ProtonMail Bridge 3.14 fails to start on Nixos unstable with Qt 6.8

[michelealbrigo]

Describe the bug

Apparently protonmail-bridge-gui has issues on systems with Qt 6.8 (i.e. recent unstable builds). The Proton team already knows it (ProtonMail/proton-bridge#500) but they do seem to put the Qt update high on the priority list, citing distribution support. Opening this issue for all those wondering if it's their problem or if it's a wider / not-strictly-Nixos-related issue.

Also: would it be possible to "wrap the package" in a way that its dependencies (Qt 6.7) are met nonetheless? I do not know the inner workings of Nixos enough to have an answer to this myself.

Steps To Reproduce

Steps to reproduce the behavior:

1. grab a Nixos Unstable and update it to current
2. install protonmail-bridge-gui
3. open it

Expected behavior

ProtonMail bridge GUI working as usual (starting up, ending up in tray, serving mail to local mail clients).

Screenshots

Additional context

Trying to setup a workaround based on the CLI package, will add info to this issue on the result.

Notify maintainers

@daniel-fahey

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.11.4, NixOS, 24.11 (Vicuna), 24.11pre694395.4c2fcb090b1f`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.24.9`
 - channels(root): `"nixos"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

---

Add a 👍 reaction to issues you find important.

[michelealbrigo]

On further investigation on the cli-based workaround, posting this to save time to anybody trying this very same route, I am stuck with protonmail-bridge --cli saving the vault key with different metadata from what protonmail-bridge --noninteractive apparently expects, so whenever a custom-made user service unit fires up the noninteractive process, it can't decrypt its vault and declares it corrupted, thus wiping it and starting with no account configured. Same system as above, gnome-keyring configured and detected by protonmail-bridge at launch. Seahorse can't edit those fields (so I can't start it as cli-interactive, log in, sync, shut down, edit the entry, start as non-interactive service).

This is --cli:

...and this is what --noninteractive expects, does not find, and creates for the new vault:

[michelealbrigo]

CLI-based workaround completed while #350283 gets merged:

1. Ensure you have gnome-keyring working, and install the CLI tools to access it, along with the CLI version of bridge:

home-manager.users.youruser = { lib, ... }: {
  services.gnome-keyring.enable = true;
};
services.gnome.gnome-keyring.enable = true;
environment.system-packages = with pkgs; {
  libsecret
  protonmail-bridge
};

2. Start the interactive session with protonmail-bridge --cli, login and let it sync. Grab the mail client passwords (IMAP/SMTP) for your account, then exit the interactive session.
   Before starting the non-interactive session, use this command:

secret-tool store --label='protonmail/bridge-v3/users/bridge-vault-key' label 'Proton Mail Bridge Credentials' server 'protonmail/bridge-v3/users/bridge-vault-key' username 'bridge-vault-key'

...and provide as password the same value you get in the entry you can already find in Seahorse (Gnome Keyring tool). You'll end up with two different entries with the same vault key.

Now you can run the non-interactive session without having your account wiped because it can't find a vault key.

3. In case you want to run it as a service, on user login:

systemd.user.services = {
  protonmail-bridge = {
    after = [ "network.target" ];
    description = "ProtonMail Bridge";
    enable = true;
    serviceConfig = {
      Type = "simple";
      ExecStart = ''${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive'';
    };
    unitConfig.ConditionUser = "youruser";
      wantedBy = [ "default.target" ];
    };
};

[daniel-fahey]

@michelealbrigo may be easier to use https://search.nixos.org/options?channel=unstable&query=services.protonmail-bridge

[michelealbrigo]

@michelealbrigo may be easier to use https://search.nixos.org/options?channel=unstable&query=services.protonmail-bridge

I've looked into that, but I could not figure out how to make it log into my account (in hindsight, maybe let it start, then stop it manually, so the lock file gets removed, then start it in CLI, log-in, exit and finally start it again as a system, eventually with the same keyring hack I described before).