[Desktop] Secure saved credentials.

[bedhub]

This is a subtask of #3444 for the desktop client to secure the stored credentials with a device key.
There should be only the option "Automatic" which creates a key, encrypts the credentials and stores that key in the secure storage of the device. As discussed in #3444 there should be no other biometric or system password option.

Implementation hints
Usually the keychain should be unlocked after the user logged in to their accounts but we have to consider the case that the keychain is still locked. In that case we need to show a dialog to prompt for unlocking the keychain.

There is currently a problem when using keytar because the cancel path is broken: atom/node-keytar#422

We like to replace keytar with electrons api anyway so we need to do this task first:
#3676

[ganthern]

the electron part is blocked on this (#3676 (comment)) unless we do something stupid like open an invisible BrowserWindow as soon as app is ready (which could even be too late since we want encryption pretty early).

[ganthern]

Testing

• log in with the old client, save the credentials, update tutanota and then check that the credentials still work.
  • Cancellation on Linux:
    • run gnome-keyring-daemon -f -r
    • run client, cancel all the prompts
    • no error should be shown (besides "secure storage not available")
    • try to use saved credentials, another prompt should be shown, cancel, should see no error
    • try to use saved credentials, unlock prompt, should be logged in
    • log out, try to use credentials again, they should unlock you
  • Cancellation on macOS:
    • Run client, unlock all prompts
    • open Keychain Access, find tutanota-credentials entry in login keychain, change its properties to not always unlock for the app and to ask password each time
    • open client again, try to log in and cancel, should see no error
    • log in and unlock prompt
    • log out, log in, should see prompt again and it should let you log in again
• on linux, delete all credentials, then restart tutanota, then lock the login key chain (using seahorse). Login and make sure the credentials get stored and are available after another restart.
• on mac, delete all credentials, then restart tutanota, then lock the login key chain (using keychain access). Login and make sure the credentials get stored and are available after another restart.

[charlag]

I couldn't get it to work yet. Here's what I did:

• run gnome-keyring-daemon -f -r to effectively "lock" the keychain
• Start the app
• See keyring prompt, cancel it
• See another keyring prompt, cancel it
• client shows "could not access secret storage" dialog, see from output that client treats it like cancellation (like it should)
• try to select stored credentials
• See 2 other prompts and cancel them
• client output "key credentials-device-lock-key not found, generating a new one" which shouldn't actually happen. Also 2 error dialogs (native and in app)