03.tar.gz) = ef98d7a9a8702d555135cd2c372a15ab
• Mirrors
• Germany
• Japan

Ingredients

The kwalletcli distfile provides a number of things:

• A LICENCE file. kwalletcli is covered by The MirOS Licence (HTML transcript with inofficial German translation); the logo is additionally restricted by the Terms and Conditions of the GNU LGPL v3+ (both licences are OSI certified, DFSG free, etc.)
• An SVG logo and a few compiled PNG versions.
• The CLI itself (binary). The manual page (HTML): kwalletcli(1)
• An ssh-askpass(1) alike tool called kwalletaskpass(1), which provides some kind of SSO by storing the SSH private key passphrase in the KDE Wallet (mksh(1) script)
• An pinentry alike tool called pinentry-kwallet(1) which provides some kind of SSO by storing pinentry replies, once given (it calls the original pinentry-{qt,gtk,curses} as coprocess), in the KDE Wallet and providing them to e.g. the GnuPG agent (mksh script)
• A pinentry (Assuan protocol) client called kwalletcli_getpin(1) which is used to request information from the user which is not yet stored in the KDE Wallet, as well as confirmation whether it should be stored there (script) and serves as generic pinentry/Assuan client as well

Wishlist

Possible extensions include gnome-keyring bindings as well as some for the new KDE/GNOME intra-desktop keyring/wallet standard talking D-Bus instead of using the libkwalletclient convenience libraries; support for selecting a non-default keyring; more utilities on top of kwalletcli(1) (e.g. a libpurple plugin, and means for M*zilla Firef*x, Opera and other desktop software to use it to store passwords in the Wallet).

Bring Qt and KDE projects to agree about KWallet::Wallet::openWallet vs. QApplication::desktop()->screen()->winId() deprecation!

Packaging

Debian has a kwalletcli (KDE 4) package from squeeze to jessie. The lenny-backports repository contains a kwalletcli (KDE 3) package. Debian stretch and newer ship a kwalletcli compiled for KF5; KDE 3/4 packages are available from the “WTF” APT repository (not official Debian). It is also packaged for Arch Linux, Slackware, several Gentoo portage overlays, in home:syeg on the OpenSuSE buildservice (various RPMs), for Chakra Linux, RHEL, and Fedora. Suggested packaging: various BSDs’ ports framework (MidnightBSD provides KDE anyway, others will also do), etc. — If the KDE (upstream) project desires, they may include it (under the licence included) in their framework and ship it by default.

Dependencies

Either Qt3 and KDE3, or Qt4 and KDE4, or Qt5 and KF5, development headers and libraries, and the matching compiler (gcc/g++ is tested, others are not). Either MirMake (MirBSD make(1)) or GNU make. For the scripts, mksh R38+ is a run-time dependency. The manpages require nroff/gnroff and the -mdoc macropackage to compile. The HTML manpages can only be re-made on MirBSD.

Language Bindings

C binding

See the source file kwalletcli.h for details. This is the source-level C binding API (function kw_io() and a couple of return value definitions) that can be re-used. There is no C++ binding, because the high-level KWallet API is already C++, although, for ease of use, the C binding can be used from others' C++ code as well.

Python binding (external)

There's a sample Python 2 binding (we don't know which exact minimum version is required) contributed to the Gajim source code (dual-licenced under the same licence as Gajim (GPLv3 only), as well as the same licence (MirBSD) as kwalletcli). The binding was originally written by the author of kwalletcli as well.

• initial submission
• the code (used to be maintained inside the Gajim repository, as most prominent user of it; bugfixed by Yann “asterix” Leboulanger once already, thanks!; now removed because Gajim switched to libsecret to access more different wallet types)
• usage example (again, Gajim code)

Note that the Python binding uses subprocess.Popen() and the Shell binding to do the actual work.

Shell binding

The kwalletcli(1) manpage provides a documentation of the shell binding. The other utilities part of the distribution, as well as the Python binding, serve as usage examples.

Python example (contrib)

This is a user-contributed example in Python, submitted by Stephen McIntosh:

import kwalletbinding as kw
def operation():
    op = raw_input("Add or Read? ")
    return op
def addpass():
    kw.kwallet_put('kdewalletcli',
      raw_input("Name: "),
      raw_input("Password: "))
    print("...\nDone!")
def getpass():
    readpass = kw.kwallet_get('kdewalletcli',
      raw_input("Name: "))
    print "...\nThe password is: " + readpass

if kw.kwallet_available():
    op = operation()
    if op.lower() == "add":
        addpass()
    else:
        getpass()
else:
    print "KDE Wallet not available!"

