1Password with browser integration

I’m trying to install 1Password on Aurora and have it integrate with the Firefox extension. The .rpms were downloaded by adding 1Password’s own Fedora repo.

The desktop app works great via distrobox, but the browser extension does not. The integration fails with a “Connection problem ” message in the extension’s settings.

Screenshot_20251016_1101061442×640 123 KB

I tried replacing the distrobox installation with a raw rpm-ostree install, and the desktop app keeps working great but the browser integration still doesn’t.

What I have not yet tested is to install Firefox itself with rpm-ostree.

Searching for the issue I found a few posts; one was from 2023 about the helper binary having an invalid gid (which now resolves to the group onepassword), another was more recent but I don’t know enough about Universal Blue-specifics to know if it applies to my case.

Does anyone know how to get it running? 1Password itself seems to work, so for all I know this could just as well be Firefox having insufficient Flatpak privileges.

…is there a way to run a Flatpak and temporarily give it full permissions?

This script made it successfully connect, albeit with 1Password layered.

Screenshot_20251016_1215271443×641 118 KB

I think I’ll enjoy it for a bit before I start working on getting the distrobox installation back.

This is a bit of a sharp edge on Bazzite and Bluefin. While I successfully layered 1Password, I had a problem with the install at some point and needed to reinstall it. Well installing 1Password touches the PAM config. And I had changed my Linux password after I had installed 1Password. Layering undid these changes and left the PAM module in an invalid state. I wasn’t able to log in at all, and ended up having to reinstall. Not great while at work, during our busy period.

The story around this needs to be better. I mean I can just create my own derivative of Bluefin and Bazzite, but 1Password is such a common application mostly used by less technical users that in my opinion, there should be a better solution than this.

I thought of suggesting a ujust install-1Password command or something, but even that would likely cause my above problem?

There were some discussions about looking into systemd-sysext for some use cases. Not sure if that would be usable for 1Password. I have not heard anything about systemd-sysext here lately, so maybe it is no longer being considered for U-blue images. Anyone know about that?

We already have homebrew cask for 1password. Try if it works.

$ brew install --cask 1password-gui-linux
==> Downloading https://downloads.1password.com/linux/tar/stable/x86_64/1password-latest.tar.gz
################################################################################################################################################################################# 100.0%
Warning: No checksum defined for cask '1password-gui-linux', skipping verification.
==> Installing Cask 1password-gui-linux
==> Purging files for version 8.11.12 of Cask 1password-gui-linux
Error: No such file or directory @ rb_sysopen - /home/linuxbrew/.linuxbrew/Caskroom/1password-gui-linux/8.11.12/1password-8.11.12.x64/resources/1password.desktop

The latest version is 1password-8.11.14.x64.

I read up on how to make a quick cask, copied the one from the repo changed it to install 8.11.14.

This is from the browser integration log when the binary is overridden to be started via flatpak-spawn --host;

WARN  2025-10-17T07:43:44.390+00:00 main(ThreadId(1)) [1P:foundation/op-startup/src/linux.rs:20] Yama is absent or ptrace_scope is set to 0.
INFO  2025-10-17T07:43:44.392+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:269] Starting 1Password-BrowserSupport 8.11.14 production build no. 81114024.
ERROR 2025-10-17T07:43:44.392+00:00 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:99] process detected it was running without libc's security, aborting

I guess I don’t understand the problem. I use the 1password official flatpak and the official 1password plugin with Firefox without issue.

Yes, both work, but they do not work together. Does your browser plugin say “Integration Status: Connected ” in its settings?

The browser helper (normally /opt/1Password/1Password-BrowserSupport) is not included in the flatpak.

If you install 1Password with Flatpak, you’ll have access to all the features 1Password for Linux has to offer except:

* You won’t be able to unlock 1Password or 1Password CLI with system authentication.
* You won’t be able to use the SSH agent.
* You’ll need to lock and unlock 1Password in your browser separately from the app.

Unlocking with system authentication is a bigger thing than you’d expect when you have a fingerprint reader.

Did installing it via homebrew fix the integration for you?

No, I could not get it to work.

The Homebrew cask installs a script that works around the flatpak Firefox not being able to invoke the browser helper, by wrapping it with flatpak-spawn --host.

#!/bin/bash
if [ "${container-}" = flatpak ]; then
  flatpak-spawn --host /home/linuxbrew/.linuxbrew/bin/1Password-BrowserSupport "$@"
else
  exec /home/linuxbrew/.linuxbrew/bin/1Password-BrowserSupport "$@"
fi

I don’t know enough to say why, but when the browser plugin tries to call that script, it logs an error and aborts.

WARN  2025-10-19T20:07:10.723+00:00 main(ThreadId(1)) [1P:foundation/op-startup/src/linux.rs:20] Yama is absent or ptrace_scope is set to 0.
INFO  2025-10-19T20:07:10.725+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:269] Starting 1Password-BrowserSupport 8.11.14 production build no. 81114024.
ERROR 2025-10-19T20:07:10.725+00:00 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:99] process detected it was running without libc's security, aborting

The logs are at ~/.config/1Password/logs/BrowserSupport for those interested. I don’t know enough to understand what it means by “running without libc’s security”.

