Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Flatpak Browser and Native Desktop App
Thought I would share this as I've managed to get the native desktop app working with my flatpak installation of Firefox.
I'm on Arch and using the version of 1Password from the AUR and the standard flatpak version of Firefox from flathub.
- Add permissions to Firefox Flatpak via Flatseal:
- Session Bus Talks: org.freedesktop.Flatpak
- As root, create /etc/1password folder if it does not exist
- As root, create /etc/1password/custom_allowed_browsers file if it does not exist
- As root, edit /etc/1password/custom_allowed_browsers file and set content to:
flatpak-session-helper - As user, create ~/.var/app/org.mozilla.firefox/data/bin folder if it does not exist
- As user, create ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh file if it does not exist
- As user, edit ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh and set content to: ``` #!/bin/bash
flatpak-spawn --host /opt/1Password/1Password-BrowserSupport "$@"
- As user, mark ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh as executable via `chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh`
- As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts folder if it does not eixst
- As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json file if it does not exist
- As user, edit ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json and set content to:
{
"name": "com.1password.1password",
"description": "1Password BrowserSupport",
"path": "/home/{USERNAME}/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh",
"type": "stdio",
"allowed_extensions": [
"{0a75d802-9aed-41e7-8daa-24c067386e82}",
"{25fc87fa-4d31-4fee-b5c1-c32a7844c063}",
"{d634138d-c276-4fc8-924b-40a0ea21d284}"
]
}
```
Where {USERNAME} is the name of your user, essentially full path to the file we created before.
- Restart Firefox and 1Password
The above can be broken down into (mostly) the following commands:
```
sudo mkdir -p /etc/1password
sudo vim /etc/1password/custom_allowed_browsers
mkdir -p ~/.var/app/org.mozilla.firefox/data/bin
vim ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh
chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh
mkdir -p ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts
vim ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json
```
I had also added xdg-run/1Password-BrowserSupport.sock, however it doesn't appear this socket file is actually needed for the extension to work from what I can tell so far.
This does somewhat break the isolation of Flatpak as it can now execute anything on the host via flatpak-spwan --host and there's no real easy way to whitelist specific host binaries that can run via Flatpak, kind of all or nothing annoyingly.
I also want to see if sometihng similar is possible for getting the Flatpak 1Password app communicating with a Flatpak browser, as KeePassXC has a kind of workaround for this that is similar.
This does somewhat break the isolation of Flatpak as it can now execute anything on the host via flatpak-spwan --host and there's no real easy way to whitelist specific host binaries that can run via Flatpak, kind of all or nothing annoyingly.
I also want to see if sometihng similar is possible for getting the Flatpak 1Password app communicating with a Flatpak browser, as KeePassXC has a kind of workaround for this that is similar.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
8 Replies
I wrote a shell script to automatically add support for any Flatpak browser, based on either Chromium or Firefox. https://gist.github.com/LinuxSBC/7c39374130d2d443871ddde64cba18a3
Comment on the Gist if you have a browser that is still not integrating and I'll work on adding support for it.
Maybe flyinpancake and LinuxSBC should get together with Sn0wCrack and just create a repository instead of endless gists? Just so as a community you can work together and provide this community with a single (and up to date) link (and you never know, maybe someone from the 1P team joins as well?)
Given the recent talk here on hijacking browser extensions that would make sure your script is also viable for validation of the extensions (good on you to have them properly whitelisted, but how would someone go about validating them)?
Keep up the good work, kudos for contributing!
Hey! I've made the whole process a bit more scriptable: https://gist.github.com/FlyinPancake/f4ff2318de48ae8dae6226384af953f5
I've attempted with the Flatpak version of 1Password and unfortunately seems like a no-go due to 1Password's security.
The further I got was adaptting the KeePassXC script:
```
!/bin/bash
Adapted from: https://github.com/keepassxreboot/keepassxc-browser/issues/1631#issuecomment-1153736766
APP_REF="com.onepassword.OnePassword/x86_64/stable"
for inst in "${HOME}/.local/share/flatpak" "/var/lib/flatpak"; do
if [ -d "${inst}/app/${APP_REF}" ]; then
FLATPAK_INST="${inst}"
break
fi
done
[ -z "${FLATPAK_INST}" ] && exit 1APP_PATH="${FLATPAK_INST}/app/${APP_REF}/active"
RUNTIME_REF=$(awk -F'=' '$1=="runtime" { print $2 }' < "${APP_PATH}/metadata")
RUNTIME_PATH="${FLATPAK_INST}/runtime/${RUNTIME_REF}/active"exec flatpak-spawn \
--env=LD_LIBRARY_PATH="/app/lib:${APP_PATH}" \
--app-path="${APP_PATH}/files" \
--usr-path="${RUNTIME_PATH}/files" \
-- /app/1Password/1Password-BrowserSupport "$@"
```This will execute the Browser Support application, but it bails out due to not running under the correct libc, I imagine it detects the fact the load path has changed and nopes out.
Error for reference is:
process detected it was running without libc's security, aborting
