From 7f083ce825ac452c781bba9976138f249b1f7510 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:25 +0100
Subject: feat(pteid): bridge cartão de cidadão into Okular and LibreOffice flatpaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both apps support digital signatures via NSS — Okular through Poppler, LibreOffice natively. Extend the pteid bridge to also register libpteidpkcs11.so in their per-flatpak ~/.pki/nssdb (single shared DB, unlike Mozilla's per-profile model). Refactored the script around two helpers (apply_override, register_in_profile) and two app tables (MOZILLA_APPS for per-profile, SHARED_NSS_APPS for single-DB). register_in_profile auto-creates the NSS DB with certutil -N if missing, since neither Okular nor LibreOffice initialise it on first run.
---
 README.md | 18 +++---
 run_onchange_after_deploy-pteid-pkcs11.sh.tmpl | 88 ++++++++++++++++----------
 2 files changed, 62 insertions(+), 44 deletions(-)
diff --git a/README.md b/README.md
index 906dd71..a03b228 100644
--- a/README.md
+++ b/README.md
@@ -75,15 +75,15 @@ chezmoi apply -v
 Everything is driven by [just](https://just.systems/) recipes against four parallel models:
-| Directory | Managed by | Purpose |
-| ----------------------------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `dot_*`, `private_dot_*` | chezmoi | Dotfiles deployed to `$HOME`. Prefixes: `dot_` → `.`, `private_` → `0600`, `executable_` → `+x`. |
-| `meta/*.txt` | `just pkg-apply`, `just pkg-status` | Plain-text package lists (one per line, `#` comments). Groups: `base`, `dev`, `wayland`, etc. |
-| `systemd-units/{system,user}/*.txt` | `just unit-apply`, `just unit-status` | Units to enable, split by scope. `system/` files pair by name with `meta/` groups (`system/base.txt` ↔ `meta/base.txt`); `user/` files are standalone. Recipe group token: `` / `system:` / `user:`. |
-| `etc/` | `run_onchange_after_deploy-etc.sh.tmpl` | System-level configs deployed to `/etc/` via a chezmoi onchange hook. |
-| `firefox/` | `run_onchange_after_deploy-firefox.sh.tmpl` | LibreWolf `user-overrides.js` + `userChrome.css` (kept under the familiar `firefox/` name). |
-| (cartão de cidadão) | `run_onchange_after_deploy-pteid-pkcs11.sh.tmpl` | Bridges the `pt.gov.autenticacao` flatpak's PKCS#11 module into the NSS DB of every Mozilla-family flatpak we use (LibreWolf, Thunderbird) — `--filesystem` + `--socket=pcsc` override + `modutil -add` per profile. No-op unless `pt.gov.autenticacao` is installed. |
-| (Thunderbird native editor) | `run_onchange_after_deploy-tb-eer.sh.tmpl` | Bridges `external-editor-revived` (host pacman package) into the Thunderbird flatpak: deploys a `flatpak-spawn --host` wrapper into the sandbox's `~/.mozilla/native-messaging-hosts/` and rewrites the manifest `path` to point at it. No-op unless TB flatpak + EER host package are both installed. |
+| Directory | Managed by | Purpose |
+| ----------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `dot_*`, `private_dot_*` | chezmoi | Dotfiles deployed to `$HOME`. Prefixes: `dot_` → `.`, `private_` → `0600`, `executable_` → `+x`. |
+| `meta/*.txt` | `just pkg-apply`, `just pkg-status` | Plain-text package lists (one per line, `#` comments). Groups: `base`, `dev`, `wayland`, etc. |
+| `systemd-units/{system,user}/*.txt` | `just unit-apply`, `just unit-status` | Units to enable, split by scope. `system/` files pair by name with `meta/` groups (`system/base.txt` ↔ `meta/base.txt`); `user/` files are standalone. Recipe group token: `` / `system:` / `user:`. |
+| `etc/` | `run_onchange_after_deploy-etc.sh.tmpl` | System-level configs deployed to `/etc/` via a chezmoi onchange hook. |
+| `firefox/` | `run_onchange_after_deploy-firefox.sh.tmpl` | LibreWolf `user-overrides.js` + `userChrome.css` (kept under the familiar `firefox/` name). |
+| (cartão de cidadão) | `run_onchange_after_deploy-pteid-pkcs11.sh.tmpl` | Bridges the `pt.gov.autenticacao` flatpak's PKCS#11 module into the NSS DB of every flatpak that needs cartão de cidadão (LibreWolf, Thunderbird, Okular, LibreOffice) — `--filesystem` + `--socket=pcsc` override + `modutil -add` per NSS DB (per-profile for Mozilla apps, shared `~/.pki/nssdb` for Okular/LibreOffice). No-op unless `pt.gov.autenticacao` is installed. |
+| (Thunderbird native editor) | `run_onchange_after_deploy-tb-eer.sh.tmpl` | Bridges `external-editor-revived` (host pacman package) into the Thunderbird flatpak: deploys a `flatpak-spawn --host` wrapper into the sandbox's `~/.mozilla/native-messaging-hosts/` and rewrites the manifest `path` to point at it. No-op unless TB flatpak + EER host package are both installed. |
 ## Recipes at a glance
diff --git a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
index 6046bec..13db657 100644
--- a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
+++ b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
@@ -25,47 +25,65 @@ SO_DIR=$(dirname "$SO")
 SO_IN_SANDBOX="/run/host$SO"
 SO_DIR_IN_SANDBOX="/run/host$SO_DIR"
-if ! command -v modutil >/dev/null 2>&1; then
- echo "pteid-pkcs11: modutil not found (install nss); skipping NSS registration." >&2
- exit 0
+if ! command -v modutil >/dev/null 2>&1 || ! command -v certutil >/dev/null 2>&1; then
+ echo "pteid-pkcs11: modutil/certutil not found (install nss); skipping NSS registration." >&2
+ exit 0
 fi
+apply_override() {
+ flatpak info --user "$1" >/dev/null 2>&1 || return 1
+ flatpak override --user \
+ --filesystem="$PTEID_LOC/files:ro" \
+ --socket=pcsc \
+ --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
+ "$1"
+}
+
+register_in_profile() {
+ prof="$1"
+ proc_name="$2"
+ [ -d "$prof" ] || return 0
+ if [ ! -f "$prof/cert9.db" ]; then
+ certutil -N -d "sql:$prof" --empty-password >/dev/null 2>&1 || return 0
+ fi
+ [ -f "$prof/cert9.db" ] || return 0
+ if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
+ return 0
+ fi
+ if pgrep -u "$(id -u)" -x "$proc_name" >/dev/null 2>&1; then
+ echo "pteid-pkcs11: $proc_name is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
+ return 0
+ fi
+ modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
+ echo "pteid-pkcs11: registered $MODULE_NAME in ${prof#"$HOME/"}"
+}
+
+# Mozilla-family flatpaks: per-profile NSS DBs under ~/.var/app////
 # Each line:
-# - profile_subdir is the directory under ~/.var/app// that holds the
-# per-profile NSS DBs (cert9.db lives in each / underneath it)
-# - process_name is the binary name to grep for to detect a running instance
-APPS="\
+MOZILLA_APPS="\
 io.gitlab.librewolf-community .librewolf librewolf
 org.mozilla.Thunderbird .thunderbird thunderbird"
-echo "$APPS" | while IFS=' ' read -r app profile_subdir proc_name; do
- [ -n "$app" ] || continue
- flatpak info --user "$app" >/dev/null 2>&1 || continue
-
- flatpak override --user \
- --filesystem="$PTEID_LOC/files:ro" \
- --socket=pcsc \
- --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
- "$app"
-
- profiles_dir="$HOME/.var/app/$app/$profile_subdir"
- [ -d "$profiles_dir" ] || continue
+echo "$MOZILLA_APPS" | while IFS=' ' read -r app profile_subdir proc_name; do
+ [ -n "$app" ] || continue
+ apply_override "$app" || continue
+ profiles_dir="$HOME/.var/app/$app/$profile_subdir"
+ [ -d "$profiles_dir" ] || continue
+ for prof in "$profiles_dir"/*/; do
+ register_in_profile "$prof" "$proc_name"
+ done
+done
- registered=0
- for prof in "$profiles_dir"/*/; do
- [ -f "$prof/cert9.db" ] || continue
- if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
- continue
- fi
- if pgrep -u "$(id -u)" -x "$proc_name" >/dev/null 2>&1; then
- echo "pteid-pkcs11: $proc_name is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
- continue
- fi
- modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
- registered=$((registered + 1))
- done
+# Shared-NSS flatpaks (Poppler/LibreOffice): single ~/.pki/nssdb inside the sandbox.
+# Each line:
+SHARED_NSS_APPS="\
+org.kde.okular okular
+org.libreoffice.LibreOffice soffice.bin"
- if [ "$registered" -gt 0 ]; then
- echo "pteid-pkcs11: registered $MODULE_NAME in $registered $proc_name profile(s)."
- fi
+echo "$SHARED_NSS_APPS" | while IFS=' ' read -r app proc_name; do
+ [ -n "$app" ] || continue
+ apply_override "$app" || continue
+ prof="$HOME/.var/app/$app/.pki/nssdb"
+ mkdir -p "$prof"
+ register_in_profile "$prof/" "$proc_name"
 done
-- cgit v1.3.1
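Review bot: In register_in_profile the new DB-creation line `certutil -N -d "sql:$prof" --empty-password >/dev/null 2>&1 || return 0` swallows its failure, so when certutil cannot initialise the sandbox's `.pki/nssdb` the app is silently skipped and the user gets no hint why the card never appears in Okular or LibreOffice, while the other skip reason in the same function (a running process) is reported. I would make the failure visible: `certutil -N -d "sql:$prof" --empty-password >/dev/null 2>&1 || { echo "pteid-pkcs11: could not initialise NSS DB in ${prof#"$HOME/"}; skipping." >&2; return 0; }`. Because that DB is created with an empty master password, the SHARED_NSS_APPS loop should also create the directory restrictively, `mkdir -p -m 700 "$prof"`, so key4.db is presumably not readable by other local users under a permissive umask. The function also assigns `prof` and `proc_name` without `local` and the same names are the callers' loop variables; harmless today since the values match, but a one-line comment such as `# NOTE: shadows the callers' prof/proc_name (no local in POSIX sh)` would keep a future edit from tripping over it.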