Flatpak package [Planned]

WhyNotHugo
Community Member

Hi! Flatpak is a package management system for Linux that's supported across a variety of distributions.

It provides some pretty good isolation for desktop apps, which I personally appreciate due to the added security (it's not absolute isolation, but at least processes can't freely read one's home filesystem without approval, among other enhancements).

I've been thinking about creating a package with 1Password, would you guys be okay with that being submitted to Flathub?

Basically the descriptor for the package has this format, and merely fetches the source from your site:

app-id: org.onepassword.onepassword
runtime: org.freedesktop.Platform
runtime-version: '20.08'
sdk: org.freedesktop.Sdk
command: /app/squashfs-root/1password
modules:
  - name: 1password
    buildsystem: simple
    build-commands:
      - chmod +x 1password-0.9.5-2.AppImage
      - ./1password-0.9.5-2.AppImage --appimage-extract
      - cp -r squashfs-root/ /app
      # - install -D 1password-0.9.5-2.AppImage /app/bin/1password
    sources:
      - type: file
        url: https://downloads.1password.com/linux/appimage/1password-0.9.5-2.AppImage
        sha512: 6bfc61c9da5cca90279664ab7aab0cb30569720fb9bd168accc65068b570e11ba5c59942d19d88baa7c42dd4d647686b9480bd1d957df956dff2562b9846a5b0
finish-args:
  - --socket=x11
  - --share=network

Note: this is just an example and doesn't yet work.
It's just to kind of reflect how the package is generated. Also, this still fails due to some SUID error with a bundled helper.


1Password Version: 0.9.5-2.AppImage
Extension Version: n/a
OS Version: ArchLinux
Sync Type: n/a
Referrer: forum-search:flatpak

Comments

  • MikeT
    edited November 2020

    Hi @WhyNotHugo,

    Thanks for taking the time to write in and for helping us with Flatpak, it is appreciated!

    We do have plans to support Flatpak and Flathub, we've mentioned this a while ago in a thread here.

    We just need time to set it all up to automate this in-house. We've just finished adding AUR support recently after adding Snap and we're working to add more including Flatpak.

    According to Flathub here, they'd prefer that we do this as transferring ownership can be a bit problematic. So, let me nudge our team and see if we can do something sooner rather than later.

    ref: dev/core/core#2453

  • WhyNotHugo
    Community Member

    Thanks for your reply!

    Seems like I missed the above link, thanks for pointing it out.

    I take it you'd rather submit this yourselves rather than go through the transfer process then. If I manage to get a working flatpak descriptor then, I'll just go ahead and post it here so you guys can handle it as you prefer.

    Thanks, cheers!

  • Thanks a ton for that @WhyNotHugo -- you can certainly post the flatpak descriptor here and we can grab the reins and take it from there. 😊

  • WhyNotHugo
    Community Member

    Kinda forgot about this. I've a working package -- mostly the metadata is missing, which I'm sure you'd prefer to fill in yourselves anyway:

    com.1password.1Password.yml:

    app-id: org.onepassword.onepassword
    base: org.electronjs.Electron2.BaseApp
    base-version: '20.08'
    runtime: org.freedesktop.Platform
    runtime-version: '20.08'
    sdk: org.freedesktop.Sdk
    command: 1password
    rename-desktop-file: 1password.desktop
    rename-icon: 1password
    finish-args:
      # 1Password is X11-only, so we can skip the Wayland socket for now. 🤞
      - --socket=x11
      - --share=network
      # I think it shows notifications sometimes? If not, remove this:
      - --talk-name=org.freedesktop.Notifications
      # Required to avoid asking for a 2FA token on every run:
      - --talk-name=org.freedesktop.secrets
      - --filesystem=xdg-run/1Password-BrowserSupport.sock
      # TODO: There's a dbus-socket for desktops with a tray icon thingy.
      #       That should be exposed too.
    modules:
      - name: 1password
        buildsystem: simple
        build-commands:
          - ar x 1password-*.deb
          - rm -f 1password-*.deb
          - tar xf data.tar.xz
          - rm -f control.tar.gz data.tar.xz debian-binary
          - cp -r usr/* opt/* /app
          - cp -r usr/* opt/* /
          - chmod -R a-s,go+rX,go-w /app/1Password
          # Original path here points to /opt/1Password:
          - sed -i 's|Exec=.*|Exec=1password %U|' /app/share/applications/1password.desktop
          - install -Dm755 1password.sh /app/bin/1password
          - install -Dm644 org.onepassword.onepassword.appdata.xml /app/share/appdata/org.onepassword.onepassword.appdata.xml
        sources:
          - type: file
            only-arches:
              - x86_64
            url: https://downloads.1password.com/linux/debian/pool/main/1/1password/1password-0.9.12-2.deb
            sha256: e27b0055eb9a55af081160fb7a270db1ba806483328a8161d68a0dc2d913ff84
          - type: script
            dest-filename: 1password.sh
            commands:
              # Share a TMPDIR, so that multiple instance can figure out there's
              # already one running.
              - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
              # This script is required to work around a lack of SUID sandbox helper:
              - exec zypak-wrapper /app/1Password/1password "$@"
          - type: file
            path: org.onepassword.onepassword.appdata.xml
    

    org.onepassword.onepassword.appdata.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <component type="desktop">
      <id>org.onepassword.onepassword</id>
      <name>1Password for Linux</name>
      <project_license>XXX</project_license>
      <developer_name>XXXX</developer_name>
      <summary>XXXXX</summary>
      <metadata_license>CC0-1.0</metadata_license>
      <url type="homepage">https://1password.com/</url>
      <url type="bugtracker">https://github.com/flathub/org.onepassword.onepassword/issues</url>
      <description>
        <p>
          XXXXX
        </p>
      </description>
      <screenshots>
        <image type="source">https://us.v-cdn.net/5020219/uploads/editor/1g/883ixuqsk6tc.png</image>
        <image type="source">https://us.v-cdn.net/5020219/uploads/editor/ae/cmnoxgrdxdp8.png</image>
        <image type="source">https://us.v-cdn.net/5020219/uploads/editor/zc/196a8xd2cohr.png</image>
      </screenshots>
      <releases>
        <release version="0.9.12" date="2021-02-09"/>
      </releases>
      <content_rating type="oars-1.1">
        <content_attribute id="violence-cartoon">none</content_attribute>
        <content_attribute id="violence-fantasy">none</content_attribute>
        <content_attribute id="violence-realistic">none</content_attribute>
        <content_attribute id="violence-bloodshed">none</content_attribute>
        <content_attribute id="violence-sexual">none</content_attribute>
        <content_attribute id="violence-desecration">none</content_attribute>
        <content_attribute id="violence-slavery">none</content_attribute>
        <content_attribute id="violence-worship">none</content_attribute>
        <content_attribute id="drugs-alcohol">none</content_attribute>
        <content_attribute id="drugs-narcotics">none</content_attribute>
        <content_attribute id="drugs-tobacco">none</content_attribute>
        <content_attribute id="sex-nudity">none</content_attribute>
        <content_attribute id="sex-themes">none</content_attribute>
        <content_attribute id="sex-homosexuality">none</content_attribute>
        <content_attribute id="sex-prostitution">none</content_attribute>
        <content_attribute id="sex-adultery">none</content_attribute>
        <content_attribute id="sex-appearance">none</content_attribute>
        <content_attribute id="language-profanity">none</content_attribute>
        <content_attribute id="language-humor">none</content_attribute>
        <content_attribute id="language-discrimination">none</content_attribute>
        <content_attribute id="social-chat">intense</content_attribute>
        <content_attribute id="social-info">none</content_attribute>
        <content_attribute id="social-audio">intense</content_attribute>
        <content_attribute id="social-location">none</content_attribute>
        <content_attribute id="social-contacts">intense</content_attribute>
        <content_attribute id="money-purchasing">none</content_attribute>
        <content_attribute id="money-gambling">none</content_attribute>
      </content_rating>
      <update_contact>XXX@XXX.com</update_contact>
    </component>
    
    

    Caveats:

    • App descriptor parts can't start with numbers, hence the name onepassword.
    • I don't use any "application tray" service, so I haven't tested that. I know another D-Bus socket needs to be exposed, but I'm not keen to include extra tweaks I can't test on my setup.

    You can build+install this by running:

    flatpak-builder --user --install build-dir com.1password.1Password.yml --force-clean
    

    And run with:

    flatpak run org.onepassword.onepassword
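
As an added example (not part of the original posts, and not 1Password's or Flathub's tooling), this Python script reads the `finish-args` from the manifest above and lists each sandbox permission with a review note. The severity labels and notes are this example's own assumptions, and the parser is a line-based one rather than a full YAML parser.

```python
import re

# Constructed input: finish-args copied from the manifest in the post above.
MANIFEST = """\
app-id: org.onepassword.onepassword
finish-args:
  - --socket=x11
  - --share=network
  - --talk-name=org.freedesktop.Notifications
  - --talk-name=org.freedesktop.secrets
  - --filesystem=xdg-run/1Password-BrowserSupport.sock
modules:
  - name: 1password
"""

# (pattern, severity, note), first match wins; severities are this example's own.
RULES = [
    (r"--socket=(x11|fallback-x11)$", "high",
     "X11 clients can observe each other's input and window contents"),
    (r"--talk-name=org\.freedesktop\.secrets$", "high",
     "reaches the host Secret Service keyring"),
    (r"--filesystem=(host|home)(:|$)", "high", "broad host filesystem access"),
    (r"--filesystem=", "medium", "host path exposed inside the sandbox"),
    (r"--share=network$", "medium", "unrestricted network access"),
    (r"--(talk|own)-name=", "low", "session-bus name reachable"),
]

def finish_args(manifest_text):
    """Items under the top-level finish-args key (line-based, not full YAML)."""
    args, inside = [], False
    for line in manifest_text.splitlines():
        if re.match(r"\S", line):  # any top-level key opens or closes the block
            inside = line.startswith("finish-args:")
        elif inside and (item := re.match(r"\s+-\s+(\S+)", line)):
            args.append(item.group(1).strip("'\""))
    return args

def audit(manifest_text):
    findings = []
    for arg in finish_args(manifest_text):
        for pattern, severity, note in RULES:
            if re.match(pattern, arg):
                findings.append((severity, arg, note))
                break
    return findings

if __name__ == "__main__":
    for severity, arg, note in audit(MANIFEST):
        print(f"{severity:6} {arg:52} {note}")
```
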
    
  • WhyNotHugo
    Community Member

    In case you want to submit this to Flathub, here's the relevant docs: https://github.com/flathub/flathub/wiki/App-Submission

  • Thanks so much, @whynothugo! I'll bring this to the attention of the Development team. :chuffed::+1:

  • vincent_chernin
    Community Member

    Recently electron-builder got experimental support for flatpak. Flathub integration is not built in yet but perhaps soon. Using electron-builder instead of repackaging the .deb may now be a viable option for building the 1password flatpak.

    https://github.com/electron-userland/electron-builder/pull/5711

  • Oooh, very cool - thanks so much @vincent_chernin! :love: I'll pass this along to the Dev team to take a gander at. :smile:

  • WhyNotHugo
    Community Member

    Have you guys had any chance to look into this?

    The above manifest that I wrote works fine. I've been using it to build+install locally, just updating the version from time to time. Basically a proper description is missing, and that can be pushed to Flathub (or your own repository, if you prefer).

    If you'd like some help setting up some form of pipeline, I'm available for consulting on this kind of topic: hugo@barrera.io.

  • Hey there, @WhyNotHugo,

    After investigating what we would need to add to a Flatpak configuration, we found that some of our flagship features like system authentication and browser integration can't currently work inside a Flatpak sandbox due to some allowed syscall restrictions. We have opened a GitHub issue to ask their team about what it would take to support this. Since we don't want to ship an application to our users missing large features, we will be holding off on a Flatpak package until something is worked out here, sorry.

  • WhyNotHugo
    Community Member

    I understand the issues, but it seems a shame to take an "all or nothing" approach like this. 1P is something that's under continuous development, and nobody expects it to be absolutely perfect. An okay package is better than no perfect package.

    In the end, you just force the end users (like myself) to package it manually, and the features will be absent anyway -- but with a lot of extra burden on the users for installation.

    I'll say it also seems a bit silly to block this just due to the lack of access to the kernel keyring, when other very silly security issues exist. For example, even the latest version runs only via XWayland, which means any other XWayland application can snoop into what 1P is rendering and doing (these include things like Skype, Zoom, Steam games, etc). That's even if the snooping application is properly containerised/isolated.

    I've pointed this out before, but even the latest version still has this issue (the lack of native Wayland support is also evident if you use 1P on a host with a hidpi display -- where it will render very blurry).

    Do you have any objections submitting a community-maintained Flatpak package? Or should each user be forced to package 1P themselves?

  • James.Dressel_1P
    edited May 2021

    Thanks Hugo,

    Please don't submit a community-maintained package. Now that we're past the Linux release, most of the team will be taking off tomorrow. Next week we're going to do some brainstorming on how we could integrate a Flatpak release into our build and deploy system.

  • jmanes
    Community Member

    Thought I'd chime in here!

    I am a flatpak fan, and I have been waiting on a 1Password release on flathub. I'd enjoy getting something even if it is more limited than what you would get with a normal .rpm or .deb style install.

    That being said, I've been patient and will continue to be. I am happy that the folks at 1Password have given Linux any attention at all! Thanks for your hard work thus far. I'll be waiting on that sweet sweet flatpak release!

  • k4n30
    Community Member

    Going to raise my hand and agree as well.

    I'd like something (anything) that works, even if it's lacking in features. My "native" OS packaging install broke a long time ago (https://1password.community/discussion/118182/glibc-requirements-changed) and it increasingly looks like it won't be fixed and filed under the "It's not a supported OS" response at some stage (which let's be honest, it isn't). I would be fine if it never worked on my OS (but it did way back in the beta/pre release days), so it just rubs more salt into the wound, that it no longer works.

    I'm currently using the 1PasswordX extension in Firefox, but we all know it's inferior to the Linux application, and I'd prefer to keep my browser & password manager separate, so I don't care about autofill etc. they are just nice to haves (for most users). It's painful to have to open 1PasswordX to search for a password for MS teams (which is a flatpak) and copy and paste it out of my browser extension into the relevant app.

    Side note: MS Teams & OS choice (Amazon Linux) are mandated for work. At home I run 1Password for Linux running natively on a "current" OS (but would much prefer flatpak), so I could use it on more devices (Fedora silverblue for example).

  • WhyNotHugo
    Community Member

    Sure thing, I won't! Happy to hear it'll be under consideration.

  • Blake
    edited May 2021

    Thanks Hugo!

    We will circle back here once we have concrete plans for how we can get a FlatPak release pushed into the world -- for now, just hang tight! 😊

  • Hi, everyone. I wanted to come back to this thread one last time. We actually announced Flatpak support back in August!

    https://1password.community/discussion/123068/1password-8-beta-8-2-2-6

    We're keeping these up to date on both our beta channel and our stable channel:

    flatpak install https://downloads.1password.com/linux/flatpak/1Password-beta.flatpakref
    flatpak install https://downloads.1password.com/linux/flatpak/1Password.flatpakref
    

    Have fun!

This discussion has been closed.