From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: [WIP]/help wanted: browserpass-native messaging host for pass/password-store
To: "emulti@disroot.org" <emulti@disroot.org>
Cc: ports@openbsd.org
Date: Mon, 7 Jul 2025 16:32:16 +0100

On 2025/07/07 23:16, emulti@disroot.org wrote:
> 
> On 2025/07/07 15:30, emulti@disroot.org wrote:
> >> 
> >> A browser plugin 'browserpass' exists for Firefox/Chromium that
> >> interfaces with the 'pass' password manager (password-store package).
> >> In my testing it is light and fast, an improvement on the likes of
> >> keepassxc-browser.
> >> 
> >> It requires a 'native messaging' binary written in Go, that supports
> >> pledge() on OpenBSD.
> >> 
> >> Upstream: https://github.com/browserpass/browserpass-native/
> >> 
> >> Installing manually was a bit of a pain, requiring patches to the
> >> provided Makefile to get around incompatibilities between sed and GNU
> >> sed, install and GNU install. 
> >> 
> >> I tried to use the MODULES= lang/go infrastructure in
> >> lang/go/go.port.mk, but no distribution file can be found:
> >> 
> >> ===>>  Checking files for browserpass-native-3.1.0
> >> >> Fetch
> >> >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
> >> ftp: Error retrieving
> >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
> >> 404 Not Found ... 
> >> 
> >> I expected go to then head off and retrieve the distfile from github,
> >> but it just cycles through the standard ftp.openbsd.org etcetera.
> >> So I fell back to using GH_ACCOUNT and friends.
> >> 
> >> I then tried building the port using this Makefile:
> >> 
> >> COMMENT=	Native Messaging host for the Browserpass browser plugin
> >> ONLY_FOR_ARCHS = amd64
> >> 
> >> DISTNAME=	browserpass-native-3.1.0
> >> CATEGORIES=	security
> >> EXTRACT_SUFX=	.zip
> >> HOMEPAGE=	https://github.com/browserpass/browserpass-native
> >> MAINTAINER=	Chris Billington <emulti@disroot.org>
> >> 
> >> # ISC License
> >> PERMIT_PACKAGE=	Yes
> >> 
> >> # uses pledge()
> >> WANTLIB += c pthread
> >> 
> >> GH_ACCOUNT =            browserpass
> >> GH_PROJECT =            browserpass-native
> >> GH_TAGNAME =            3.1.0
> >> 
> >> #MODULES=	lang/go
> >> #MODGO_MODNAME = github.com/browserpass/browserpass-native
> >> #MODGO_VERSION = v3.1.0
> >> 
> >> RUN_DEPENDS=	
> >>                 
> >> USE_GMAKE=	Yes
> >> 
> >> #WRKDIST=        ${WRKDIR}/github.com/browserpass/browserpass-native@${MODGO_VERSION}
> >> 
> >> .include <bsd.port.mk>
> >> 
> >> Tarball of the WIP port is also attached.
> >> 
> >> 'make build' gives the following (ports tree is owned by
> >> myuser/wsrc):
> >> 
> >> $ make build
> >> ===>  Generating configure for browserpass-native-3.1.0
> >> ===>  Configuring for browserpass-native-3.1.0
> >> ===>  Building for browserpass-native-3.1.0
> >> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
> >> failed to initialize build cache
> >> at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
> >> mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
> >> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 *** Error 2
> >> in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
> >> '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
> >> @cd /usr/ports/pobj/...) *** Error 2
> >> in /usr/ports/security/browserpass-native
> >> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
> >> @lock=browserpass-native-3.1.0...)
> >> 
> >> Running 'doas make build' works, but the cache is put in 
> >> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
> >> right.
> 
> > The distfile doesn't contain the other go modules used by
> > browserpass-native - "go build" as run by the upstream makefile tries
> > to download them, they need to be listed in the port makefile so this
> > can be handled by ports instead. (Ports aren't allowed to download
> > during build anyway - recommended that you build ports as the _pbuild
> > user which is done automatically if you set PORTS_PRIVSEP=Yes in
> > mk.conf and that user is blocked from network access by the default
> > pf.conf).
> >
> > As you saw, the normal ports infrastructure for handling go ports
> > doesn't work for browserpass-native with the v3 tagged version. I
> > think this is because something upstream isn't quite how go wants it
> > to be setup -
> > https://pkg.go.dev/github.com/browserpass/browserpass-native doesn't
> > show it either.
> 
> > You can generate a first cut at a port for the (much newer)
> > non-tagged version that does show up there quite easily - "portgen go
> > github.com/browserpass/browserpass-native". Though that's not very
> > helpful if you want the tagged version..
> >
> > (If things were setup how go wants them, I'd expect "portgen go
> > github.com/browserpass/browserpass-native/v3" to generate a port for
> > the tagged version, but that just fails at the moment).
> 
> Thanks Stuart. After setting up PRIVSEP I tried out portgen- very neat
> indeed!
> 
> I made the attached port with portgen from the non-tagged version on
> pkg.go.dev. It builds and installs fine, but the 'browser-files'
> firefox-host.json/chromium-host.json files that are supposed to be
> installed to /usr/local/lib don't seem to be installed. They
> exist in the distfile but not the package as built. Picking them out
> manually and copying them to the appropriate browser location, the
> package works fine. Is it necessary to add some kind of post-install
> step to extract them from the port Makefile, or somehow tag them for
> packaging?

yes, post-install then regen plist. I don't think it is worth trying
to use upstream's Makefile. to insert the binary path into the json
files you could do something like

.for i in chromium-host.json firefox-host.json
	sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
	    < ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
.endfor

> tar.gz of the port files (still from mystuff/go) is attached.

: COMMENT =       Native Messaging host for the Browserpass browser plugin

please lower-case most of that; this would be alright:

COMMENT =       native messaging host for the Browserpass browser plugin

: MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
: DISTNAME =      browserpass-native-${MODGO_VERSION}
: PKGNAME =       browserpass-native-20250425203345

I suggest this so we don't need to use EPOCH if there's a later tagged
version that works properly with infrastructure

PKGNAME =       browserpass-native-0.20250425203345

(or just browserpass-native-0.20250425 would be fine too I think)

: CATEGORIES =    go

that's just a placeholder, please replace with the actual category that
you want

: Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
: instructions on how to enable specific browsers to use the application,
: and add unveil() configuration to allow access to it.

DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
the user to read it).

> -- 
> Chris <emulti@disroot.org>
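
The path substitution suggested in the reply above, run against a constructed manifest and followed by a check that exactly one absolute path was written (the browser executes whatever this field names). This is an added example, not part of the original message or the port; the function names, the sample manifest and `/usr/local/bin/browserpass-native` as the installed location are assumptions.

```shell
#!/bin/sh
# Added example. The manifest body is constructed sample data, not
# upstream's file; the function names are hypothetical.

make_sample_manifest() {
	cat > "$1" <<'EOF'
{
  "name": "com.example.host",
  "description": "constructed sample manifest",
  "path": "PLACEHOLDER",
  "type": "stdio"
}
EOF
}

# rewrite_host_manifest SRC DST BINARY
# Writes DST as SRC with the "path" value replaced by BINARY. Fails if
# BINARY is not absolute, contains characters that are special to sed or
# JSON, or if the output does not contain exactly one rewritten path.
rewrite_host_manifest() {
	src=$1 dst=$2 bin=$3
	case $bin in
	*'|'*|*'&'*|*'"'*|*'\'*)
		echo "unsafe character in path: $bin" >&2; return 1 ;;
	/*) ;;
	*)	echo "path must be absolute: $bin" >&2; return 1 ;;
	esac
	# Same expression as in the reply, with the target passed in.
	sed 's|"path": ".*"|"path": "'"$bin"'"|' < "$src" > "$dst" || return 1
	n=$(grep -cF "\"path\": \"$bin\"" "$dst" || true)
	[ "$n" -eq 1 ] || { echo "expected 1 rewritten path, got $n" >&2; return 1; }
}

# Demo: /usr/local/bin/browserpass-native stands in for
# ${TRUEPREFIX}/bin/browserpass-native (assumed install location).
tmp=$(mktemp -d) || exit 1
make_sample_manifest "$tmp/in.json"
rewrite_host_manifest "$tmp/in.json" "$tmp/out.json" \
    /usr/local/bin/browserpass-native && cat "$tmp/out.json"
rm -rf "$tmp"
```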