Table of Content

• CLI for the KDE Wallet
• • Download
  • Ingredients
  • • Wishlist
• Packaging
• • Dependencies
• Language Bindings
• • C binding
  • Python binding (external)
  • Shell binding
• Security
• Users

Homepage of the Command-Line Interface to the KDE Wallet. Get the Logo (SVG).

CLI for the KDE Wallet

What's it? A command-line interface to the KDE Wallet, for KDE 3 and KDE 4 both (so shell scripts, Python, etc. do not need to use DCOP or D-Bus to access it to store passwords). Please read the wlog entry announcing kwalletcli public beta test for some more background information. Currently, only the default wallet is supported; while the CLI itself could be enhanced by a selection, the utilities also provided cannot really expose this functionality.

kwalletcli is OSI Certified

Download

Current version: kwalletcli 2.02 (2010-03-03)

• RMD160 (kwalletcli-2.02.tar.gz) = cd16f18f043f6e69bb880c2195f8d5cf55d56c74
• TIGER (kwalletcli-2.02.tar.gz) = 718648351d8ae808300ae0055c86f23b87a49ac2fe79d23e
• 319340280 56900 /MirOS/dist/hosted/kwalletcli/kwalletcli-2.02.tar.gz
• MD5 (kwalletcli-2.02.tar.gz) = 015252dcec6ce2db3a335e8a6c57b469
• Mirrors
• Germany
• Japan

Ingredients

The kwalletcli distfile provides a number of things:

• A LICENCE file. kwalletcli is covered by The MirOS Licence; the logo is additionally LGPL v3+ (both OSI certified, DFSG free, etc.)
• An SVG logo and a few compiled PNG versions.
• The CLI itself (binary). The manual page (HTML): kwalletcli(1)
• An ssh-askpass(1) alike tool called kwalletaskpass(1), which provides some kind of SSO by storing the SSH private key passphrase in the KDE Wallet (mksh(1) script)
• An pinentry alike tool called pinentry-kwallet(1) which provides some kind of SSO by storing pinentry replies, once given (it calls the original pinentry-{qt,gtk,curses} as coprocess), in the KDE Wallet and providing them to e.g. the GnuPG agent (mksh script)
• A pinentry (Assuan protocol) client called kwalletcli_getpin(1) which is used to request information from the user which is not yet stored in the KDE Wallet, as well as confirmation whether it should be stored there (script)

Wishlist

Possible extensions include gnome-keyring bindings as well as some for the new KDE/GNOME intra-desktop keyring/wallet standard talking D-Bus instead of using the libkwalletclient convenience libraries; support for selecting a non-default keyring; more utilities on top of kwalletcli(1) (e.g. a libpurple plugin, and means for M*zilla Firef*x to use it to store passwords in the Wallet).

Packaging

Debian has a kwalletcli (KDE 4) package in squeeze/sid, and it will be released with Debian 6.0 when it's ready. The backports repository will soon contain a kwalletcli (KDE 3) package for lenny.

Suggested packaging: MidnightBSD mports (for they provide KDE anyway), OpenSuSE Build Service (RPM for many platforms), etc.
If KDE (upstream) desires, they may include it (under The MirOS Licence) in their distribution, even.

Dependencies

Either Qt3 and KDE3, or Qt4 and KDE4, development headers and libraries, and the matching compiler (gcc/g++ is tested, others are not). Either MirMake (MirBSD make(1)) or GNU make. For the scripts, mksh R38+ is a run-time dependency. The manpages require nroff/gnroff and the -mdoc macropackage to compile. The HTML manpages can only be re-made on MirBSD.

Language Bindings

C binding

See the source file kwalletcli.h for details. This is the source-level C binding API (function kw_io() and a couple of return value definitions) that can be re-used. There is no C++ binding, because the high-level KWallet API is already C++, although, for ease of use, the C binding can be used from others' C++ code as well.

Python binding (external)

There's a sample Python 2 binding (we don't know which exact minimum version is required) contributed to the Gajim source code (dual-licenced under the same licence as Gajim (GPLv3 only), as well as the same licence (MirOS) as kwalletcli). The binding was originally written by the author of kwalletcli, sponsored by tarent GmbH, as well.

• initial submission
• the code (maintained inside the Gajim repository, as most prominent user of it; bugfixed by Yann “asterix” Leboulanger once already, thanks!
• usage example (again, Gajim code)

Note that the Python binding uses subprocess.Popen() and the Shell binding to do the actual work.

Shell binding

The kwalletcli(1) manpage provides a documentation of the shell binding. The other utilities part of the distribution, as well as the Python binding, serve as usage examples.

Security

Passwords can, of course, only be accessed if the KDE Wallet is opened. Hence, the on-disc security of the passwords is the same as for all other applications using it. We make no statement on its security (the GnuPG mailing lists have some flamewars about it), but if this is “enough” for you (or, if you are a company sysadmin, your boss), you're welcome. On the other hand, since the KDE pop-up will only show “kwalletcli”, not the application/script using it, when it asks whether access to the Wallet is to be permitted, password stealing by untrusted-local applications is easier (but if you have these, you have totally different problems anyway). Hence, we suggest to “allow always” access for kwalletcli(1) and take the usual care when installing and running applications from third parties.

If you turn “iodebug” in pinentry-kwallet on, it will log the entire dialogue with both parent and co-process, including passwords, to a file in your home directory. (This can only be done by editing the script directly.)

Users

The Gajim Jabber client supports kwalletcli, by means of the Python binding, for storing Jabber passwords in the KDE Wallet in an encrypted manner, since version 0.13 (committed after some discussion; Gajim already supported gnome-keyring though).

tarent GmbH, which sponsored development of kwalletcli, has been using it to make the live of its employees on their GNU/Linux desktops easier, since mid-2009.