[WIP]/help wanted: browserpass-native messaging host for pass/password-store
On Mon, 7 Jul 2025 16:32:16 +0100
Stuart Henderson <stu@spacehopper.org> wrote:
> On 2025/07/07 23:16, emulti@disroot.org wrote:
> >
> > On 2025/07/07 15:30, emulti@disroot.org wrote:
> > >>
> > >> A browser plugin 'browserpass' exists for Firefox/Chromium that
> > >> interfaces with the 'pass' password manager (password-store
> > >> package). In my testing it is light and fast, an improvement on
> > >> the likes of keepassxc-browser.
> > >>
> > >> It requires a 'native messaging' binary written in Go, that
> > >> supports pledge() on OpenBSD.
> > >>
> > >> Upstream: https://github.com/browserpass/browserpass-native/
> > >>
> > >> Installing manually was a bit of a pain, requiring patches to the
> > >> provided Makefile to get around incompatibilities between sed
> > >> and GNU sed, install and GNU install.
> > >>
> > >> I tried to use the MODULES= lang/go infrastructure in
> > >> lang/go/go.port.mk, but no distribution file can be found:
> > >>
> > >> ===>> Checking files for browserpass-native-3.1.0
> > >> >> Fetch
> > >> >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
> > >> ftp: Error retrieving
> > >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
> > >> 404 Not Found ...
> > >>
> > >> I expected go to then head off and retrieve the distfile from
> > >> github, but it just cycles through the standard
> > >> ftp.openbsd.org etcetera. So I fell back to using GH_ACCOUNT and
> > >> friends.
> > >>
> > >> I then tried building the port using this Makefile:
> > >>
> > >> COMMENT= Native Messaging host for the Browserpass browser plugin
> > >> ONLY_FOR_ARCHS = amd64
> > >>
> > >> DISTNAME= browserpass-native-3.1.0
> > >> CATEGORIES= security
> > >> EXTRACT_SUFX= .zip
> > >> HOMEPAGE= https://github.com/browserpass/browserpass-native
> > >> MAINTAINER= Chris Billington <emulti@disroot.org>
> > >>
> > >> # ISC License
> > >> PERMIT_PACKAGE= Yes
> > >>
> > >> # uses pledge()
> > >> WANTLIB += c pthread
> > >>
> > >> GH_ACCOUNT = browserpass
> > >> GH_PROJECT = browserpass-native
> > >> GH_TAGNAME = 3.1.0
> > >>
> > >> #MODULES= lang/go
> > >> #MODGO_MODNAME = github.com/browserpass/browserpass-native
> > >> #MODGO_VERSION = v3.1.0
> > >>
> > >> RUN_DEPENDS=
> > >>
> > >> USE_GMAKE= Yes
> > >>
> > >> #WRKDIST= ${WRKDIR}/github.com/browserpass/browserpass-native@${MODGO_VERSION}
> > >>
> > >> .include <bsd.port.mk>
> > >>
> > >> Tarball of the WIP port is also attached.
> > >>
> > >> 'make build' gives the following (ports tree is owned by
> > >> myuser/wsrc):
> > >>
> > >> $ make build
> > >> ===> Generating configure for browserpass-native-3.1.0
> > >> ===> Configuring for browserpass-native-3.1.0
> > >> ===> Building for browserpass-native-3.1.0
> > >> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
> > >> failed to initialize build cache
> > >> at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
> > >> mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
> > >> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 ***
> > >> Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
> > >> '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
> > >> @cd /usr/ports/pobj/...) *** Error 2
> > >> in /usr/ports/security/browserpass-native
> > >> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
> > >> @lock=browserpass-native-3.1.0...)
> > >>
> > >> Running 'doas make build' works, but the cache is put in
> > >> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
> > >> right.
> >
> > > The distfile doesn't contain the other go modules used by
> > > browserpass-native - "go build" as run by the upstream makefile
> > > tries to download them, they need to be listed in the port
> > > makefile so this can be handled by ports instead. (Ports aren't
> > > allowed to download during build anyway - recommended that you
> > > build ports as the _pbuild user which is done automatically if
> > > you set PORTS_PRIVSEP=Yes in mk.conf and that user is blocked
> > > from network access by the default pf.conf).
> > >
> > > As you saw, the normal ports infrastructure for handling go ports
> > > doesn't work for browserpass-native with the v3 tagged version. I
> > > think this is because something upstream isn't quite how go wants
> > > it to be set up -
> > > https://pkg.go.dev/github.com/browserpass/browserpass-native
> > > doesn't show it either.
> >
> > > You can generate a first cut at a port for the (much newer)
> > > non-tagged version that does show up there quite easily -
> > > "portgen go github.com/browserpass/browserpass-native". Though
> > > that's not very helpful if you want the tagged version..
> > >
> > > (If things were set up how go wants them, I'd expect "portgen go
> > > github.com/browserpass/browserpass-native/v3" to generate a port
> > > for the tagged version, but that just fails at the moment).
> >
> > Thanks Stuart. After setting up PRIVSEP I tried out portgen - very
> > neat indeed!
> >
> > I made the attached port with portgen from the non-tagged version on
> > pkg.go.dev. It builds and installs fine, but the 'browser-files'
> > firefox-host.json/chromium-host.json files that are supposed to be
> > installed to /usr/local/lib don't seem to be installed. They
> > exist in the distfile but not the package as built. Picking them out
> > manually and copying them to the appropriate browser location, the
> > package works fine. Is it necessary to add some kind of post-install
> > step to extract them from the port Makefile, or somehow tag them for
> > packaging?
>
> Yes, post-install then regen plist. I don't think it is worth trying
> to use upstream's Makefile. To insert the binary path into the json
> files you could do something like
>
> .for i in chromium-host.json firefox-host.json
> 	sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
> 		< ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
> .endfor
>
> > tar.gz of the port files (still from mystuff/go) is attached.
>
> : COMMENT = Native Messaging host for the Browserpass browser plugin
>
> please lower-case most of that; this would be alright:
>
> COMMENT = native messaging host for the Browserpass browser plugin
>
> : MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
> : DISTNAME = browserpass-native-${MODGO_VERSION}
> : PKGNAME = browserpass-native-20250425203345
>
> I suggest this so we don't need to use EPOCH if there's a later tagged
> version that works properly with infrastructure
>
> PKGNAME = browserpass-native-0.20250425203345
>
> (or just browserpass-native-0.20250425 would be fine too I think)
>
> : CATEGORIES = go
>
> that's just a placeholder, please replace with the actual category
> that you want
>
> : Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
> : instructions on how to enable specific browsers to use the
> : application, and add unveil() configuration to allow access to it.
>
> DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
> the user to read it).
>
> > --
> > Chris <emulti@disroot.org>
>
>
Have implemented your suggested changes and added the post-install
actions.

For the Category, I am suggesting 'security' as that is where keepassxc
and password-store live. Is that OK?

I have chosen to put the firefox-host.json and chromium-host.json files
in ${LOCALBASE}/share/examples/browserpass-native/ rather than
cluttering up ../lib

When they are copied to the user's browser native-messaging directories,
I found the {firefox,chromium}-host.json file needs to be
com.github.browserpass.native.json in both cases, probably because
it is some kind of standard.

I hope this port is a useful alternative to heavier stuff like
keepassxc/keepassxc-browser. The pass ecosystem seems quite active, and
this messaging application has pledge support.

Port files attached for your comments.
--
Chris Billington
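
An added example, not part of the thread or the port: a check a packager could run on an installed native messaging manifest. It shows why the file has to be renamed (the browser looks the host up as `<name>.json`) and verifies that the `"path"` rewritten by the sed step points at an executable that only its owner can modify. The function names, the temp-dir layout and the extension id are constructed for the example.

```python
import json
import os
import stat
import tempfile
def check_manifest(manifest_path):
    """Return a list of problems found in a native messaging host manifest."""
    with open(manifest_path) as f:
        m = json.load(f)
    problems = []
    name = m.get("name", "")
    # The browser looks the host up as <name>.json, so the file name must match.
    if os.path.basename(manifest_path) != name + ".json":
        problems.append("file must be named %s.json" % name)
    if m.get("type") != "stdio":
        problems.append('"type" must be "stdio"')
    # Firefox reads allowed_extensions, Chromium reads allowed_origins.
    if not (m.get("allowed_extensions") or m.get("allowed_origins")):
        problems.append("no allowed_extensions or allowed_origins")
    host = m.get("path", "")
    if not os.path.isabs(host):
        problems.append('"path" must be absolute')
    elif not (os.path.isfile(host) and os.access(host, os.X_OK)):
        problems.append('"path" is not an executable file')
    # The browser executes whatever "path" names: no group/other write bits.
    for p in (manifest_path, host):
        if os.path.isfile(p) and os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("group/world-writable: " + p)
    return problems

def demo():
    """Constructed sample: stand-in host binary, one manifest under two names."""
    d = tempfile.mkdtemp()
    host = os.path.join(d, "browserpass-native")
    with open(host, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(host, 0o755)
    manifest = {"name": "com.github.browserpass.native", "type": "stdio", "path": host,
                "allowed_extensions": ["placeholder@example.invalid"]}  # constructed id
    results = {}
    for fname in ("firefox-host.json", manifest["name"] + ".json"):
        p = os.path.join(d, fname)
        with open(p, "w") as f:
            json.dump(manifest, f)
        os.chmod(p, 0o644)
        results[fname] = check_manifest(p)
    return results

if __name__ == "__main__":
    for fname, problems in demo().items():
        print(fname, problems or "ok")
```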