From 79d68fcc03c1639c1f13343b4b7d5f9f06274295 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:25 +0100
Subject: feat(thunderbird): migrate to flatpak with NMH + PKCS#11 bridges
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak, mirroring the LibreWolf migration. Bubblewrap isolates the mail client from the rest of $HOME (ssh keys, password store, gpg sockets); intra-process isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:

- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges external-editor-revived's native messaging host into the sandbox via a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB, copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/, chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop x-scheme-handler/mailto. Once verified working, archive the old profile via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
---
run_onchange_after_deploy-tb-eer.sh.tmpl | 77 ++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 run_onchange_after_deploy-tb-eer.sh.tmpl
(limited to 'run_onchange_after_deploy-tb-eer.sh.tmpl')

diff --git a/run_onchange_after_deploy-tb-eer.sh.tmpl b/run_onchange_after_deploy-tb-eer.sh.tmpl
new file mode 100644
index 0000000..3622e67
--- /dev/null
+++ b/run_onchange_after_deploy-tb-eer.sh.tmpl 
@@ -0,0 +1,77 @@
+#!/bin/sh
+# Bridge the External Editor Revived native messaging host into the
+# org.mozilla.Thunderbird flatpak. The host binary stays installed via
+# pacman (`external-editor-revived`); we relocate the manifest into the
+# sandbox and replace its binary path with a wrapper that re-enters the
+# host via flatpak-spawn.
+#
+# Idempotent. Re-runs on script changes or whenever the host-side manifest
+# content changes.
+#
+# host manifest hash: {{ output "sh" "-c" "for p in /usr/lib/mozilla/native-messaging-hosts/external_editor_revived.json /usr/lib/thunderbird/native-messaging-hosts/external_editor_revived.json; do [ -f \"$p\" ] && sha256sum \"$p\" && break; done; true" | sha256sum }}
+set -eu
+
+TB_APP=org.mozilla.Thunderbird
+MANIFEST_NAME=external_editor_revived.json
+WRAPPER_NAME=external_editor_revived.sh
+HOST_BINARY=/usr/lib/external-editor-revived/external-editor-revived
+
+flatpak info --user "$TB_APP" >/dev/null 2>&1 || exit 0
+
+# Locate the host-side manifest. Different PKGBUILDs have used different
+# install dirs; prefer the canonical mozilla path, fall back to TB-specific.
+HOST_MANIFEST=
+for candidate in \
+ /usr/lib/mozilla/native-messaging-hosts/$MANIFEST_NAME \
+ /usr/lib/thunderbird/native-messaging-hosts/$MANIFEST_NAME \
+ /usr/lib64/mozilla/native-messaging-hosts/$MANIFEST_NAME; do
+ if [ -f "$candidate" ]; then
+ HOST_MANIFEST=$candidate
+ break
+ fi
+done
+[ -n "$HOST_MANIFEST" ] || {
+ echo "tb-eer: external-editor-revived manifest not found on host; install the package or skip TB native editor." >&2
+ exit 0
+}
+
+[ -x "$HOST_BINARY" ] || {
+ echo "tb-eer: $HOST_BINARY not executable on host; skipping." >&2
+ exit 0
+}
+
+# Allow flatpak-spawn --host from inside the sandbox.
+flatpak override --user --talk-name=org.freedesktop.Flatpak "$TB_APP"
+
+# In-sandbox path the manifest will reference. TB looks for user manifests
+# at $HOME/.mozilla/native-messaging-hosts/ from inside its sandbox; from
+# outside that maps to ~/.var/app/$TB_APP/.mozilla/native-messaging-hosts/.
+SANDBOX_NMH_DIR="$HOME/.mozilla/native-messaging-hosts"
+HOST_NMH_DIR="$HOME/.var/app/$TB_APP/.mozilla/native-messaging-hosts"
+mkdir -p "$HOST_NMH_DIR"
+
+# Wrapper that re-enters the host to invoke the real binary.
+WRAPPER_HOST_PATH="$HOST_NMH_DIR/$WRAPPER_NAME"
+WRAPPER_SANDBOX_PATH="$SANDBOX_NMH_DIR/$WRAPPER_NAME"
+cat >"$WRAPPER_HOST_PATH" </dev/null 2>&1; then
+ jq --arg p "$WRAPPER_SANDBOX_PATH" '.path = $p' "$HOST_MANIFEST" >"$TARGET_MANIFEST.tmp"
+ mv "$TARGET_MANIFEST.tmp" "$TARGET_MANIFEST"
+else
+ # Fallback: simple sed on the "path": "..." line. Brittle if the file
+ # ever becomes minified or contains escaped quotes — jq is preferred.
+ escaped=$(printf '%s' "$WRAPPER_SANDBOX_PATH" | sed 's/[\/&]/\\&/g')
+ sed -E "s|(\"path\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")|\1$escaped\2|" \
+ "$HOST_MANIFEST" >"$TARGET_MANIFEST.tmp"
+ mv "$TARGET_MANIFEST.tmp" "$TARGET_MANIFEST"
+fi
+
+echo "tb-eer: External Editor Revived bridged into $TB_APP."
-- 
cgit v1.3.1
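Review bot: `flatpak override --user --talk-name=org.freedesktop.Flatpak "$TB_APP"` grants the sandbox the Flatpak session service, which is what `flatpak-spawn --host` needs to run any command on the host, not only this wrapper; a compromised renderer or a malicious add-on inside Thunderbird can then execute arbitrary host code, so the $HOME isolation the commit message credits to bubblewrap does not survive this script. That tradeoff belongs next to the override rather than only in the commit message, e.g. `# NOTE: this D-Bus grant lets the sandbox spawn arbitrary host commands; it is a deliberate hole so the NMH wrapper can reach the host binary.` If the Thunderbird flatpak honours the xdg-desktop-portal WebExtensions portal, bridging native messaging through it would avoid the blanket grant — worth checking before settling on the override. In the sed fallback the substitution uses `|` as its delimiter but `escaped` only escapes `/` and `&`, so a `|` or `\` in $HOME still breaks the rewrite; minor since jq is preferred, but the comment could say so. Separately, `TARGET_MANIFEST` is read but its assignment, the wrapper heredoc and any `chmod` on it are not visible in this rendering of the hunk (the text between `cat >"$WRAPPER_HOST_PATH" <` and `/dev/null 2>&1; then` appears lost in extraction), so the wrapper contents could not be reviewed here.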