(edited slightly for legibility)

Security

Passwords can, of course, only be accessed if the KDE Wallet is opened. Hence, the on-disc security of the passwords is the same as for all other applications using it. We make no statement on its security (the GnuPG mailing lists have some flamewars about it), but if this is “enough” for you (or, if you are a company sysadmin, your boss), you're welcome. On the other hand, since the KDE pop-up will only show “kwalletcli”, not the application/script using it, when it asks whether access to the Wallet is to be permitted, password stealing by untrusted-local applications is easier (but if you have these, you have totally different problems anyway). Hence, we suggest to “allow always” access for kwalletcli(1) and take the usual care when installing and running applications from third parties.

If you turn “iodebug” in pinentry-kwallet on, it will log the entire dialogue with both parent and co-process, including passwords, to a file in your home directory. (This can only be done by editing the script directly, which is why we refrain from warning the user in a dialogue, as an attacker can also remove that warning.)

Users

The “Gajim” Jabber client supported kwalletcli, by means of the Python binding, for storing Jabber passwords in the KDE Wallet in an encrypted manner, from version 0.13 (committed after some discussion; Gajim already supported gnome-keyring) to 0.16.9, when they switched to another keyring-abstracting library.

ChangeLog

kwalletcli 3.03

• Use ${PKG_CONFIG} instead of hard-coding pkg-config for KF5 build to allow cross-compiling; thanks Helmut Grohne!
• Update manpages to latest portmdoc
• Small metadata updates and warning fixes

kwalletcli 3.02

• Fix over-britpicking in manpages (a computer program is, unlike a youth programme or TV schedule, not spelt “programme”)
• Make the manpages compatible with recent GNU groff releases

kwalletcli 3.01

• Improve kwalletcli(1) manpage, adding an example of using it directly from the command line, and emphasising that only the default Wallet can be addressed; hopefully, this implies strongly enough that the folder/entry structure is inside the Wallet; requested by Tomas Pospisek

kwalletcli 3.00

• Merge back from Debian packaging: add CXXFLAGS to CXX link invocation
• Make the manual pages more portable (add our portmdoc)
• Do not close stdin/stdout/stderr when calling other utilities
• Add KF5 (KDE 5) and Qt5 support
• Apply spelling fixes suggested by lintian

kwalletcli 2.12

• Remove unused code from BSDmakefile, for better portability
• Apply patches from Timo Weingärtner to add recognition for git's question and ssh-agent-filter's confirmation
• Whitespace cleanup; add list of contributors to LICENCE file

kwalletcli 2.11

• Correct exit code for when the read routines die
• Catch signals and terminate gracefully
• Better protocol compliance
• Be more strict when parsing commands
• Quell warning for “GETINFO version”
• Prevent converting underscores into accelerator markings
• Document currently used exit codes
• Add CAVEATS to manual pages

kwalletcli 2.10

• In pinentry-kwallet(1), replace with the slave immediately if $DISPLAY is unset or empty (as we cannot contact the KDE Wallet in that case, anyway). Fixes another case of spurious “Do you want to store … in the KDE Wallet?” questions.
• Fix mis-read in recursive call case (parent, not slave).
• Align look and feel of fallbacks (both xmessage and TUI) with default pinentry GUI style
• kwalletcli_getpin(1) new options -m (message, with one button); -Y OK and -N Cancel (set button labels)
• Security fix in kwalletcli_getpin(1): tty I/O now properly disables echoing input when asking for a passphrase
• After scanning through ssh(1) and ssh-askpass(1) source, teach kwalletaskpass(1) to use boolean queries for some whitelisted strings and check it works with confirmation (Debian #603910)
• Store negative replies to “Do you want to store X in the KDE Wallet?” as “blacklist” in the wallet in kwalletaskpass(1) and pinentry-kwallet(1) to avoid asking the user every time
• Document limits and raise kwalletcli(1) -P limit
• Have kwalletcli(1) convert passwords from/to proper UTF-8 for Qt

kwalletcli 2.03

• Fix building the kwalletcli binary with indirect linking; patch from Felix Geyer <debfx＠Debian derivate from Canonical that cannot be named.com>
• In kwalletaskpass(1), do not even attempt to call kwalletcli(1) if $DISPLAY is unset or empty, it will not be able to communicate with it anyway. Fixes spurious “Do you want to store … in the KDE Wallet?” questions when logged in via ssh(1).
• Small documentation improvements, mostly re. $DISPLAY