From: Chris Billington
Subject: security/browserpass-native (was Re: [WIP]/help wanted: browserpass-native messaging host for pass/password-store)
To: Stuart Henderson
Cc: ports@openbsd.org
Date: Thu, 25 Sep 2025 10:50:03 +0800

On Mon, 7 Jul 2025 11:05:19 +0100 Stuart Henderson wrote:
> On 2025/07/07 15:30, emulti@disroot.org wrote:
> >
> > A browser plugin 'browserpass' exists for Firefox/Chromium that
> > interfaces with the 'pass' password manager (password-store
> > package). In my testing it is light and fast, and an improvement on
> > the likes of keepassxc-browser.
> >
> > It requires a 'native messaging' binary written in Go, that supports
> > pledge() on OpenBSD.
> >
> > Upstream: https://github.com/browserpass/browserpass-native/
> >
> > Installing manually was a bit of a pain, requiring patches to the
> > provided Makefile to get around incompatibilities between sed and
> > GNU sed, install and GNU install.
> >
> > I tried to use the MODULES= lang/go infrastructure in
> > lang/go/go.port.mk, but no distribution file can be found:
> >
> > ===> Checking files for browserpass-native-3.1.0
> > >> Fetch
> > >> https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip
> > ftp: Error retrieving
> > https://proxy.golang.org/github.com/browserpass/browserpass-native/@v/v3.1.0.zip:
> > 404 Not Found ...
> >
> > I expected go to then head off and retrieve the distfile from
> > github, as but it just cycles through the standard ftp.openbsd.org
> > etcetera. So I fell back to using GH_ACCOUNT and friends.
> >
> > I then tried building the port using this Makefile:
> >
> > COMMENT= Native Messaging host for the Browserpass browser
> > plugin ONLY_FOR_ARCHS = amd64
> >
> > DISTNAME= browserpass-native-3.1.0
> > CATEGORIES= security
> > EXTRACT_SUFX= .zip
> > HOMEPAGE= https://github.com/browserpass/browserpass-native
> > MAINTAINER= Chris Billington
> >
> > # ISC License
> > PERMIT_PACKAGE= Yes
> >
> > # uses pledge()
> > WANTLIB += c pthread
> >
> > GH_ACCOUNT = browserpass
> > GH_PROJECT = browserpass-native
> > GH_TAGNAME = 3.1.0
> >
> > #MODULES= lang/go
> > #MODGO_MODNAME = github.com/browserpass/browserpass-native
> > #MODGO_VERSION = v3.1.0
> >
> > RUN_DEPENDS=
> >
> > USE_GMAKE= Yes
> >
> > #WRKDIST= $
> > #{WRKDIR}/github.com/browserpass/browserpass-native@$
> > #{MODGO_VERSION}
> >
> > .include
> >
> > Tarball of the WIP port is also attached.
> >
> > 'make build' gives the following (ports tree is owned by
> > myuser/wsrc):
> >
> > $ make build
> > ===> Generating configure for browserpass-native-3.1.0
> > ===> Configuring for browserpass-native-3.1.0
> > ===> Building for browserpass-native-3.1.0
> > env GOOS=openbsd GOARCH=amd64 go build -o browserpass-openbsd64
> > failed to initialize build cache
> > at /browserpass-native-3.1.0_writes_to_HOME/.cache/go-build:
> > mkdir /browserpass-native-3.1.0_writes_to_HOME: permission denied
> > gmake: *** [Makefile:48: browserpass-openbsd64] Error 1 *** Error 2
> > in . (/usr/ports/infrastructure/mk/bsd.port.mk:3069
> > '/usr/ports/pobj/browserpass-native-3.1.0/.build_done':
> > @cd /usr/ports/pobj/...) *** Error 2
> > in /usr/ports/security/browserpass-native
> > (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'build':
> > @lock=browserpass-native-3.1.0...)
> >
> > Running 'doas make build' works, but the cache is put in
> > /browserpass-native-3.1.0_writes_to_HOME/ which I'm sure can't be
> > right.
> >
>
> The distfile doesn't contain the other go modules used by
> browserpass-native - "go build" as run by the upstream makefile tries
> to download them, they need to be listed in the port makefile so this
> can be handled by ports instead. (Ports aren't allowed to download
> during build anyway - recommended that you build ports as the _pbuild
> user which is done automatically if you set PORTS_PRIVSEP=Yes in
> mk.conf and that user is blocked from network access by the default
> pf.conf).
>
> As you saw, the normal ports infrastructure for handling go ports
> doesn't work for browserpass-native with the v3 tagged version. I
> think this is because something upstream isn't quite how go wants it
> to be setup -
> https://pkg.go.dev/github.com/browserpass/browserpass-native doesn't
> show it either.
>
> You can generate a first cut at a port for the (much newer)
> non-tagged version that does show up there quite easily - "portgen go
> github.com/browserpass/browserpass-native". Though that's not very
> helpful if you want the tagged version..
>
> (If things were setup how go wants them, I'd expect "portgen go
> github.com/browserpass/browserpass-native/v3" to generate a port for
> the tagged version, but that just fails at the moment).
>

Hi Stuart,

I contacted the upstream developer and worked with him to get a stable
release cached on
https://pkg.go.dev/github.com/browserpass/browserpass-native/v3

He has made a new release v3.1.2 incorporating a few documentation
updates.

The prior issue I encountered seems to be that tags need a 'v' prefix,
and stable releases greater than v1 require a module name suffix /v in
go.mod.

A port based on the latest release (browserpass-native-3.1.2) is
attached for review.

I have been using browserpass-native with security/password-store and
the browserpass extension for about 3 months without issues. It is
lightweight with only a few dependencies.

Would you be willing to import it to the tree?
I'm happy to maintain it though without commit privilege.

--
Chris Billington
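
Added example, not part of the original message and not browserpass-native or ports code: a small Go check for the two rules described in the reply above (the release tag needs a 'v' prefix, and a major version above 1 needs a matching /vN suffix on the module path in go.mod). The go.mod text is constructed for illustration, CheckRelease is a hypothetical helper name, and gopkg.in-style paths are not handled.

```go
package main

import (
	"fmt"
	"regexp"
)

var (
	// Module directive of a go.mod file.
	modRe = regexp.MustCompile(`(?m)^module\s+"?([^\s"]+)`)
	// vMAJOR.MINOR.PATCH with an optional pre-release part.
	tagRe = regexp.MustCompile(`^v(0|[1-9][0-9]*)\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$`)
	// Trailing major-version element of a module path, e.g. "/v3".
	sufRe = regexp.MustCompile(`/v[0-9]+$`)
)

// CheckRelease lists the mismatches between a release tag and go.mod;
// an empty result means the two agree.
func CheckRelease(gomod, tag string) []string {
	mod := modRe.FindStringSubmatch(gomod)
	if mod == nil {
		return []string{"go.mod has no module directive"}
	}
	var problems []string
	m := tagRe.FindStringSubmatch(tag)
	if m == nil {
		problems = append(problems, fmt.Sprintf("tag %q is not of the form vX.Y.Z", tag))
		// Retry with the prefix added so the path check can still run.
		if m = tagRe.FindStringSubmatch("v" + tag); m == nil {
			return problems
		}
	}
	want := "" // major versions 0 and 1 take no path suffix
	if m[1] != "0" && m[1] != "1" {
		want = "/v" + m[1]
	}
	if got := sufRe.FindString(mod[1]); got != want {
		problems = append(problems, fmt.Sprintf("module path %q has suffix %q, major version %s needs %q", mod[1], got, m[1], want))
	}
	return problems
}

func main() {
	// Constructed go.mod text; the tag is the GH_TAGNAME value quoted in the thread.
	old := "module github.com/browserpass/browserpass-native\n\ngo 1.14\n"
	for _, p := range CheckRelease(old, "3.1.0") {
		fmt.Println(p)
	}
}
```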