Installing 1Password in Bluefin, a better way?

Hi @jpl, I’ve followed your example (here), but I’m currently a bit stuck on Bitwarden system auth. Trying to unlock gives an “an unexpected error has occurred” popup (though it does unlock, strangely). Do I have to do something else with the polkit policy file? Running that chcon command in the live system also fails.

Looks like you found a better way to install Bitwarden than my hack to find the latest RPM on GitHub.

I haven’t seen the error popup you mentioned. I haven’t gotten around to working on it further, so I’m not even sure yet if it’s working with system auth, probably because I have it configured to only lock on restart. I also don’t know anything about the policy file or how important the chcon command is, sorry.

I suppose I got it working just well enough for my uses and moved on, but I’m planning to get back to it at some point and turn it into a re-usable BlueBuild module. Let me know if you learn anything further and I can add any new steps to the module.

Looks like you found a better way to install Bitwarden than my hack to find the latest RPM on GitHub.

I actually tried your script, but for some reason local build failed with “read-only filesystem” during build.

Okay, I’ll see if I’d get any further on this.

Did you try to change where the RPM was being saved to? The environment inside the build steps isn’t really documented, and the only place I could find where the RPM file would be found was in root. I want to clean that up at some point.

Seeing as this is taking top spot in google search and there’s no definitive answer to this issue, I thought I’d chime in. I have tried both rpm-ostree install (layering) as well as custom build via bluebuild (preferred). However, in case of 1Password one issue always remained, browser extension and 1password always refused to talk to each other. Turns out it’s because of wrong UID/GID that is applied to 1password when built via bluebuild.

There’s a way to patch it manually via custom scripts, but thankfully ublue maintainers made a very simple way to install it correctly so that all features including fingerprint auth as well as browser extension work: bling | BlueBuild

In the bluebuild recipe.yml it’s as simple as this:

```yaml
---
# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
# image will be published to ghcr.io/<user>/<name>
name: template
# description will be included in the image's metadata
description: This is my personal OS image.

# the base image to build on top of (FROM) and the version tag to use
base-image: ghcr.io/ublue-os/bluefin-dx
image-version: stable

# module configuration, executed in order
# you can include multiple instances of the same module
modules:
  - type: files
    files:
      - source: system
        destination: / # copies files/system/* (* means everything inside it) into your image's root folder /

  - type: rpm-ostree
    repos:
      - https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
    optfix:
      - brave.com
    keys:
      - https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
    install:
      - brave-browser

  - type: bling
    install:
      - 1password

  - type: signing # this sets up the proper policy & signing files for signed images to work fully
```

Just make sure to change the base image to the “distro” that you want to base it off - bazzite/aurora/bluefin/silverblue-main etc.
This installs both Brave browser and 1password as system packages. You can change Brave to any other browser of your choice of course.

As others mentioned bluebuild, if you still are unsure how to set it up, it’s pretty straightforward. Just follow this section in the docs How to set up a new repository | BlueBuild and then just edit recipe.yml in created github repository, check until build passes (you can watch it in github in same repository when you go to Github Actions tab) and when build passes, just rebase to your very own image as is described in your own repository’s README.md. That’s all.

Honestly I am a bit flabbergasted it took me so long to find working solution on google, even though it’s clearly documented in bluebuild docs, google failed to find it :slight_smile:

Anyway, I hope this helps someone to properly set up 1password on their immutable distros.

If anyone wants to inspect what this bling does you can see it in ublue repo here:
github .com/blue-build/modules/blob/c0943c009d578214d8bd3d6f185a106420dc034e/modules/bling/installers/1password.sh (can’t post more than 2 links in a post so remove the space after github)

3 Likes

How is Bitwarden working out for you?

In case you or anyone else has this same problem, I spent hours today trying to get Bitwarden’s Firefox extension to unlock with biometrics when running Firefox under Flatpak and finally got a working solution.

Here’s a concise fix as a shell session:

```console
$ mkdir -p "$HOME/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts"
$ cd "$HOME/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts"
# Unquoted EOF: $HOME is expanded here, so the manifest gets an absolute path.
$ cat <<EOF > com.8bit.bitwarden.json
{
  "name": "com.8bit.bitwarden",
  "description": "Bitwarden desktop <-> browser bridge",
  "path": "$HOME/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/bitwarden-proxy.sh",
  "type": "stdio",
  "allowed_extensions": ["{446900e4-71c2-419f-a6a7-df9c091e268b}"]
}
EOF
# Quoted 'EOF': "$@" is written literally instead of being expanded (to nothing) now.
$ cat <<'EOF' > bitwarden-proxy.sh
#!/bin/bash
flatpak-spawn --host /usr/lib/opt/Bitwarden/desktop_proxy "$@"
EOF
$ chmod +x bitwarden-proxy.sh
$ sudo flatpak override --talk-name=org.freedesktop.Flatpak org.mozilla.firefox
```

(That last command could be done without sudo through Flatseal if preferred. Also, feel free to change /usr/lib/opt/Bitwarden to /opt/Bitwarden, which should be a symlink made by Blue Build’s “optfix” step.)

In short, this configures Flatpak Firefox to be able to run Bitwarden’s desktop_proxy command via native messaging, which it is otherwise unable to do. Native messaging is how the extension talks to the desktop app to unlock via biometrics, as seen here.

I noticed that if I download and run Firefox outside of Flatpak, the Bitwarden extension seems to manage this by itself by creating $HOME/.mozilla/native-messaging-hosts/com.8bit.bitwarden.json which runs /usr/lib/opt/Bitwarden/desktop_proxy directly.

I don’t know Flatpak well enough, but there may be a simpler way to do this by allowing Flatpak Firefox to write to $HOME/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts (so it can set up the com.8bit.bitwarden.json file) and to run /usr/lib/opt/Bitwarden/desktop_proxy directly as well.

Hope this helps.
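Added example, not part of the original post or of Bitwarden's or Firefox's own code: a small checker for a manifest like the one written above, covering the conditions Firefox needs to find a native-messaging host (file named `<name>.json`, `"type": "stdio"`, an absolute `path` to an executable) plus one hardening check that is an assumption of this example, namely that the host program is not writable by group or others. The function names and the stand-in wrapper in `demo()` are hypothetical and the sample manifest is constructed.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def check_manifest(manifest_path):
    """Return problems found in a Firefox native-messaging host manifest."""
    path = Path(manifest_path)
    try:
        manifest = json.loads(path.read_text())
    except (OSError, ValueError) as exc:
        return [f"manifest unreadable or not JSON: {exc}"]
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]
    problems = []
    if path.name != f"{manifest.get('name')}.json":
        problems.append("file name must be <name>.json")
    if manifest.get("type") != "stdio":
        problems.append('type must be "stdio"')
    exts = manifest.get("allowed_extensions")
    if not isinstance(exts, list) or not exts:
        problems.append("allowed_extensions must list the add-on IDs")
    host = manifest.get("path")
    if not isinstance(host, str) or not os.path.isabs(host):
        # A literal "$HOME/..." (quoted heredoc) or "~/..." lands here too.
        return problems + ["path must be an absolute path"]
    try:
        mode = os.stat(host).st_mode
    except OSError:
        return problems + ["host program does not exist"]
    if not stat.S_ISREG(mode) or not mode & stat.S_IXUSR:
        problems.append("host program is not an executable file")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("host program is writable by group or others")
    return problems


def demo():
    """Check a constructed manifest and stand-in wrapper in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        wrapper = Path(tmp, "bitwarden-proxy.sh")
        wrapper.write_text('#!/bin/bash\nexec true "$@"\n')
        wrapper.chmod(0o755)
        manifest = Path(tmp, "com.8bit.bitwarden.json")
        manifest.write_text(json.dumps({
            "name": "com.8bit.bitwarden", "type": "stdio", "path": str(wrapper),
            "allowed_extensions": ["{446900e4-71c2-419f-a6a7-df9c091e268b}"]}))
        return check_manifest(manifest)
```

The checker does not look at the `--talk-name=org.freedesktop.Flatpak` override, which lets the sandboxed Firefox run host commands through `flatpak-spawn --host`; `flatpak override --show org.mozilla.firefox` lists the overrides in effect.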

:person_shrugging: Tried adding that script proxy, still getting NativeMessaging port disconnected because of error: No such native application com.8bit.bitwarden

I’ll probably try to build image with Firefox from RPM and see if that helps anything.

I don’t know Flatpak well enough, but there may be a simpler way to do this by allowing Flatpak Firefox to write to $HOME/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts (so it can set up the com.8bit.bitwarden.json file) and to run /usr/lib/opt/Bitwarden/desktop_proxy directly as well.

I think .var/app/ is virtualized path for flatpak data and should be writable by default.

Currently, I’ve just set Firefox to access all user files. This results in extension successfully creating that json in $HOME/.mozilla/native-messaging-hosts but still fails with same error.

Okay, I’ve switched both Bitwarden and Firefox to RPM installation, and extension unlock with biometrics works perfectly fine with no extra scripts.

It’s too bad all these little details are not well understood (or at least not really documented anywhere) but I suppose over time Flatpak packagers will get better at all this. I saw discussions that the Flatpak for the Bitwarden desktop app would be getting fingerprint support in the near future, but couldn’t find any mention of the Firefox extension.

It took me quite a few hours of persistent searching and debugging to even learn that native messaging was the problem (actually I had never even heard of native messaging because I’m not a browser extension developer). It looks like a pretty clumsy way to get things done, but maybe that will improve over time as well.

1 Like

So guys, now that you’ve gone through all of this, what is your final analysis?

Is the architecture of browser extensions secure enough to warrant all the work you did?

Keying on your pretty clumsy comment here.

I can’t really speak to the security aspects, but presumably they’re the same as anyone using a regular non-Flatpak installation of Firefox.

I’m writing up a new post to summarize my experience in case it’s helpful to any other Bitwarden users. I don’t really know Flatpak very well, so it’s possible that all of this could have been simpler if I gave Firefox permissions to write to $HOME/.var/app/org.mozilla.firefox/.mozilla. After all, in non-Flatpak Firefox the Bitwarden plugin sets up the native messaging stuff automatically, since it’s allowed to write to $HOME/.mozilla. In fact, I think I’ll test that option now, since it would be a much simpler solution than the manual stuff I posted earlier.

1 Like

If it’s being installed into /opt, you may be able to use a filesystem override to give the flatpak access to bitwarden or whatever to the install directory in /opt.

I’m not sure if that is one of the protected dirs for flatpak.