From: Stuart Henderson
Subject: Re: [WIP]/help wanted: browserpass-native messaging host for pass/password-store
To: "emulti@disroot.org"
Cc: ports@openbsd.org
Date: Mon, 7 Jul 2025 16:32:16 +0100

On 2025/07/07 23:16, emulti@disroot.org wrote:
> > On 2025/07/07 15:30, emulti@disroot.org wrote:
> >>
> >> A browser plugin 'browserpass' exists for Firefox/Chromium that
> >> interfaces with the 'pass' password manager (password-store package).
> >> In my testing it is light and fast, and improvement on the likes of
> >> keepassxc-browser.
> >>
> >> It requires a 'native messaging' binary written in Go, that supports
> >> pledge() on OpenBSD.
> >>
> >> Upstream: https://github.com/browserpass/browserpass-native/
> >>
> >> Installing manually was a bit of a pain, requiring patches to the
> >> provided Makefile to get around incompatibilities between sed and GNU
> >> sed, install and GNU install.
> >>
> >> I tried to use the MODULES= lang/go infrastructure in
> >> lang/go/go.port.mk, but no distribution file can be found:
> >>
> >> ===>> Checking files for browserpass-native-3.1.0
> >> >> Fetch
> >> >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
> >> ftp: Error retrieving
> >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
> >> 404 Not Found ...
> >>
> >> I expected go to then head off and retrieve the distfile from github,
> >> as but it just cycles through the standard ftp.openbsd.org etcetera.
> >> So I fell back to using GH_ACCOUNT and friends.
> >>
> >> I then tried building the port using this Makefile:
> >>
> >> COMMENT= Native Messaging host for the Browserpass browser
> >> plugin ONLY_FOR_ARCHS = amd64
> >>
> >> DISTNAME= browserpass-native-3.1.0
> >> CATEGORIES= security
> >> EXTRACT_SUFX= .zip
> >> HOMEPAGE= https://github.com/browserpass/browserpass-native
> >> MAINTAINER= Chris Billington
> >>
> >> # ISC License
> >> PERMIT_PACKAGE= Yes
> >>
> >> # uses pledge()
> >> WANTLIB += c pthread
> >>
> >> GH_ACCOUNT = browserpass
> >> GH_PROJECT = browserpass-native
> >> GH_TAGNAME = 3.1.0
> >>
> >> #MODULES= lang/go
> >> #MODGO_MODNAME = github.com/browserpass/browserpass-native
> >> #MODGO_VERSION = v3.1.0
> >>
> >> RUN_DEPENDS=
> >>
> >> USE_GMAKE= Yes
> >>
> >> #WRKDIST= $
> >> #{WRKDIR}/github.com/browserpass/browserpass-native@$ {MODGO_VERSION}
> >>
> >> .include <bsd.port.mk>
> >>
> >> Tarball of the WIP port is also attached.
> >>
> >> 'make build' gives the following (ports tree is owned by
> >> myuser/wsrc):
> >>
> >> $ make build
> >> ===> Generating configure for browserpass-native-3.1.0
> >> ===> Configuring for browserpass-native-3.1.0
> >> ===> Building for browserpass-native-3.1.0
> >> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
> >> failed to initialize build cache
> >> at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
> >> mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
> >> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 *** Error 2
> >> in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
> >> '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
> >> @cd /usr/ports/pobj/...) *** Error 2
> >> in /usr/ports/security/browserpass-native
> >> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
> >> @lock=browserpass-native-3.1.0...)
> >>
> >> Running 'doas make build' works, but the cache is put in
> >> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
> >> right.
>
> > The distfile doesn't contain the other go modules used by
> > browserpass-native - "go build" as run by the upstream makefile tries
> > to download them, they need to be listed in the port makefile so this
> > can be handled by ports instead. (Ports aren't allowed to download
> > during build anyway - recommended that you build ports as the _pbuild
> > user which is done automatically if you set PORTS_PRIVSEP=Yes in
> > mk.conf and that user is blocked from network access by the default
> > pf.conf).
> >
> > As you saw, the normal ports infrastructure for handling go ports
> > doesn't work for browserpass-native with the v3 tagged version. I
> > think this is because something upstream isn't quite how go wants it
> > to be setup -
> > https://pkg.go.dev/github.com/browserpass/browserpass-native doesn't
> > show it either.
>
> > You can generate a first cut at a port for the (much newer)
> > non-tagged version that does show up there quite easily - "portgen go
> > github.com/browserpass/browserpass-native". Though that's not very
> > helpful if you want the tagged version..
> >
> > (If things were setup how go wants them, I'd expect "portgen go
> > github.com/browserpass/browserpass-native/v3" to generate a port for
> > the tagged version, but that just fails at the moment).
>
> Thanks Stuart. After setting up PRIVSEP I tried out portgen- very neat
> indeed!
>
> I made the attached port with portgen from the non-tagged version on
> pkg.go.dev. It builds and installs fine, but the 'browser-files'
> firefox-host.json/chromium-host.json files that are supposed to be
> installed to /usr/local/lib don't seem to be installed. They
> exist in the distfile but not the package as built. Picking them out
> manually and copying them to the appropriate browser location, the
> package works fine. Is it necessary to add some kind of post-install
> step to extract them from the port Makefile, or somehow tag them for
> packaging?

yes, post-install then regen plist.
I don't think it is worth trying to use upstream's Makefile. to insert
the binary path into the json files you could do something like

.for i in chromium-host.json firefox-host.json
	sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
	    < ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
.endfor

> tar.gz of the port files (still from mystuff/go) is attached.

: COMMENT = Native Messaging host for the Browserpass browser plugin

please lower-case most of that; this would be alright:

COMMENT = native messaging host for the Browserpass browser plugin

: MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
: DISTNAME = browserpass-native-${MODGO_VERSION}
: PKGNAME = browserpass-native-20250425203345

I suggest this so we don't need to use EPOCH if there's a later tagged
version that works properly with infrastructure

PKGNAME = browserpass-native-0.20250425203345

(or just browserpass-native-0.20250425 would be fine too I think)

: CATEGORIES = go

that's just a placeholder, please replace with the actual category that
you want

: Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
: instructions on how to enable specific browsers to use the application,
: and add unveil() configuration to allow access to it.

DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
the user to read it).

> --
> Chris
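
The sed substitution suggested in the reply above, run outside make as an added example (not part of the original mail, the port, or upstream): it rewrites a constructed native-messaging manifest and checks that the result points at the installed binary with its other keys intact. The manifest contents, the default TRUEPREFIX of /usr/local and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: apply the sed substitution from the mail to a constructed
# native-messaging manifest and verify the result before packaging.
# Assumption: TRUEPREFIX defaults to /usr/local when not set.
TRUEPREFIX=${TRUEPREFIX:-/usr/local}
HOSTBIN="${TRUEPREFIX}/bin/browserpass-native"

# Write a constructed multi-line manifest (placeholder path, made-up ids).
make_sample() {
	cat > "$1" <<'EOF'
{
    "name": "com.example.host",
    "description": "constructed sample manifest",
    "path": "PLACEHOLDER",
    "type": "stdio",
    "allowed_extensions": ["sample@extension.invalid"]
}
EOF
}

# Same substitution as in the mail; the shell expands HOSTBIN instead of make.
rewrite_manifest() {
	sed 's|"path": ".*"|"path": "'"$HOSTBIN"'"|' < "$1" > "$2"
}

# Print the value of the "path" key (assumes one key per line).
manifest_path() {
	sed -n 's|^[[:space:]]*"path": "\([^"]*\)",\{0,1\}$|\1|p' "$1"
}

# Succeed only if path is the expected binary and the other keys survived.
check_manifest() {
	[ "$(manifest_path "$1")" = "$HOSTBIN" ] &&
	grep -q '"type": "stdio"' "$1" &&
	grep -q '"allowed_extensions"' "$1"
}

# Rewrite one sample in a scratch directory; returns 0 when the output is sane.
demo() {
	d=$(mktemp -d) || return 1
	make_sample "$d/in.json"
	rewrite_manifest "$d/in.json" "$d/out.json"
	check_manifest "$d/out.json"; rc=$?
	rm -rf "$d"
	return $rc
}

demo && echo "manifest ok: path -> $HOSTBIN"
```

Because `".*"` is greedy, the substitution relies on the "path" key sitting on its own line; on a manifest written as a single line it would also consume the keys that follow, which check_manifest reports as a failure.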