From: Chris Billington
Subject: Re: [WIP]/help wanted: browserpass-native messaging host for pass/password-store
To: Stuart Henderson
Cc: ports@openbsd.org
Date: Tue, 8 Jul 2025 12:21:16 +0800

On Mon, 7 Jul 2025 16:32:16 +0100
Stuart Henderson wrote:

> On 2025/07/07 23:16, emulti@disroot.org wrote:
> >
> > On 2025/07/07 15:30, emulti@disroot.org wrote:
> > >>
> > >> A browser plugin 'browserpass' exists for Firefox/Chromium that
> > >> interfaces with the 'pass' password manager (password-store
> > >> package). In my testing it is light and fast, an improvement on
> > >> the likes of keepassxc-browser.
> > >>
> > >> It requires a 'native messaging' binary written in Go, that
> > >> supports pledge() on OpenBSD.
> > >>
> > >> Upstream: https://github.com/browserpass/browserpass-native/
> > >>
> > >> Installing manually was a bit of a pain, requiring patches to the
> > >> provided Makefile to get around incompatibilities between sed
> > >> and GNU sed, install and GNU install.
> > >>
> > >> I tried to use the MODULES= lang/go infrastructure in
> > >> lang/go/go.port.mk, but no distribution file can be found:
> > >>
> > >> ===>> Checking files for browserpass-native-3.1.0
> > >> >> Fetch https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
> > >> ftp: Error retrieving https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip: 404 Not Found
> > >> ...
> > >>
> > >> I expected go to then head off and retrieve the distfile from
> > >> github, but it just cycles through the standard
> > >> ftp.openbsd.org etcetera. So I fell back to using GH_ACCOUNT and
> > >> friends.
> > >>
> > >> I then tried building the port using this Makefile:
> > >>
> > >> COMMENT=	Native Messaging host for the Browserpass browser plugin
> > >> ONLY_FOR_ARCHS = amd64
> > >>
> > >> DISTNAME=	browserpass-native-3.1.0
> > >> CATEGORIES=	security
> > >> EXTRACT_SUFX=	.zip
> > >> HOMEPAGE=	https://github.com/browserpass/browserpass-native
> > >> MAINTAINER=	Chris Billington
> > >>
> > >> # ISC License
> > >> PERMIT_PACKAGE=	Yes
> > >>
> > >> # uses pledge()
> > >> WANTLIB += c pthread
> > >>
> > >> GH_ACCOUNT = browserpass
> > >> GH_PROJECT = browserpass-native
> > >> GH_TAGNAME = 3.1.0
> > >>
> > >> #MODULES=	lang/go
> > >> #MODGO_MODNAME = github.com/browserpass/browserpass-native
> > >> #MODGO_VERSION = v3.1.0
> > >>
> > >> RUN_DEPENDS=
> > >>
> > >> USE_GMAKE=	Yes
> > >>
> > >> #WRKDIST=	${WRKDIR}/github.com/browserpass/browserpass-native@${MODGO_VERSION}
> > >>
> > >> .include <bsd.port.mk>
> > >>
> > >> Tarball of the WIP port is also attached.
> > >>
> > >> 'make build' gives the following (ports tree is owned by
> > >> myuser/wsrc):
> > >>
> > >> $ make build
> > >> ===> Generating configure for browserpass-native-3.1.0
> > >> ===> Configuring for browserpass-native-3.1.0
> > >> ===> Building for browserpass-native-3.1.0
> > >> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
> > >> failed to initialize build cache at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build: mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
> > >> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1
> > >> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069 '/usr/ports/pobj/browserpass-native-3.1.0/.build_done': @cd /usr/ports/pobj/...)
> > >> *** Error 2 in /usr/ports/security/browserpass-native (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build': @lock=browserpass-native-3.1.0...)
> > >>
> > >> Running 'doas make build' works, but the cache is put in
> > >> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
> > >> right.
> > >
> > > The distfile doesn't contain the other go modules used by
> > > browserpass-native - "go build" as run by the upstream makefile
> > > tries to download them, they need to be listed in the port
> > > makefile so this can be handled by ports instead. (Ports aren't
> > > allowed to download during build anyway - recommended that you
> > > build ports as the _pbuild user which is done automatically if
> > > you set PORTS_PRIVSEP=Yes in mk.conf and that user is blocked
> > > from network access by the default pf.conf).
> > >
> > > As you saw, the normal ports infrastructure for handling go ports
> > > doesn't work for browserpass-native with the v3 tagged version. I
> > > think this is because something upstream isn't quite how go wants
> > > it to be set up -
> > > https://pkg.go.dev/github.com/browserpass/browserpass-native
> > > doesn't show it either.
> > >
> > > You can generate a first cut at a port for the (much newer)
> > > non-tagged version that does show up there quite easily -
> > > "portgen go github.com/browserpass/browserpass-native". Though
> > > that's not very helpful if you want the tagged version..
> > >
> > > (If things were set up how go wants them, I'd expect "portgen go
> > > github.com/browserpass/browserpass-native/v3" to generate a port
> > > for the tagged version, but that just fails at the moment).
> >
> > Thanks Stuart. After setting up PRIVSEP I tried out portgen- very
> > neat indeed!
> >
> > I made the attached port with portgen from the non-tagged version on
> > pkg.go.dev. It builds and installs fine, but the 'browser-files'
> > firefox-host.json/chromium-host.json files that are supposed to be
> > installed to /usr/local/lib don't seem to be installed. They
> > exist in the distfile but not the package as built. Picking them out
> > manually and copying them to the appropriate browser location, the
> > package works fine. Is it necessary to add some kind of post-install
> > step to extract them from the port Makefile, or somehow tag them for
> > packaging?
>
> yes, post-install then regen plist. I don't think it is worth trying
> to use upstream's Makefile. To insert the binary path into the json
> files you could do something like
>
> .for i in chromium-host.json firefox-host.json
> 	sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
> 		< ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
> .endfor
>
> > tar.gz of the port files (still from mystuff/go) is attached.
>
> : COMMENT = Native Messaging host for the Browserpass browser plugin
>
> please lower-case most of that; this would be alright:
>
> COMMENT = native messaging host for the Browserpass browser plugin
>
> : MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
> : DISTNAME = browserpass-native-${MODGO_VERSION}
> : PKGNAME = browserpass-native-20250425203345
>
> I suggest this so we don't need to use EPOCH if there's a later tagged
> version that works properly with infrastructure
>
> PKGNAME = browserpass-native-0.20250425203345
>
> (or just browserpass-native-0.20250425 would be fine too I think)
>
> : CATEGORIES = go
>
> that's just a placeholder, please replace with the actual category
> that you want
>
> : Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
> : instructions on how to enable specific browsers to use the application,
> : and add unveil() configuration to allow access to it.
>
> DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
> the user to read it).
>
> > --
> > Chris

Have implemented your suggested changes and added the post-install
actions.

For the Category, I am suggesting 'security' as that is where keepassxc
and password-store live. Is that OK?

I have chosen to put the firefox-host.json and chromium-host.json files
in ${LOCALBASE}/share/examples/browserpass-native/ rather than
cluttering up ../lib.

When they are copied to the user's browser native-messaging directories,
I found the {firefox,chromium}-hosts.json file needs to be
com.github.browserpass.native.json in both cases, probably because it is
some kind of standard.

I hope this port is a useful alternative to heavier stuff like
keepassxc/keepassxc-browser. The pass ecosystem seems quite active, and
this messaging application has pledge support.

Port files attached for your comments.

--
Chris Billington
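
The path rewrite and the renaming discussed in this message, as an added shell example that is not part of the port or of upstream: browsers look up a native-messaging manifest by the host name the extension requests, so the installed file is named after the manifest's own "name" field. The function names, the constructed sample manifest and its placeholder extension id are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the port; function names are hypothetical.
# install_host_manifest SRC DESTDIR BINARY
# Writes DESTDIR/<name>.json, <name> being the manifest's own "name" field,
# with "path" set to BINARY, and prints the installed file name.
install_host_manifest() {
	src=$1 destdir=$2 binary=$3

	# The browser executes "path" directly: require an absolute path and keep
	# sed metacharacters (| & \) out of the replacement text.
	case $binary in
	/*) ;;
	*) echo "not an absolute path: $binary" >&2; return 1 ;;
	esac
	case $binary in
	*[!A-Za-z0-9._/-]*) echo "unexpected character in: $binary" >&2; return 1 ;;
	esac

	# Read the host name from the manifest rather than hard-coding it.
	name=$(sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$src" | head -n 1)
	case $name in
	''|*[!A-Za-z0-9._]*) echo "unusable name in $src: '$name'" >&2; return 1 ;;
	esac

	mkdir -p "$destdir" || return 1
	dest=$destdir/$name.json
	# Same substitution as the post-install suggestion in the thread.
	sed 's|"path": ".*"|"path": "'"$binary"'"|' < "$src" > "$dest" || return 1
	chmod 0644 "$dest"

	# Fail if the manifest had no "path" line for sed to rewrite.
	grep -qF "\"path\": \"$binary\"" "$dest" || { rm -f "$dest"; return 1; }
	echo "$dest"
}

# Constructed sample manifest (placeholder values, not upstream's file).
write_sample_manifest() {
	cat > "$1" <<'EOF'
{
    "name": "com.github.browserpass.native",
    "path": "%%replace%%",
    "type": "stdio",
    "allowed_extensions": ["placeholder@example.invalid"]
}
EOF
}
```

Call it as `install_host_manifest firefox-host.json "$dir" "$prefix/bin/browserpass-native"`, where `$dir` is the browser's native-messaging directory and `$prefix` the package prefix.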