From: Chris Billington
Subject: Re: [WIP]/help wanted: browserpass-native messaging host for pass/password-store
To: Stuart Henderson
Cc: ports@openbsd.org
Date: Wed, 9 Jul 2025 13:27:16 +0800

Chris Billington wrote:

> On Mon, 7 Jul 2025 16:32:16 +0100
> Stuart Henderson wrote:
>
>> On 2025/07/07 23:16, emulti@disroot.org wrote:
>>>
>>> On 2025/07/07 15:30, emulti@disroot.org wrote:
>>>>>
>>>>> A browser plugin 'browserpass' exists for Firefox/Chromium that
>>>>> interfaces with the 'pass' password manager (password-store
>>>>> package). In my testing it is light and fast, an improvement on
>>>>> the likes of keepassxc-browser.
>>>>>
>>>>> It requires a 'native messaging' binary written in Go, that
>>>>> supports pledge() on OpenBSD.
>>>>>
>>>>> Upstream: https://github.com/browserpass/browserpass-native/
>>>>>
>>>>> Installing manually was a bit of a pain, requiring patches to the
>>>>> provided Makefile to get around incompatibilities between sed
>>>>> and GNU sed, install and GNU install.
>>>>>
>>>>> I tried to use the MODULES= lang/go infrastructure in
>>>>> lang/go/go.port.mk, but no distribution file can be found:
>>>>>
>>>>> ===>> Checking files for browserpass-native-3.1.0
>>>>>>> Fetch
>>>>>>> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
>>>>> ftp: Error retrieving
>>>>> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
>>>>> 404 Not Found ...
>>>>>
>>>>> I expected go to then head off and retrieve the distfile from
>>>>> github, as but it just cycles through the standard
>>>>> ftp.openbsd.org etcetera. So I fell back to using GH_ACCOUNT and
>>>>> friends.
>>>>>
>>>>> I then tried building the port using this Makefile:
>>>>>
>>>>> COMMENT= Native Messaging host for the Browserpass browser plugin
>>>>> ONLY_FOR_ARCHS = amd64
>>>>>
>>>>> DISTNAME= browserpass-native-3.1.0
>>>>> CATEGORIES= security
>>>>> EXTRACT_SUFX= .zip
>>>>> HOMEPAGE= https://github.com/browserpass/browserpass-native
>>>>> MAINTAINER= Chris Billington >
>>>>>
>>>>> # ISC License
>>>>> PERMIT_PACKAGE= Yes
>>>>>
>>>>> # uses pledge()
>>>>> WANTLIB += c pthread
>>>>>
>>>>> GH_ACCOUNT = browserpass
>>>>> GH_PROJECT = browserpass-native
>>>>> GH_TAGNAME = 3.1.0
>>>>>
>>>>> #MODULES= lang/go
>>>>> #MODGO_MODNAME = github.com/browserpass/browserpass-native
>>>>> #MODGO_VERSION = v3.1.0
>>>>>
>>>>> RUN_DEPENDS=
>>>>>
>>>>> USE_GMAKE= Yes
>>>>>
>>>>> #WRKDIST= ${WRKDIR}/github.com/browserpass/browserpass-native@${MODGO_VERSION}
>>>>>
>>>>> .include >
>>>>>
>>>>> Tarball of the WIP port is also attached.
>>>>>
>>>>> 'make build' gives the following (ports tree is owned by
>>>>> myuser/wsrc):
>>>>>
>>>>> $ make build
>>>>> ===> Generating configure for browserpass-native-3.1.0
>>>>> ===> Configuring for browserpass-native-3.1.0
>>>>> ===> Building for browserpass-native-3.1.0
>>>>> env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
>>>>> failed to initialize build cache
>>>>> at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
>>>>> mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
>>>>> gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 ***
>>>>> Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
>>>>> '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
>>>>> @cd /usr/ports/pobj/...) *** Error 2
>>>>> in /usr/ports/security/browserpass-native
>>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
>>>>> @lock=browserpass-native-3.1.0...)
>>>>>
>>>>> Running 'doas make build' works, but the cache is put in
>>>>> /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
>>>>> right.
>>>
>>>> The distfile doesn't contain the other go modules used by
>>>> browserpass-native - "go build" as run by the upstream makefile
>>>> tries to download them, they need to be listed in the port
>>>> makefile so this can be handled by ports instead. (Ports aren't
>>>> allowed to download during build anyway - recommended that you
>>>> build ports as the _pbuild user which is done automatically if
>>>> you set PORTS_PRIVSEP=Yes in mk.conf and that user is blocked
>>>> from network access by the default pf.conf).
>>>>
>>>> As you saw, the normal ports infrastructure for handling go ports
>>>> doesn't work for browserpass-native with the v3 tagged version. I
>>>> think this is because something upstream isn't quite how go wants
>>>> it to be setup -
>>>> https://pkg.go.dev/github.com/browserpass/browserpass-native
>>>> doesn't show it either.
>>>
>>>> You can generate a first cut at a port for the (much newer)
>>>> non-tagged version that does show up there quite easily -
>>>> "portgen go github.com/browserpass/browserpass-native". Though
>>>> that's not very helpful if you want the tagged version..
>>>>
>>>> (If things were setup how go wants them, I'd expect "portgen go
>>>> github.com/browserpass/browserpass-native/v3" to generate a port
>>>> for the tagged version, but that just fails at the moment).
>>>
>>> Thanks Stuart. After setting up PRIVSEP I tried out portgen- very
>>> neat indeed!
>>>
>>> I made the attached port with portgen from the non-tagged version on
>>> pkg.go.dev. It builds and installs fine, but the 'browser-files'
>>> firefox-host.json/chromium-host.json files that are supposed to be
>>> installed to /usr/local/lib don't seem to be installed. They
>>> exist in the distfile but not the package as built. Picking them out
>>> manually and copying them to the appropriate browser location, the
>>> package works fine. Is it necessary to add some kind of post-install
>>> step to extract them from the port Makefile, or somehow tag them for
>>> packaging?
>>
>> yes, post-install then regen plist. I don't think it is worth trying
>> to use upstream's Makefile. to insert the binary path into the json
>> files you could do something like
>>
>> .for i in chromium-host.json firefox-host.json
>> 	sed 's|"path": ".*"|"path": "${TRUEPREFIX}/bin/browserpass-native"|' \
>> 		< ${WRKSRC}/browser-files/$i > ${PREFIX}/wherever/$i
>> .endfor
>>
>>> tar.gz of the port files (still from mystuff/go) is attached.
>>
>> : COMMENT = Native Messaging host for the Browserpass browser plugin
>>
>> please lower-case most of that; this would be alright:
>>
>> COMMENT = native messaging host for the Browserpass browser plugin
>>
>> : MODGO_VERSION = v0.0.0-20250425203345-8419b15841c9
>> : DISTNAME = browserpass-native-${MODGO_VERSION}
>> : PKGNAME = browserpass-native-20250425203345
>>
>> I suggest this so we don't need to use EPOCH if there's a later tagged
>> version that works properly with infrastructure
>>
>> PKGNAME = browserpass-native-0.20250425203345
>>
>> (or just browserpass-native-0.20250425 would be fine too I think)
>>
>> : CATEGORIES = go
>>
>> that's just a placeholder, please replace with the actual category
>> that you want
>>
>> : Read ${LOCALBASE}/share/doc/pkg-readmes/browserpass-native for
>> : instructions on how to enable specific browsers to use the
>> : application, and add unveil() configuration to allow access to it.
>>
>> DESCR wouldn't normally refer to the pkg-readme (pkg_add already tells
>> the user to read it).
>>
>>> --
>>> Chris
>>
>>
>
> Have implemented your suggested changes and added the post-install
> actions.
>
> For the Category, I am suggesting 'security' as that is where keepassxc
> and password-store live. Is that OK?
>
> I have chosen to put the firefox-host.json and chromium-host.json files
> in ${LOCALBASE}/share/examples/browserpass-native/ rather than
> cluttering up ../lib
>
> When they are copied to the user's browser native-messaging directories,
> I found the {firefox,chromium}-hosts.json file needs to be
> com.github.browserpass.native.json in both cases, probably because
> it is some kind of standard.
>
> I hope this port is a useful alternative to heavier stuff like
> keepassxc/keepassxc-browser. The pass ecosystem seems quite active, and
> this messaging application has pledge support.
>
> Port files attached for your comments.
>

I attach a slightly updated version of the proposed port, with
information added to the README about unlocking the password store
directly from the browser extension.

--
Chris
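
The manifest handling discussed in this thread, as an added example that is not part of the original messages or the port: it applies the same `sed` path substitution, then derives the installed file name from the manifest's `name` field, since Firefox and Chromium look a native messaging host up as `<name>.json` and expect an absolute `path` on Unix-like systems. The sample manifest, its `%%replace%%` placeholder, the extension id and all function names are constructed for illustration.

```shell
# Added example: render a native-messaging host manifest and work out the
# file name the browser expects for it. Not taken from the port itself.

# Constructed stand-in for browser-files/firefox-host.json; the extension
# id below is a placeholder, not the real Browserpass id.
sample_manifest() {
cat <<'EOF'
{
    "name": "com.github.browserpass.native",
    "description": "Browserpass native component",
    "path": "%%replace%%",
    "type": "stdio",
    "allowed_extensions": ["placeholder@example.invalid"]
}
EOF
}

# Same substitution as the sed quoted in the thread; $1 is the install prefix.
render_manifest() {
    sed 's|"path": ".*"|"path": "'"$1"'/bin/browserpass-native"|'
}

# Print the value of the top-level string key $1 from a manifest on stdin.
manifest_field() {
    sed -n 's|^[[:space:]]*"'"$1"'":[[:space:]]*"\([^"]*\)".*|\1|p' | head -n 1
}

# Reject a manifest whose host path is not absolute (an unrendered template,
# for instance), otherwise print the file name to install it under.
manifest_target_name() {
    manifest=$(cat)
    path=$(printf '%s\n' "$manifest" | manifest_field path)
    name=$(printf '%s\n' "$manifest" | manifest_field name)
    case $path in
        /*) ;;
        *) echo "path is not absolute: $path" >&2; return 1 ;;
    esac
    [ -n "$name" ] || { echo "manifest has no name field" >&2; return 1; }
    printf '%s.json\n' "$name"
}

sample_manifest | render_manifest /usr/local | manifest_target_name
```

The `path` value is the program the browser will start for the extension, so it is worth checking that it points at the packaged binary before copying a manifest into a profile.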