If I modify that helper script to run the rpm-ostree-installed /opt/1Password/1Password-BrowserHelper instead of the Homebrew binary and make no other changes, it immediately works without needing a browser restart;

WARN  2025-10-19T20:08:07.913+00:00 main(ThreadId(1)) [1P:foundation/op-startup/src/linux.rs:20] Yama is absent or ptrace_scope is set to 0.
INFO  2025-10-19T20:08:07.914+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:269] Starting 1Password-BrowserSupport 8.11.14 production build no. 81114024.
INFO  2025-10-19T20:08:07.914+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:44] Verifying browser "/usr/libexec/flatpak-session-helper"
INFO  2025-10-19T20:08:07.924+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:58] Browser "/usr/libexec/flatpak-session-helper" verified successfully
INFO  2025-10-19T20:08:07.924+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:153] Starting SLS communication (attempting connection to desktop app)
INFO  2025-10-19T20:08:07.925+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:215] Connected to the desktop app

So there’s something that differs between the two binaries. For all I know it may even be the path. What I do see is that the 1Password-BrowserHelper from rpm-ostree is setgid.

$ stat /home/linuxbrew/.linuxbrew/Caskroom/1password-gui-linux-zor/8.11.14/1password-8.11.14.x64/1Password-BrowserSupport 
  File: /home/linuxbrew/.linuxbrew/Caskroom/1password-gui-linux-zor/8.11.14/1password-8.11.14.x64/1Password-BrowserSupport
  Size: 57595656        Blocks: 112496     IO Block: 4096   regular file
Device: 0,55    Inode: 2267724     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 1000/  zorael)   Gid: ( 1000/  zorael)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2025-10-19 22:06:37.159913089 +0200
Modify: 2025-10-10 16:42:31.000000000 +0200
Change: 2025-10-19 22:02:37.406107478 +0200
 Birth: 2025-10-19 22:02:37.375391761 +0200

$ stat /opt/1Password/1Password-BrowserSupport 
  File: /opt/1Password/1Password-BrowserSupport
  Size: 57595656        Blocks: 112496     IO Block: 4096   regular file
Device: 0,40    Inode: 147803      Links: 1
Access: (2755/-rwxr-sr-x)  Uid: (    0/    root)   Gid: ( 1002/onepassword)
Context: system_u:object_r:usr_t:s0
Access: 1970-01-01 01:00:00.000000000 +0100
Modify: 1970-01-01 01:00:00.000000000 +0100
Change: 1970-01-01 01:00:00.000000000 +0100
 Birth: -

But even if I copy the /opt/1Password binary into the Homebrew installation with sudo cp -a to preserve the setgid, I still get errors and it still doesn’t work.

WARN  2025-10-19T20:39:18.120+00:00 main(ThreadId(1)) [1P:foundation/op-startup/src/linux.rs:20] Yama is absent or ptrace_scope is set to 0.
INFO  2025-10-19T20:39:18.121+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:269] Starting 1Password-BrowserSupport 8.11.14 production build no. 81114024.
INFO  2025-10-19T20:39:18.121+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:44] Verifying browser "/usr/libexec/flatpak-session-helper"
WARN  2025-10-19T20:39:18.128+00:00 main(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/linux.rs:331] binary permission verification failed for /var/home/linuxbrew/.linuxbrew/Caskroom/1password-gui-linux-zor/8.11.14/1password-8.11.14.x64
ERROR 2025-10-19T20:39:18.164+00:00 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:302] Browser support error: BrowserProcessVerification(BinaryPermissions), happened in: native-messaging/op-browser-support/src/browser_verification/linux.rs:53
        Additional error context: Failed to verify browser permissions

I cannot say whether the browser helper in /opt/1Password can speak to the Homebrew installation of the GUI, as starting the GUI via Homebrew seems to make it fall back to /opt/1Password/1Password instead if it’s available.

So there’s something that’s different between /opt/1Password/1Password-BrowserSupport and /home/linuxbrew/.linuxbrew/Caskroom/1password-gui-linux-zor/8.11.14/1password-8.11.14.x64 that makes 1Password abort trying to invoke the latter with “process detected it was running without libc’s security”.

It is possible it may behave slightly differently if there is no installation via rpm-ostree.

If you want to test this, the way to see if it works is to run both the GUI and the browser with the extension added, then right-click the extension icon on the toolbar and pick Settings. The very first General screen will say whether or not the two successfully connected to each other. If they didn’t, there are the logs.

$ brew install --cask zorael/tap/1password-gui-linux-zor 
$ brew install --cask zorael/tap/1password-flatpak-browser-integration-zor 

(I think those are the commands but I am really new to Homebrew, so maybe not. Here are the casks.)

The wrapper script is at ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh, and again, logs are at ~/.config/1Password/logs/BrowserSupport.

A data point in support of this: if I replace the Homebrew-installed browser helper binary with a symbol link to the rpm-ostree one in /opt, the browser extension can successfully connect to the GUI app.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.