From ea49cbf65de1b3561512c1760f33792c9dc3f424 Mon Sep 17 00:00:00 2001 From: Marco Trevisan Date: Wed, 22 Nov 2023 20:07:54 +0100 Subject: [PATCH 1/3] snap: Do not require password-manager-service The snap uses now a local and confined password manager, so it won't ever try to access to the system one. As per this disable the plug that could be a security hole.
---
 snap/snapcraft.yaml | 1 - 1 file changed, 1 deletion(-)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 3c800122ec..8936c071c3 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -69,7 +69,6 @@ apps:
 - network
 - network-bind
 - network-observe
- - password-manager-service
 - pulseaudio
 - removable-media
 - screen-inhibit-control
From b81b81140cb1eea36360c66ad006b3d3f9e2f93b Mon Sep 17 00:00:00 2001 From: Marco Trevisan Date: Wed, 22 Nov 2023 20:10:44 +0100 Subject: [PATCH 2/3] snap: Use libsecret storage in all the environments When mailspring is confined it will only be able to access to the password storage via libsecret and that will save the data locally using the file storage. As per this, don't make electron to use some other passwor storage backend when running in different desktop environments.
---
 snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 8936c071c3..841dcb168c 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -45,7 +45,7 @@ parts:
 apps:
 mailspring:
- command: usr/bin/mailspring --no-sandbox
+ command: usr/bin/mailspring --no-sandbox --password-store=gnome-libsecret
 common-id: mailspring
 desktop: usr/share/applications/Mailspring.desktop
 extensions: [gnome]
From 10dd8c93641599b1a9d33164a178689519dbd911 Mon Sep 17 00:00:00 2001
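Review bot: The new `--password-store=gnome-libsecret` on the `command:` line changes where credentials are looked up on desktops where Electron previously selected a different backend, and nothing visible in the hunk migrates them or tells the user. Presumably those accounts will prompt for their passwords again after the update; that is worth confirming and stating in the release notes. The line also carries no comment, so the reason for pinning the backend lives only in the commit message; I would add above it `# Pin libsecret: under confinement only the snap-local secret store is reachable.` The `--no-sandbox` flag already on this line is unchanged by the commit, and the `mailspring:` entry continues outside the hunk.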
From: Marco Trevisan Date: Wed, 22 Nov 2023 20:14:16 +0100 Subject: [PATCH 3/3] snap: Force using the file secret backend everywhere This is already the case for the snap in most scenarios, but in some this could not happen if no secret portal is available in the system. In such cases, let's still force using a local secret backend.
---
 snap/snapcraft.yaml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 841dcb168c..26516c2f70 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -56,6 +56,9 @@ apps:
 TMPDIR: $XDG_RUNTIME_DIR
 # Fallback to XWayland if running in a Wayland session.
 DISABLE_WAYLAND: 1
+ # Force using the libsecret local backend in all the cases, even if no
+ # portal is detected.
+ SECRET_BACKEND: file
 plugs:
 - avahi-observe
 - browser-support
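Review bot: The comment added above `SECRET_BACKEND: file` does not say how the local store is protected when no secret portal is available, which is exactly the case the commit message targets. As far as I know libsecret's file backend obtains the secret that encrypts the keyring file from the portal when confined, so without one the store may fail to open rather than fall back; this should be confirmed on a system without a portal. With the `password-manager-service` plug removed earlier in this series there is no other store left to fall back to. I would extend the comment along the lines of `# The key protecting the file comes from the secret portal when one exists (TODO: confirm behaviour without it).` The enclosing mapping starts outside the hunk.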