[WIP]/help wanted: browserpass-native messaging host for pass/password-store
Chris Billington wrote:
> On Mon, 7 Jul 2025 16:32:16 +0100
> Stuart Henderson <stu@spacehopper.org> wrote:
>
>> On 2025/07/07 23:16, emulti@disroot.org wrote:
>>>
>>> On 2025/07/07 15:30, emulti@disroot.org wrote:
>>>>>
>>>>> A browser plugin 'browserpass' exists for Firefox/Chromium that
>>>>> interfaces with the 'pass' password manager (password-store
>>>>> package). In my testing it is light and fast, an improvement on
>>>>> the likes of keepassxc-browser.
>>>>>
>>>>> It requires a 'native messaging' binary written in Go, that
>>>>> supports pledge() on OpenBSD.
>>>>>
>>>>> Upstream: https://github.com/browserpass/browserpass-native/
>>>>>
>>>>> Installing manually was a bit of a pain, requiring patches to the
>>>>> provided Makefile to get around incompatibilities between sed
>>>>> and GNU sed, install and GNU install.
>>>>>
>>>>> I tried to use the MODULES= lang/go infrastructure in
>>>>> lang/go/go.port.mk, but no distribution file can be found:
>>>>>
>>>>> ===>> Checking files for browserpass-native-3.1.0
>>>>>>> Fetch
>>>>>>> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
>>>>> ftp: Error retrieving
>>>>> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
>>>>> 404 Not Found ...
>>>>>
>>>>> I expected go to then head off and retrieve the distfile from
>>>>> github, but it just cycles through the standard
>>>>> ftp.openbsd.org etcetera. So I fell back to using GH_ACCOUNT and
>>>>> friends.
>>>>>
>>>>> I then tried building the port using this Makefile:
>>>>>
>>>>> COMMENT= Native Messaging host for the Browserpass browser plugin
>>>>> ONLY_FOR_ARCHS = amd64
>>>>>
>>>>> DISTNAME= browserpass-native-3.1.0
>>>>> CATEGORIES= security
>>>>> EXTRACT_SUFX= .zip
>>>>> HOMEPAGE= https://github.com/browserpass/browserpass-native
>>>>> MAINTAINER= Chris Billington <emulti@disroot.org>
>>>>>
>>>>> # ISC License
>>>>> PERMIT_PACKAGE= Yes
>>>>>
>>>>> # uses pledge()
>>>>> WANTLIB += c pthread
>>>>>
>>>>> GH_ACCOUNT = browserpass
>>>>> GH_PROJECT = browserpass-native
>>>>> GH_TAGNAME = 3.1.0
>>>>>
>>>>> #MODULES= lang/go
>>>>> #MODGO_MODNAME = github.com/browserpass/browserpass-native
>>>>> #MODGO_VERSION = v3.1.0
>>>>>
>>>>> RUN_DEPENDS=
>>>>>
>>>>> USE_GMAKE= Yes
>>>>>
>>>>> #WRKDIST= ${WRKDIR}/github.com/browserpass/browserpass-native@${MODGO_VERSION}
>>>>>
>>>>> .include <bsd.port.mk>
>>>>>
>>>>> Tarball of the WIP port is also attached.
>>>>>
>>>>> 'make build' gives the following (ports tree is owned by
>>>>> myuser/wsrc):
>>>>>
>>>>> $ make build
>>>>> ===> Generating configure for browserpass-native-3.1.0
>>>>> ===> Configuring for browserpass-native-3.1.0
>>>>> ===> Building for browserpass-native-3.1.0
>>>>> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
>>>>> failed to initialize build cache
>>>>> at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
>>>>> mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
>>>>> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 ***
>>>>> Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
>>>>> '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
>>>>> @cd /usr/ports/pobj/...) *** Error 2
>>>>> in /usr/ports/security/browserpass-native
>>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
>>>>> @lock=browserpass-native-3.1.0...)
>>>>>
>>>>> Running 'doas make build' works, but the cache is put in
>>>>> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
>>>>> right.
>>>
>>>> The distfile doesn't contain the other go modules used by
>>>> browserpass-native - "go build" as run by the upstream makefile
>>>> tries to download them, they need to be listed in the port
>>>> makefile so this can be handled by ports instead. (Ports aren't
>>>> allowed to download during build anyway - recommended that you
>>>> build ports as the _pbuild user which is done automatically if
>>>> you set PORTS_PRIVSEP=Yes in mk.conf and that user is blocked
>>>> from network access by the default pf.conf).
>>>>
>>>> As you saw, the normal ports infrastructure for handling go ports
>>>> doesn't work for browserpass-native with the v3 tagged version. I
>>>> think this is because something upstream isn't quite how go wants
>>>> it to be setup -
>>>> https://pkg.go.dev/github.com/browserpass/browserpass-native
>>>> doesn't show it either.
>>>
>>>> You can generate a first cut at a port for the (much newer)
>>>> non-tagged version that does show up there quite easily -
>>>> "portgen go github.com/browserpass/browserpass-native". Though
>>>> that's not very helpful if you want the tagged version..
>>>>
>>>> (If things were setup how go wants them, I'd expect "portgen go
>>>> github.com/browserpass/browserpass-native/v3" to generate a port
>>>> for the tagged version, but that just fails at the moment).
>>>
>>> Thanks Stuart. After setting up PRIVSEP I tried out portgen- very
>>> neat indeed!
>>>
>>> I made the attached port with portgen from the non-tagged version on
>>> pkg.go.dev. It builds and installs fine, but the 'browser-files'
>>> firefox-host.json/chromium-host.json files that are supposed to be
>>> installed to /usr/local/lib don't seem to be installed. They
>>> exist in the distfile but not the package as built. Picking them out
>>> manually and copying them to the appropriate browser location, the
>>> package works fine. Is it necessary to add some kind of post-install
>>> step to extract them from the port Makefile, or somehow tag them for
>>> packaging?
>>
>> yes, post-install then regen plist. I don't think it is worth trying
>> to use upstream's Makefile. to insert the binary path into the json
>> files you could do something like
>>
>> .for i in chromium-host.json firefox-host.json
>>     sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
>>         < ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
>> .endfor
>>
>>> tar.gz of the port files (still from mystuff/go) is attached.
>>
>> : COMMENT = Native Messaging host for the Browserpass browser plugin
>>
>> please lower-case most of that; this would be alright:
>>
>> COMMENT = native messaging host for the Browserpass browser plugin
>>
>> : MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
>> : DISTNAME = browserpass-native-${MODGO_VERSION}
>> : PKGNAME = browserpass-native-20250425203345
>>
>> I suggest this so we don't need to use EPOCH if there's a later tagged
>> version that works properly with infrastructure
>>
>> PKGNAME = browserpass-native-0.20250425203345
>>
>> (or just browserpass-native-0.20250425 would be fine too I think)
>>
>> : CATEGORIES = go
>>
>> that's just a placeholder, please replace with the actual category
>> that you want
>>
>> : Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
>> : instructions on how to enable specific browsers to use the
>> : application, and add unveil() configuration to allow access to it.
>>
>> DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
>> the user to read it).
>>
>>> --
>>> Chris <emulti@disroot.org>
>>
>>
>
> Have implemented your suggested changes and added the post-install
> actions.
>
> For the Category, I am suggesting 'security' as that is where keepassxc
> and password-store live. Is that OK?
>
> I have chosen to put the firefox-host.json and chromium-host.json files
> in ${LOCALBASE}/share/examples/browserpass-native/ rather than
> cluttering up ../lib
>
> When they are copied to the user's browser native-messaging directories,
> I found the {firefox,chromium}-hosts.json file needs to be
> com.github.browserpass.native.json in both cases, probably because
> it is some kind of standard.
>
> I hope this port is a useful alternative to heavier stuff like
> keepassxc/keepassxc-browser. The pass ecosystem seems quite active, and
> this messaging application has pledge support.
>
> Port files attached for your comments.
>
I attach a slightly updated version of the proposed port, with
information added to the README about unlocking the password store
directly from the browser extension.
--
Chris <emulti@disroot.org>
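
The manifest handling discussed in this thread, as an added example that is not part of the message or the port: it applies the same sed substitution to a manifest and then checks the result before it would be copied into a browser's native-messaging directory. The sample manifest contents, the /usr/local prefix and the function names are assumptions made for illustration; the browser looks the host up by a file named after the manifest's "name" field, which is why both copies end up as com.github.browserpass.native.json.

```sh
#!/bin/sh
# Added example, not part of the port. The sample manifest is constructed.

# write_sample FILE: a constructed stand-in for browser-files/firefox-host.json
write_sample() {
    cat > "$1" <<'EOF'
{
    "name": "com.github.browserpass.native",
    "description": "constructed sample manifest",
    "path": "PLACEHOLDER",
    "type": "stdio"
}
EOF
}

# render_manifest SRC PREFIX: same substitution as the sed line in the thread
render_manifest() {
    sed 's|"path": ".*"|"path": "'"$2"'/bin/browserpass-native"|' < "$1"
}

# manifest_field FILE KEY: print the string value of KEY (one key per line)
manifest_field() {
    sed -n 's|.*"'"$2"'": *"\([^"]*\)".*|\1|p' "$1" | head -n 1
}

# check_manifest FILE BIN: succeed only if "path" is exactly BIN (absolute)
# and FILE is named <name>.json, which is how the browser looks the host up
check_manifest() {
    m_path=$(manifest_field "$1" path)
    m_name=$(manifest_field "$1" name)
    case $m_path in
        /*) ;;
        *) echo "path is not absolute: $m_path" >&2; return 1 ;;
    esac
    [ "$m_path" = "$2" ] || { echo "unexpected path: $m_path" >&2; return 1; }
    [ "$(basename "$1")" = "$m_name.json" ] || {
        echo "$1 must be named $m_name.json" >&2; return 1; }
}

# Assumed prefix /usr/local; render the sample and check the renamed copy.
tmp=$(mktemp -d)
write_sample "$tmp/firefox-host.json"
render_manifest "$tmp/firefox-host.json" /usr/local \
    > "$tmp/com.github.browserpass.native.json"
check_manifest "$tmp/com.github.browserpass.native.json" \
    /usr/local/bin/browserpass-native && echo "manifest ok"
```

The sed pattern ends in a greedy `.*"`, so it relies on "path" sitting on a line of its own; a manifest written on a single line would have its later keys swallowed by the substitution.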