Sn0wCrack
June 12, 2024
Question

Flatpak Browser and Native Desktop App


Thought I would share this as I've managed to get the native desktop app working with my flatpak installation of Firefox.

I'm on Arch and using the version of 1Password from the AUR and the standard flatpak version of Firefox from flathub.

  • Add permissions to Firefox Flatpak via Flatseal:
    • Session Bus Talks: org.freedesktop.Flatpak
  • As root, create /etc/1password folder if it does not exist
  • As root, create /etc/1password/custom_allowed_browsers file if it does not exist
  • As root, edit /etc/1password/custom_allowed_browsers file and set content to: flatpak-session-helper
  • As user, create ~/.var/app/org.mozilla.firefox/data/bin folder if it does not exist
  • As user, create ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh file if it does not exist
  • As user, edit ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh and set content to:

```
#!/bin/bash

flatpak-spawn --host /opt/1Password/1Password-BrowserSupport "$@"
```

  • As user, mark ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh as executable via `chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh`
  • As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts folder if it does not exist
  • As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json file if it does not exist
  • As user, edit ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json and set content to:

```
{
  "name": "com.1password.1password",
  "description": "1Password BrowserSupport",
  "path": "/home/{USERNAME}/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh",
  "type": "stdio",
  "allowed_extensions": [
    "{0a75d802-9aed-41e7-8daa-24c067386e82}",
    "{25fc87fa-4d31-4fee-b5c1-c32a7844c063}",
    "{d634138d-c276-4fc8-924b-40a0ea21d284}"
  ]
}
```

    Where {USERNAME} is the name of your user, essentially the full path to the file we created before.
  • Restart Firefox and 1Password

The above can be broken down into (mostly) the following commands:
```
sudo mkdir -p /etc/1password

sudo vim /etc/1password/custom_allowed_browsers

mkdir -p ~/.var/app/org.mozilla.firefox/data/bin

vim ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh

chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh

mkdir -p ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts

vim ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json
```

I had also added xdg-run/1Password-BrowserSupport.sock, however it doesn't appear this socket file is actually needed for the extension to work from what I can tell so far.

This does somewhat break the isolation of Flatpak as it can now execute anything on the host via flatpak-spawn --host and there's no real easy way to whitelist specific host binaries that can run via Flatpak, kind of all or nothing annoyingly.

I also want to see if something similar is possible for getting the Flatpak 1Password app communicating with a Flatpak browser, as KeePassXC has a kind of workaround for this that is similar.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
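
One way to check the finished setup, given that the wrapper reaches the host through `flatpak-spawn --host`: the following is an added example, not part of the original post and not 1Password's code. It audits the manifest and wrapper against the values given in the post; the function name `audit` and the choice of checks are assumptions.

```python
import json
import os
import stat
import sys

# Extension IDs copied from the manifest in the post above.
EXPECTED_EXTENSIONS = {
    "{0a75d802-9aed-41e7-8daa-24c067386e82}",
    "{25fc87fa-4d31-4fee-b5c1-c32a7844c063}",
    "{d634138d-c276-4fc8-924b-40a0ea21d284}",
}
# The only host command the wrapper from the post is meant to run.
EXPECTED_COMMAND = 'flatpak-spawn --host /opt/1Password/1Password-BrowserSupport "$@"'


def audit(manifest_path):
    """Return a list of findings; an empty list means the setup matches the post."""
    findings = []
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    if manifest.get("name") != "com.1password.1password":
        findings.append("unexpected native messaging host name")
    if manifest.get("type") != "stdio":
        findings.append("type is not stdio")
    extra = set(manifest.get("allowed_extensions", [])) - EXPECTED_EXTENSIONS
    if extra:
        findings.append(f"unexpected extension IDs: {sorted(extra)}")
    wrapper = manifest.get("path", "")
    if not os.path.isabs(wrapper) or not os.path.isfile(wrapper):
        findings.append("path is not an absolute path to an existing file")
        return findings
    if not os.access(wrapper, os.X_OK):
        findings.append("wrapper is not executable")
    for p in (manifest_path, wrapper):
        if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p} is writable by group/other")
    # Skip the shebang, comments and blank lines; one known command must remain.
    with open(wrapper, encoding="utf-8") as fh:
        body = [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
    if body != [EXPECTED_COMMAND]:
        findings.append("wrapper runs something other than 1Password-BrowserSupport")
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    for finding in audit(sys.argv[1]):
        print(finding)
```

Run it with the path to com.1password.1password.json as the only argument; no output means no findings.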

3 replies

Sn0wCrack (Author)
June 13, 2024

I've attempted with the Flatpak version of 1Password and unfortunately seems like a no-go due to 1Password's security.

The furthest I got was adapting the KeePassXC script:

```
#!/bin/bash

# Adapted from: https://github.com/keepassxreboot/keepassxc-browser/issues/1631#issuecomment-1153736766

APP_REF="com.onepassword.OnePassword/x86_64/stable"

# Find the Flatpak installation (per-user or system-wide) that holds the app
for inst in "${HOME}/.local/share/flatpak" "/var/lib/flatpak"; do
    if [ -d "${inst}/app/${APP_REF}" ]; then
        FLATPAK_INST="${inst}"
        break
    fi
done
[ -z "${FLATPAK_INST}" ] && exit 1

APP_PATH="${FLATPAK_INST}/app/${APP_REF}/active"

# Read the runtime the app was built against from its metadata file
RUNTIME_REF=$(awk -F'=' '$1=="runtime" { print $2 }' < "${APP_PATH}/metadata")
RUNTIME_PATH="${FLATPAK_INST}/runtime/${RUNTIME_REF}/active"

# Launch BrowserSupport in a sandbox that uses the 1Password app and runtime files
exec flatpak-spawn \
    --env=LD_LIBRARY_PATH="/app/lib:${APP_PATH}" \
    --app-path="${APP_PATH}/files" \
    --usr-path="${RUNTIME_PATH}/files" \
    -- /app/1Password/1Password-BrowserSupport "$@"
```

This will execute the Browser Support application, but it bails out due to not running under the correct libc; I imagine it detects the fact the load path has changed and nopes out.

Error for reference is:

process detected it was running without libc's security, aborting

September 20, 2024

Hey! I've made the whole process a bit more scriptable: https://gist.github.com/FlyinPancake/f4ff2318de48ae8dae6226384af953f5

March 21, 2025

I wrote a shell script to automatically add support for any Flatpak browser, based on either Chromium or Firefox. https://gist.github.com/LinuxSBC/7c39374130d2d443871ddde64cba18a3

Comment on the Gist if you have a browser that is still not integrating and I'll work on adding support for it.

Tom
March 21, 2025

Maybe @flyinpancake and @LinuxSBC should get together with @Sn0wCrack and just create a repository instead of endless gists? Just so as a community you can work together and provide this community with a single (and up to date) link (and you never know, maybe someone from the 1P team joins as well?)

Given the recent talk here on hijacking browser extensions that would make sure your script is also viable for validation of the extensions (good on you to have them properly whitelisted, but how would someone go about validating them)?

Keep up the good work, kudos for contributing!

Sn0wCrack (Author)
March 21, 2025

This is probably the best I've seen; the script is fully automated and works on both Firefox and Chrome browsers under Flatpak.

The extension whitelist is a requirement essentially of a custom native messaging file, and there's not really a need to modify that list unless 1Password publishes a new extension.

Hopefully this shouldn't be needed in the near future anyways as a major focus of the next xdg-desktop-portal release does appear to be native messaging and there's a lot of movement around a new PR for its implementation.