From 55660f2aaca9333d7b2e19014032538bb00eea69 Mon Sep 17 00:00:00 2001
From: Peter Tillemans
Date: Sun, 12 May 2024 01:15:55 +0200
Subject: [PATCH] add post about keepassxc and flatpaks
---
.../blog/2024-05-12-keepassxc-and-flatpak.md | 158 ++++++++++++++++++
1 file changed, 158 insertions(+)
create mode 100644 content/blog/2024-05-12-keepassxc-and-flatpak.md
diff --git a/content/blog/2024-05-12-keepassxc-and-flatpak.md b/content/blog/2024-05-12-keepassxc-and-flatpak.md
new file mode 100644
index 0000000..c4318bc
--- /dev/null
+++ b/content/blog/2024-05-12-keepassxc-and-flatpak.md
@@ -0,0 +1,158 @@
++++
+title = "KeePassXC from flatpak"
+date = 2024-05-12
++++
+
+# Table of Contents
+
+1. [KeePassXC from flatpak](#orgd08a78a)
+2. [Allow access to the socket file](#orgfed6df2)
+3. [keepassxc-proxy](#org95da879)
+4. [Configure Chrome](#orgacf3b27)
+5. [Configure Brave](#org93487a3)
+6. [Configure Firefox](#org3956323)
+7. [references](#org2844960)
+
+
+
+
+
+# KeePassXC from flatpak
+
+More and more browsers are coming packaged in containers like flatpak or snaps. Especially the ones of the chromium variety.
+
+Since browsers are at the best of times scary things with arbitrary code being executed in every webpage runnning them in a sandbox makes a lot of sense.
+
+However the sandbox also impacts communication with helpers like the password manager KeepassXC.
+
+In order to keep things reproducible on many machines, if we're going to fight with flatpak we might as well run keepassxc as a flatpak.
+
+ $ flatpak install org.keepassxc.KeePassXC
+
+
+
+
+# Allow access to the socket file
+
+Allow read-only access to the keepassxc socket at
+$XDGRUNTIMEDIR/org.keepassxc.KeePassXC.BrowserServer:ro :
+
+ $ flatpak override --user \
+ --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro \
+ com.google.Chrome
+
+this needs to be done for each flatpak application needing access to keepassxc.
+
+
+
+
+# keepassxc-proxy
+
+There is a statically compiled rust based socket proxy.
+
+- [rust based keepassxc proxy](https://github.com/varjolintu/keepassxc-proxy-rust)
+
+ It can be compiled with MUSL for a fully static executable.
+
+ Place it together with the configuration file
+
+
+
+
+# Configure Chrome
+
+The Chrome flatpak can be configured in the folder
+\*~/.var/app/com.google.Chrome :
+
+ ❯ ls .var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts
+ keepassxc-proxy org.keepassxc.keepassxc_browser.json
+
+the native messaging config file needs to be configured for the local
+user:
+
+ {
+ "allowed_origins": [
+ "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
+ "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
+ ],
+ "description": "KeePassXC integration with native messaging support",
+ "name": "org.keepassxc.keepassxc_browser",
+ "path": "/home/pti/.var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts/keepassxc-proxy",
+ "type": "stdio"
+ }
+
+and do not forget to give access to the socket
+
+ $ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.google.Chrome
+
+Notes;
+
+- the **path** field needs to contain the full path including the username
+ AFAICT.
+- The extension id can be stolen from the URL box when going into the
+ settings pane of the extension. It has changed in the past.
+
+
+
+
+# Configure Brave
+
+we need again an **org.keepassxc.keepassxcbrowser.json** file in
+**~/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/**
+folder together with an executable version of the proxy compiled above.
+
+ {
+ "allowed_origins": [
+ "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
+ "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
+ ],
+ "description": "KeePassXC integration with native messaging support",
+ "name": "org.keepassxc.keepassxc_browser",
+ "path": "/home/pti/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/keepassxc-proxy",
+ "type": "stdio"
+ }
+
+You can copy it from the Google Chrome config but do not forget to
+update the path to the proxy.
+
+Now we still need to give access to brave to the keepassxc socket:
+
+ $ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.brave.Browser
+
+
+
+
+# Configure Firefox
+
+I have firefox running native on my laptop so these shenanigans are
+not needed. However the example I based most of was for firefox so I
+assume it works similar. Note that the native messaging file is
+different for firefox.
+
+ {
+ "allowed_extensions": [
+ "keepassxc-browser@keepassxc.org"
+ ],
+ "description": "KeePassXC integration with native messaging support, workaround for flatpaked Firefox, see https://is.gd/flatpakFirefoxKPXC",
+ "name": "org.keepassxc.keepassxc_browser",
+ "path": "/home/pti/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/keepassxc-proxy",
+ "type": "stdio"
+ }
+
+it uses **allowedextensions** iso **allowedorigin**
+
+And give access to the socker file to firefox
+
+ $ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro org.mozilla.firefox
+
+
+
+
+# references
+
+- [post on discourse flathub](https://discourse.flathub.org/t/how-to-run-firefox-and-keepassxc-in-a-flatpak-and-get-the-keepassxc-browser-add-on-to-work/437)
+- [rust based keepassxc proxy](https://github.com/varjolintu/keepassxc-proxy-rust)
+- [Google Chrome documentation for Native Messaging](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)
+- [Github Issue on keepassxc](https://github.com/keepassxreboot/keepassxc-browser/issues/1631)
+- [issue 1267 on keepassxc](https://github.com/keepassxreboot/keepassxc-browser/issues/1267)
+