-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Chromium snap package #82
Comments
Thanks for the report! I've tried to google around, and found this (see post 5): https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1741074 It seems you were on the right track trying to use snap's For a start you can try to put the binary in the same place as the json file (and update full path to it), but would be nice to figure out what is the proper location for the binary that would satisfy snap. I wonder if browserpass has to be distributed as a snap package? If there is anyone interested to maintain it, speak up, I'll help you compose the pkg! |
cc @meskes, have you had some experience with snap packages already, or you focus on Debian and not so much on Ubuntu? |
Personally I have not much experience with snap packages, sorry. My system is Debian and I mostly only use that. |
I copied the binary to the snap config folder Another problem now seems to be to get the passwords from the store. My store looks empty for chromium. Setting the custom store location in the extension options does not help. Maybe there are some additional permission issues. Either it cannot access the store location or the binary or both. |
Nice! Judging by these posts, you should create an interface to give access to your home directory. I think this access should be given to chromium, since it's the one initiating the request to browserpass to read your file system. Untested guess, maybe this will work? And make sure the path to your password store starts with |
Well it did not solve the problem, but it seems to be a guess in the right direction. Store is still empty, but I think the access to the home folder is indeed needed. Does the extension need access to the Offtopic: The |
No, but it needs access to browserpass-native/request/fetch.go Lines 130 to 134 in 45d63b9
|
Yeah, I also think that if there would be an error in finding the gpg binary, I would see some error. Maybe chromium needs access to the interfaces gpg-keys or gpg-public-keys? Unfortunately the chromium snap packaged does not support these interfaces (yet?).
|
Not at the time of building the list of passwords, we don't invoke Can you please show me a screenshot, how your popup looks like? I am surprised that you see an empty popup with no errors, we designed the native host to choke on anything and be very verbose about any error it sees. If you see no error, that means browserpass has access to So I wonder if access policy of snap somehow allows the process to see the folder, but prevents it from seeing any files inside of it, without throwing any errors about this... 🤔 Could you please also confirm that you see a successful response with 0 files when debugging the background script of our extension in chromium? Go to |
I ran into this also. Fwiw i got my logins to show up by putting the binary and a separate clone of my password repo into |
That will be because there isn't a usable gpg setup inside the snap container, and it has no way of talking to your usual setup. |
Yeah makes sense, I was thinking: would it be possible to do the decryption directly in go instead of relying on an external binary? That would also be nice on windows since gpg4windows is kind of a pain. |
Technically possible, but would require re-implementing much of gpg, including smartcard support - which rather defeats the point, and duplicates a ton of effort (along with additional risk of bugs in important places). Makes far more sense to simply fix the issues with using gpg from a snap-packaged browser, so that the normal gpg workflow can be followed. Re-implementing gpg in go is outside the scope of this project, and is not something we are ever likely to do. |
I don't really know anything about go or gpg, but wouldn't this do the trick? https://godoc.org/golang.org/x/crypto/openpgp But it's a fair point, that you don't want add all that complexity. |
It would do part of the job, but only part, and seems to lack all the smartcard operations.
Indeed. Better IMO to simply get gpg working, rather than trying to cram all that additional complexity and functionality into the native binary. One of our biggest considerations when designing the v3 native component was to go with something that was as simple as possible, in order to avoid needing users to upgrade it - because user upgrades of the native component are the most frustrating part of installation. Almost all of the app logic lives in the browser extension; the native bit mostly just lists files and calls gpg to decrypt them. |
I think the way it was designed to work is that the native messaging host is supposed to do all the "out of browser" work and talk to the browser extension, so we should find a way for the extension to be allowed to "talk" to the native messaging host. When that is fixed, whatever the host does should be of no concern to chromium/snap, thus access to files in the home dir ( @maximbaz mentioned this bug report which I think needs to be fixed first.
Actually I think the binary should be outside, or it will be in the same sandbox as chromium, not allowing it access to the home dir, or to run
Snaps can talk to each other but I think that doesn't fix native messaging, instead an interface might work, but I don't understand snaps enough to be sure, but that would just fix this project, not keepassx and other similar affected projects. |
Has anybody found a workaround? Apart from finding a sketchy PPA that allows installing Chromium as a .deb? |
Currently looking for a solution, too. So, can anyone figure a fix to support native messaging for the chromium snap package? Or do we need to build chromium from source or, like raxod502 said, find someone else who did it for us? |
Chromium stopped working across the board for me, possibly related to that drama where Google revoked Chromium's API keys a few months back. I switched to standard Chrome and it works fine for me. Google has an official |
Just run into similar issue, not sure what's the latest progress here, but just want to share a workaround I use inspired by trezord, which also suffers snap issues but from a different reason(udev rules instead of gpg). It seems that even though chromium extensions inside snap cannot run gpg outside of the sandbox, it can indeed issue TCP connections to localhost (and possibly to other addresses as well). So I've quickly hacked together a golang relayer that does the following job:
The prototype code lives in this repository, you can build it using the following steps with golang, git installed on your machine:
Now you need to copy Modify Now in a terminal window, launch the
For persistent solution, one can introduce a systemd script to run the server part as a daemon. I personally use such a systemd script:
Note that I put the server binary at Browserpass extension now works in chromium in a snap sandbox. I've tested this on Ubuntu 22.04, some particular steps might vary in different environments. Notice I've just spent an hour or two on this particular prototype, chances are it is not as robust as expected. Some might also consider this as insecure since a TCP connection must be established. So if you really want to use, do be as cautious as you can. But it does provide a viable way for browserpass to work in chromium under snap sandbox. We can discuss if it makes sense to proceed in this path here. I do suggest looking into the possibility, if |
General information
Downloaded and installed the most recent release (3.0.6)
$ browserpass --version
):Browserpass host app version: 3.0.6
$ git describe --always
):If you are getting an error immediately after opening popup, have you followed the Configure browsers documentation section?
Yes, and it worked in previous Chromium versions.
Exact steps to reproduce the problem
I used the extension with browserpass-native just fine on the most recent Chromium installed through the debian universe repository.
I updated to Ubuntu 19.10, Canonical is pushing snap packages increasingly hard. They have good reason not to want to support all the Chromium versions for all the supported Ubuntu versions, Chromium just has a lot of updates. So in 19.10, the chromium-browser debian package is a wrapper that downloads the snap package instead. Canonical is phasing out the regular debian package for all recent versions of Ubuntu soon. So bottom line the real debian package is removed and a snap is installed.
Links for reference:
Now when I use browserpass I get
I reinstalled all the components: extension, browserpass-native and configured the extension again (linked the JSON files etc.).
The same error occurs.
I tried linking the file in the snap's
.config
dir, because it seems obvious that the user.config
doesn't work for a snap.. Even tried the global setting, none of that worked. I suspect the extension is limited too much by the sandbox of the snap. If I had time, I would investigate more and perhaps make a PR, but I don't. But I thought reporting the issue is the least I can do.I checked if I could find a trustworthy repository for debian packages but didn't find any, I can only manually install deb packages, don't really want to be responsible for never forgetting to update it though.
What should happen?
Please make the extension work with browserpass-native, or the other way around, from within a snap. It's only a matter of time before more people will upgrade and be stuck with a snap. I would really like this to be working again, I use it a lot, it saves me tons of time copying pasting from the terminal.
What happened instead?
Well, nothing yet.. ;)
The text was updated successfully, but these errors were encountered: