Former Member
5 years ago
Keyring isn't suid on nixos
Hi, I'm running nixos and my 1password-keyringhelper isn't suid.
So I get this error:
```
[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
Permissions found: EUID: 1000, EGID: 100
```
I tried security.wrappers
```
security.wrappers = {
  "1Password-KeyringHelper" = {
    source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
    setuid = true;
    group = "onepassword";
  };
};
```
neither worked
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided
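As an added example (not code from 1Password or from anyone in this thread), the following audits a helper binary for the condition behind the error above: whether it would actually start with EUID 0. The paths passed to it are supplied by the caller; on NixOS, `security.wrappers` installs its wrappers under `/run/wrappers/bin`, so that copy and the one in the store path are the two worth comparing.

```python
import os
import stat

def audit_setuid_helper(path):
    """Classify a helper binary; returns (verdict, details)."""
    try:
        st = os.stat(path)  # follows symlinks, as exec does
    except FileNotFoundError:
        return "missing", {}
    mode = stat.S_IMODE(st.st_mode)
    details = {
        "owner_uid": st.st_uid,
        "mode": oct(mode),
        # On a nosuid mount the kernel ignores the setuid bit entirely.
        "nosuid_mount": bool(os.statvfs(path).f_flag & os.ST_NOSUID),
    }
    if not mode & stat.S_ISUID:
        # Runs with the caller's EUID: the "EUID: 1000" case in the error.
        return "not-setuid", details
    if st.st_uid != 0:
        # setuid switches to the file owner, so a non-root owner never gives EUID 0.
        return "setuid-non-root", details
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A setuid-root file that others can modify is a privilege-escalation risk.
        return "setuid-root-writable", details
    return "ok", details

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:  # paths are chosen by the caller (assumption)
        print(p, *audit_setuid_helper(p))
```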
52 Replies
- Former Member
Hello @Savanni, @DAlperin,
thanks for your work/testing on it I have checked out the PR as well locally and I'm really happy to see that Browser Integration is working :+1
What doesn't work for me is System Authentication and SSH-Feature I also checked the logs but can't find anything outstanding. (attached - cat'ed together 15 files)
Logs in additional posts, I can now replicate the loss of the previous post - edit a post add too many lines/length - you lose it lol (Too long - pastebin: https://paste.debian.net/1235516/)
I can see the socket in "~/.1password/agent.sock". Also tried to debug it with netcat/socat and logs but I can't find anything wrong.
Happy to see some progress going on here, and quite hopeful we can solve the rest together :)
Also two non-related things:
- Is there a reason there isn't the right-click menu on the tray icon when Quick Access is configured? It would be so helpful if one and another does exclude the other
- Is it desired that the three dot menu is nested? (see screenshot)
Best Wishes and stay safe +1
Edit: KeyringHelper-Logs: https://paste.debian.net/1235517/ (Please fix your forum software, it's really a pain!)
- Former Member
Okay, as my post got lost somehow while editing I will write it again later :/
- Former Member
Hey Savanni,
I've checked out your PR and so far the browser integration is working fine :+1:
For system-integration like fingerprint-auth I see a shaking icon but nothing in the cli-output or to report why it's not working:
```
INFO 2022-03-24T17:15:40.717 ThreadId(18) [client:typescript] Client starting.
INFO 2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:281] Starting IPC listener on 1Password-BrowserSupport
INFO 2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:186] system locale detected as 'en_US'
INFO 2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:212] selected translations for EN_US based on detected locale en-US
INFO 2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:293] Active native core integration is awaiting messages
INFO 2022-03-24T17:15:40.786 ThreadId(18) [status:op-app/src/app.rs:325] App::new(1Password for Linux/80600076 (EN_US), /home/$USER/.config/1Password/1password.sqlite)
INFO 2022-03-24T17:15:40.787 ThreadId(18) [1P:op-db/src/db.rs:120] Starting DB at version: 23
INFO 2022-03-24T17:15:40.788 ThreadId(18) [1P:ssh/op-ssh-config/src/lib.rs:206] agent not configured
ERROR 2022-03-24T17:15:40.788 ThreadId(18) [1P:ffi/core-node/src/lib.rs:65] Attempted to notify uninitialized App
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-beta/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-unstable/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/chromium/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/microsoft-edge-dev/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi-snapshot/NativeMessagingHosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.mozilla/native-messaging-hosts/com.1password.1password.json
INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:83] Successfully installed all native messaging manifests.
INFO 2022-03-24T17:15:40.790 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-agent-controller/src/desktop.rs:285] SSH Agent has started.
[450618:0324/171540.856969:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
WARN 2022-03-24T17:15:41.055 op_executor:invocation_loop(ThreadId(22)) [1P:foundation/op-linux/src/kernel_keyring.rs:817] failed to initialize keyring helper, its functionality will be unavailable: Io(Error { kind: UnexpectedEof, message: "failed to fill whole buffer" })
INFO 2022-03-24T17:16:22.227 tokio-runtime-worker(ThreadId(8)) [1P:op-data-layer/src/load.rs:136] loaded 727 items in 11 vaults for account: xxx
INFO 2022-03-24T17:16:22.233 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/unlock.rs:80] Lock state changed: Unlocked
INFO 2022-03-24T17:16:23.662 tokio-runtime-worker(ThreadId(3)) [1P:op-syncer/src/sync_job.rs:276] synced account xxx (0.173358516s)
INFO 2022-03-24T17:16:23.663 tokio-runtime-worker(ThreadId(3)) [1P:op-data-layer/src/file.rs:608] find_and_complete_pending_uploads: 'xxx'
INFO 2022-03-24T17:16:24.167 tokio-runtime-worker(ThreadId(16)) [1P:op-data-layer/src/sync.rs:512] The B5 Notifier for (xxx) has connected, now monitoring for events.
INFO 2022-03-24T17:16:25.927 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:72] Lock state changed: Locked
INFO 2022-03-24T17:16:25.928 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:94] Locked. Reason: Manual.
```
Thanks for keeping up, I'm happy to see this in NixOS soon :)
Best wishes and stay safe :+1
Edit: Two little findings not related to this, maybe you can tell me where to place them/forward them:
Is there a reason I lose my right click menu on the tray icon when I enable Quick-Access on left click?
Is the nesting of the three dot menu (see screenshot) intended? (it's not nice to use I would say :D)
Edit 2: I tried to use the new ssh-feature and it seems to be also not working? for me at least (using the 8.6 release from your PR) there is a socket showing up in users-".1password" directory:
"srw------- 0 sebtm 24 Mar 17:39 /home/sebtm/.1password/agent.sock"
but when I connect via ssh somewhere I'm not offered anything by 1Password (which is running) and see "Permission denied (publickey)." (like without a key)
I tried to interact with the socket with netcat/socat but I don't get any responses/see anything from there. In the logs I found:
```
ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
INFO 2022-03-24T17:41:17.773 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + ControlLeft []
INFO 2022-03-24T17:41:18.243 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + Shift + ShiftLeft []
INFO 2022-03-24T17:41:18.745 ThreadId(18) [client:typescript] Settings file changed.
INFO 2022-03-24T17:41:29.756 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/frontend.rs:24] Front end event: window closed
INFO 2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
INFO 2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted.
WARN 2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] failed to receive agent request (Io(Io { kind: Other, inner: "<redacted>" })), replying with SSH_AGENT_FAILURE
WARN 2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:261] failed to receive agent request(Io(Os { code: 32, kind: BrokenPipe, message: "Broken pipe" })), dropping client
```
I have also some recurring errors/logs with just one line created:
```
ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
ERROR 2022-03-24T17:15:36.189 tokio-runtime-worker(ThreadId(8)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
ERROR 2022-03-24T17:15:36.189 tokio-runtime-worker(ThreadId(8)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
```
(I guess when I open it via rofi when in tray)
```
INFO 2022-03-24T17:24:11.717 ThreadId(18) [client:typescript] 1Password is already running, closing.
```
But all in all, I'm sure we will find solutions for it and get 1Password one better ;)
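The SSH agent socket speaks a binary, length-prefixed protocol, so a raw netcat/socat connection stays silent until a framed request arrives. As an added example (not from 1Password or the poster), this sends the standard "request identities" message and decodes the reply, including the `SSH_AGENT_FAILURE` case seen in the log above; the socket path given to `probe` is supplied by the caller.

```python
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("agent closed the connection mid-message")
        buf += chunk
    return buf

def read_string(buf, off):
    """Read one uint32-length-prefixed string; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in agent reply")
    return buf[off + 4:off + 4 + n], off + 4 + n

def list_identities(sock):
    """Return [(key_type, comment)], or None if the agent answers SSH_AGENT_FAILURE."""
    request = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    # Every message is a big-endian uint32 length followed by the body.
    sock.sendall(struct.pack(">I", len(request)) + request)
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if not 1 <= length <= 256 * 1024:  # sanity cap on the length prefix
        raise ValueError(f"implausible reply length {length}")
    body = recv_exact(sock, length)
    if body[0] == SSH_AGENT_FAILURE:
        return None
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected message type {body[0]}")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        key_type, _ = read_string(blob, 0)  # a key blob starts with its type name
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def probe(path):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        return list_identities(s)
```

An empty list means the agent is answering but offering no keys; `None` means it rejected the request.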
- Former Member
This might want to get documented somewhere, in order to make the polkit integration work I had to override the module package to
```
(pkgs._1password-gui.override ({ polkitPolicyOwners = ["dovalperin"]; }))
```
which makes sense in retrospect but was momentarily confusing. Otherwise it is working perfectly so far!
- Former Member
Absolutely, and it is great to see it working for you! It's working for me, too, and it is definitely improving my life.
I am almost certain that somewhere in our code, we have hard-coded the path to the 1password executable. Probably not something you can fix from outside. I'll keep investigating, especially since I'll need to solve this same problem for flatpak ASAP.
- Former Member
@Savanni it works! This is extremely exciting, thank you so much for all your work on this problem. This will improve my daily workflow exponentially. I'll keep thinking up a solution for the inability of the browser to start the 1password daemon, but like I said, that is nothing but an extremely minor inconvenience.
Is it ok if I reach out here if I find any bugs in my testing over the next few days?
Thank you so much again.
- Former Member
No worries! I appreciate all the work you have put into it. I saw the 8.6 PR merged so I'm excited to see the module go upstream! Until then I'll pull your module locally and give it a go!
Not being able to start 1password from the browser is a small price to pay, having it work together once it's started is amazing. Maybe I'll delegate starting the 1password app to systemd so it will always be running.
I'll give it a try later today hopefully and let you know how it goes. Thank you so much again.
- Former Member
Hey, @DAlperin. 8.6 is now stable and I have a pull request up to get the upgrade into NixOS unstable channel.
https://github.com/NixOS/nixpkgs/pull/164468
Additionally, I have a commit up, which depends on the 8.6 MR, that has browser integration mostly working (except for a bug where the browser isn't able to start 1password, but can delegate authentication to 1password if the desktop app has already been launched).
https://github.com/savannidgerinel/nixpkgs/tree/savanni/1password-browsersupport
At the moment, we're waiting for the first one to get reviewed and merged and then the second one is good to go.
Finally, I'm really sorry for leaving you hanging for so long. Somehow I never saw this message, which probably means that I mass deleted notifications at the wrong time.
- Former Member
Do you mind sharing exactly what the libudev error is? (I can't quite afford to switch to the beta right now since I rely on 1password so heavily, I can probably spin up a vm later)
- Former Member
@Savanni this might be a completely wrong (and definitely hacky) idea but what if you added this to the install script to bring libudev into scope specifically?
```
ln -s ${lib.getLib systemd}/lib/libudev.so $out/share/lib/libudev.so.0
```