feat: add 1password #65

Merged
merged 6 commits into from
Mar 20, 2023
Merged
12 changes: 12 additions & 0 deletions Containerfile
Expand Up @@ -51,3 +51,15 @@ COPY --from=cgr.dev/chainguard/cosign:latest /usr/bin/cosign /usr/bin/cosign
RUN curl -Lo ./kind "https://kind.sigs.k8s.io/dl/v0.17.0/kind-$(uname)-amd64"
RUN chmod +x ./kind
RUN mv ./kind /usr/bin/kind

# Install 1Password via Tarball
RUN curl -sSO https://downloads.1password.com/linux/tar/stable/x86_64/1password-latest.tar.gz && \
tar -xf 1password-latest.tar.gz && \
rm 1password-latest.tar.gz && \
mkdir -p /usr/1Password && \
mv 1password-*/* /usr/1Password && \
sh /usr/libexec/1password-after-install.sh \
castrojo marked this conversation as resolved.
&& \
rm -rf /var/* /tmp/* && \
ostree container commit
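Review bot: The tarball fetched by `curl -sSO …/1password-latest.tar.gz` is unpacked and installed as root with no integrity check, and the post-install script then marks binaries from it setuid/setgid. 1Password publishes a detached `.sig` for this tarball, so the step should also download `1password-latest.tar.gz.sig` and run `gpg --verify 1password-latest.tar.gz.sig 1password-latest.tar.gz` before `tar -xf`, against a signing key pinned in the repository (`<1PASSWORD_SIGNING_KEY_FINGERPRINT>`, placeholder). The `latest` URL also means two builds of the same commit can ship different binaries, so recording the extracted version in the build log would help later triage. Using `curl -fsSO` would make an HTTP error fail at the download instead of surfacing as a confusing tar failure.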

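--- a/usr/libexec/1password-after-install.sh
+++ b/usr/libexec/1password-after-install.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+set -eu
+
+installFiles() {
+CWD=$(pwd)
+cd /usr/1Password/
+
+# Fill in policy kit file with a list of (the first 10) human users of the system.
+export POLICY_OWNERS
+POLICY_OWNERS="$(cut -d: -f1,3 /etc/passwd | grep -E ':[0-9]{4}$' | cut -d: -f1 | head -n 10 | sed 's/^/unix-user:/' | tr '\n' ' ')"
+eval "cat <<EOF
+$(cat ./com.1password.1Password.policy.tpl)
+EOF" > ./com.1password.1Password.policy
+
+# Install policy kit file for system unlock
+install -Dm0644 ./com.1password.1Password.policy -t /usr/share/polkit-1/actions/
+
+# Install examples
+install -Dm0644 ./resources/custom_allowed_browsers -t /usr/share/doc/1password/examples/
+
+# chrome-sandbox requires the setuid bit to be specifically set.
+# See https://github.com/electron/electron/issues/17972
+chmod 4755 ./chrome-sandbox
+
+GROUP_NAME="onepassword"
+
+# Setup the Core App Integration helper binary with the correct permissions and group
+if [ ! "$(getent group "${GROUP_NAME}")" ]; then
+groupadd "${GROUP_NAME}"
+fi
+
+HELPER_PATH="./1Password-KeyringHelper"
+BROWSER_SUPPORT_PATH="./1Password-BrowserSupport"
+
+chgrp "${GROUP_NAME}" $HELPER_PATH
+# The binary requires setuid so it may interact with the Kernel keyring facilities
+chmod u+s $HELPER_PATH
+chmod g+s $HELPER_PATH
+
+# This gives no extra permissions to the binary. It only hardens it against environmental tampering.
+chgrp "${GROUP_NAME}" $BROWSER_SUPPORT_PATH
+chmod g+s $BROWSER_SUPPORT_PATH
+
+# Restore previous directory
+cd "$CWD"
+
+# Register path symlink
+ln -sf /usr/1Password/1password /usr/bin/1password
+}
+
+if [ "$(id -u)" -ne 0 ]; then
+echo "You must be running as root to run 1Password's post-installation process"
+exit
+fi
+
+installFiles
+
+exit 0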
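Review bot: The `eval "cat <<EOF … EOF"` at the top of installFiles runs the contents of `com.1password.1Password.policy.tpl` through the shell as root, so any `$(…)` or backtick sequence in a file that came out of the downloaded tarball is executed during the build. If the template's only placeholder is `${POLICY_OWNERS}` (the template is not visible here), a data-only substitution such as `envsubst '${POLICY_OWNERS}' < ./com.1password.1Password.policy.tpl > ./com.1password.1Password.policy` removes that code-execution path. Separately, the non-root branch ends in a bare `exit`, which returns the status of the preceding `echo` (0), so the Containerfile's `&&` chain would continue as if installation had succeeded; `exit 1` makes the failure visible. POLICY_OWNERS is also derived from the build container's /etc/passwd, which presumably has no UID 1000–9999 accounts, so the baked polkit owner list is likely empty and worth confirming.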