#!/bin/sh
# Bridge the pt.gov.autenticacao flatpak's PKCS#11 module into the NSS
# database of every Mozilla-family flatpak we use, so cartão de cidadão
# authentication / S/MIME signing works despite cross-sandbox isolation.
#
# Idempotent. Re-runs whenever this script or the pt.gov.autenticacao entry
# in meta/flatpak.txt changes.
#
# pteid entry hash: {{ output "sh" "-c" (printf "grep '^pt\\.gov\\.autenticacao' %q/meta/flatpak.txt 2>/dev/null || true" .chezmoi.sourceDir) | sha256sum }}
set -eu

PTEID_APP=pt.gov.autenticacao
# Name under which the PKCS#11 module is registered in each NSS DB.
MODULE_NAME=pteid-mw

# Everything below is a quiet no-op (exit 0) unless the pteid flatpak is
# installed for this user and its PKCS#11 library can be located.
if ! flatpak info --user "$PTEID_APP" >/dev/null 2>&1; then
	exit 0
fi

PTEID_LOC=$(flatpak info --user --show-location "$PTEID_APP" 2>/dev/null)
if [ ! -d "$PTEID_LOC/files" ]; then
	exit 0
fi

# First libpteidpkcs11.so found under the deployed tree (host path).
SO=$(find "$PTEID_LOC/files" -name 'libpteidpkcs11.so' -type f 2>/dev/null | head -1)
if [ -z "$SO" ] || [ ! -f "$SO" ]; then
	exit 0
fi
SO_DIR=$(dirname "$SO")

# flatpak --filesystem mounts host paths under /run/host inside the sandbox,
# so sandboxed apps see the library at these prefixed paths.
SO_IN_SANDBOX="/run/host$SO"
SO_DIR_IN_SANDBOX="/run/host$SO_DIR"

# Both NSS tools are required; without them registration is skipped, not failed.
for tool in modutil certutil; do
	if ! command -v "$tool" >/dev/null 2>&1; then
		echo "pteid-pkcs11: modutil/certutil not found (install nss); skipping NSS registration." >&2
		exit 0
	fi
done

#######################################
# Grant one flatpak app access to the pteid library and the pcsc socket.
# Globals:   PTEID_LOC, SO_DIR_IN_SANDBOX (read)
# Arguments: $1 - flatpak app id
# Returns:   1 if the app is not installed for this user, otherwise the
#            exit status of `flatpak override`
#######################################
apply_override() {
	# Nothing to override for an app that is not installed.
	if ! flatpak info --user "$1" >/dev/null 2>&1; then
		return 1
	fi
	# Read-only view of the pteid files, smart-card socket access, and
	# LD_LIBRARY_PATH pointing at the in-sandbox (/run/host) library dir.
	flatpak override --user \
		--filesystem="$PTEID_LOC/files:ro" \
		--socket=pcsc \
		--env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
		"$1"
}

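#######################################
# Ensure the pteid PKCS#11 module is registered in one NSS database,
# creating an empty-password sql: DB first when the directory has none.
# Globals:   MODULE_NAME, SO_IN_SANDBOX, HOME (read)
# Arguments: $1 - NSS DB directory (a Mozilla profile dir or ~/.pki/nssdb)
#            $2 - process name of the app that owns the DB
# Outputs:   progress message on stdout, "app is running" notice on stderr
# Returns:   0 in every handled case (missing dir, DB creation failure,
#            already registered, owning app running); non-zero only when
#            `modutil -add` itself fails.
#######################################
register_in_profile() {
	# Own names so the caller's loop variables (prof, proc_name) are not clobbered.
	db_dir=$1
	app_proc=$2
	[ -d "$db_dir" ] || return 0
	# Initialise a sql: DB if there is none; a failure here (e.g. a directory
	# that is not actually a profile, or is unwritable) is not fatal.
	if [ ! -f "$db_dir/cert9.db" ]; then
		certutil -N -d "sql:$db_dir" --empty-password >/dev/null 2>&1 || return 0
	fi
	[ -f "$db_dir/cert9.db" ] || return 0
	# Already registered? Accept both a "Name: <module>" detail line and the
	# "N. <module>" entry of modutil's summary listing, so the idempotency
	# check holds whichever form the installed nss prints.
	if modutil -list -dbdir "sql:$db_dir" 2>/dev/null \
		| grep -Eq "^[[:space:]]*([0-9]+\. |Name:[[:space:]]*)$MODULE_NAME\$"; then
		return 0
	fi
	# Do not touch a DB while its owning app runs; ask the user to retry.
	if pgrep -u "$(id -u)" -x "$app_proc" >/dev/null 2>&1; then
		echo "pteid-pkcs11: $app_proc is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
		return 0
	fi
	modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$db_dir" -force >/dev/null
	# printf rather than echo: dash's echo would interpret backslashes in the path.
	printf 'pteid-pkcs11: registered %s in %s\n' "$MODULE_NAME" "${db_dir#"$HOME/"}"
}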

# Mozilla-family flatpaks keep one NSS DB per profile under
# ~/.var/app/<id>/<profile_subdir>/<profile>/ and need the module in each one.
# One app per line: <flatpak_app_id> <profile_subdir> <process_name>
MOZILLA_APPS="\
io.gitlab.librewolf-community .librewolf librewolf
org.mozilla.Thunderbird .thunderbird thunderbird"

printf '%s\n' "$MOZILLA_APPS" | while IFS=' ' read -r app_id subdir exe; do
	# Skip blank lines and apps that are not installed (override fails).
	if [ -z "$app_id" ] || ! apply_override "$app_id"; then
		continue
	fi
	profiles_root="$HOME/.var/app/$app_id/$subdir"
	[ -d "$profiles_root" ] || continue
	# Trailing slash limits the glob to directories; when nothing matches the
	# literal pattern is passed on and register_in_profile rejects it as no dir.
	for profile_dir in "$profiles_root"/*/; do
		register_in_profile "$profile_dir" "$exe"
	done
done

# Poppler/LibreOffice-based flatpaks use a single shared NSS DB, ~/.pki/nssdb
# inside the sandbox, which lives at ~/.var/app/<id>/.pki/nssdb on the host.
# One app per line: <flatpak_app_id> <process_name>
SHARED_NSS_APPS="\
org.kde.okular okular
org.libreoffice.LibreOffice soffice.bin"

printf '%s\n' "$SHARED_NSS_APPS" | while IFS=' ' read -r app_id exe; do
	# Skip blank lines and apps that are not installed (override fails).
	if [ -z "$app_id" ] || ! apply_override "$app_id"; then
		continue
	fi
	nssdb="$HOME/.var/app/$app_id/.pki/nssdb"
	# The directory may not exist yet; create it so register_in_profile can
	# initialise cert9.db there.
	mkdir -p "$nssdb"
	register_in_profile "$nssdb/" "$exe"
done