add post about keepassxc and flatpaks

This commit is contained in:
Peter Tillemans 2024-05-12 01:15:55 +02:00
parent 29dab702ea
commit 55660f2aac

View file

@ -0,0 +1,158 @@
+++
title = "KeePassXC from flatpak"
date = 2024-05-12
+++
# Table of Contents
1. [KeePassXC from flatpak](#orgd08a78a)
2. [Allow access to the socket file](#orgfed6df2)
3. [keepassxc-proxy](#org95da879)
4. [Configure Chrome](#orgacf3b27)
5. [Configure Brave](#org93487a3)
6. [Configure Firefox](#org3956323)
7. [references](#org2844960)
<a id="orgd08a78a"></a>
# KeePassXC from flatpak
More and more browsers are coming packaged in containers like flatpak or snaps. Especially the ones of the chromium variety.
Since browsers are at the best of times scary things with arbitrary code being executed in every webpage runnning them in a sandbox makes a lot of sense.
However the sandbox also impacts communication with helpers like the password manager KeepassXC.
In order to keep things reproducible on many machines, if we're going to fight with flatpak we might as well run keepassxc as a flatpak.
$ flatpak install org.keepassxc.KeePassXC
<a id="orgfed6df2"></a>
# Allow access to the socket file
Allow read-only access to the keepassxc socket at
$XDG<sub>RUNTIME</sub><sub>DIR</sub>/org.keepassxc.KeePassXC.BrowserServer:ro :
$ flatpak override --user \
--filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro \
com.google.Chrome
this needs to be done for each flatpak application needing access to keepassxc.
<a id="org95da879"></a>
# keepassxc-proxy
There is a statically compiled rust based socket proxy.
- [rust based keepassxc proxy](https://github.com/varjolintu/keepassxc-proxy-rust)
It can be compiled with MUSL for a fully static executable.
Place it together with the configuration file
<a id="orgacf3b27"></a>
# Configure Chrome
The Chrome flatpak can be configured in the folder
\*~/.var/app/com.google.Chrome :
ls .var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts
keepassxc-proxy org.keepassxc.keepassxc_browser.json
the native messaging config file needs to be configured for the local
user:
{
"allowed_origins": [
"chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
"chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
],
"description": "KeePassXC integration with native messaging support",
"name": "org.keepassxc.keepassxc_browser",
"path": "/home/pti/.var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts/keepassxc-proxy",
"type": "stdio"
}
and do not forget to give access to the socket
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.google.Chrome
Notes;
- the **path** field needs to contain the full path including the username
AFAICT.
- The extension id can be stolen from the URL box when going into the
settings pane of the extension. It has changed in the past.
<a id="org93487a3"></a>
# Configure Brave
we need again an **org.keepassxc.keepassxc<sub>browser.json</sub>** file in
**~/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/**
folder together with an executable version of the proxy compiled above.
{
"allowed_origins": [
"chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
"chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
],
"description": "KeePassXC integration with native messaging support",
"name": "org.keepassxc.keepassxc_browser",
"path": "/home/pti/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/keepassxc-proxy",
"type": "stdio"
}
You can copy it from the Google Chrome config but do not forget to
update the path to the proxy.
Now we still need to give access to brave to the keepassxc socket:
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.brave.Browser
<a id="org3956323"></a>
# Configure Firefox
I have firefox running native on my laptop so these shenanigans are
not needed. However the example I based most of was for firefox so I
assume it works similar. Note that the native messaging file is
different for firefox.
{
"allowed_extensions": [
"keepassxc-browser@keepassxc.org"
],
"description": "KeePassXC integration with native messaging support, workaround for flatpaked Firefox, see https://is.gd/flatpakFirefoxKPXC",
"name": "org.keepassxc.keepassxc_browser",
"path": "/home/pti/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/keepassxc-proxy",
"type": "stdio"
}
it uses **allowed<sub>extensions</sub>** iso **allowed<sub>origin</sub>**
And give access to the socker file to firefox
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro org.mozilla.firefox
<a id="org2844960"></a>
# references
- [post on discourse flathub](https://discourse.flathub.org/t/how-to-run-firefox-and-keepassxc-in-a-flatpak-and-get-the-keepassxc-browser-add-on-to-work/437)
- [rust based keepassxc proxy](https://github.com/varjolintu/keepassxc-proxy-rust)
- [Google Chrome documentation for Native Messaging](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)
- [Github Issue on keepassxc](https://github.com/keepassxreboot/keepassxc-browser/issues/1631)
- [issue 1267 on keepassxc](https://github.com/keepassxreboot/keepassxc-browser/issues/1267)