At the end of the day, I now have all the pieces together, and using
GnuPG-encrypted credentials with FF works really fine; the credentials
are stored as a tree in the file system and access requires the 6 digit
PIN to unlock the secret key on the GnuPG-card. There is no way to use the
credentials as long as the laptop and GnuPG-card are not stolen together
*and* connected, i.e. the card is PIN unlocked.

I'm attaching a small how-to in case someone else wants to wade through
password-storage and browserpass.

Thanks for all the helpful hints.


How to use GnuPG-card with Firefox and credentials

As root, we need to install some more ports:

# cd /usr/ports/sysutils/password-store
# make install clean
# cd /usr/ports/lang/go
# make install clean

The 'fdescfs' must be mounted:

# mount -t fdescfs null /dev/fd

and/or inserted into /etc/fstab as:

    fdescfs /dev/fd fdescfs rw 0 0

If 'fdescfs' is not mounted, the command 'pass init ...' will fail with:

$ pass init foo
Password store initialized for foo
/usr/local/bin/pass: línea 84: /dev/fd/62: No such file or directory

To init the ~/.password-store I used (note 'guru at' is
not an email addr, but something which identifies the GnuPG secret key
stored on the GnuPG-card):

$ pass init guru at

Which gives:

$ ls -la ~/.password-store
total 48
drwx------    3 guru  wheel    512  3 jul.  08:19 .
drwxr-xr-x  248 guru  wheel  33792  3 jul.  08:12 ..
-rw-------    1 guru  wheel     17  3 jul.  08:17 .gpg-id
$ cat ~/.password-store/.gpg-id
guru at

Now we can insert userid/passwords into the tree of the ~/.password-store; note
the syntax Business/cheese-whiz-factory where 'Business' is some domain and
'cheese-whiz-factory' the userid in this:

$ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: cheese
Retype password for Business/cheese-whiz-factory: cheese

$ pass
Password Store
└── Business
    └── cheese-whiz-factory.gpg

$ pass Business/cheese-whiz-factory  # this will ask for the PIN to unlock the GnuPG-card

The file 'Business/cheese-whiz-factory.gpg' contains the password 'cheese'
but GnuPG encrypted:

$ file ~/.password-store/Business/cheese-whiz-factory.gpg 
/home/guru/.password-store/Business/cheese-whiz-factory.gpg: PGP RSA encrypted session key - keyid: B6ECF161 C3A6C925 RSA (Encrypt or Sign) 4096b .

The 2nd part now is a bit tricky: the 'browserpass' Mozilla add-on:

I followed a hint from Boris Samorodov <bsam at> how to install 'browserpass'
directly from

$ cd
$ go get -u
$ GOPATH=/home/guru/go export GOPATH
$ cd $GOPATH/src/
$ go build           [*]
$ ls -l
total 2884
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:02 browserpass
-rw-r--r--  1 guru  wheel      357  3 jul.  13:00 main.go

$ go install
$ ls -l $GOPATH/bin
total 2880
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:03 browserpass

so far so good, but:

Now the installation requires the integration with the browser through
some script ''; I looked for it and did:

$ bash src/

Select your browser:
1) Chrome
2) Chromium
3) Firefox
4) Vivaldi
1-4: 3

Installing Firefox host config
cp: /home/guru/go/src/ No such file or directory

Hmmm, where the hell is the *.json file we need?

$ find ~/go -name *.json

I fixed the above and copied over 

$ cp src/ /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json

and modified the 'path' in it to show:

$ cat /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
{
  "name": "com.dannyvankooten.browserpass",
  "description": "Browserpass binary for the Firefox extension",
  "path": "/home/guru/go/src/",
  "type": "stdio",
  "allowed_extensions": [
     "browserpass at"
  ]
}

Maybe the exec /home/guru/go/src/
should be copied to some better place;

Now install the 'browserpass' add-on from:
(one must fake the User-agent string to, for example, Ubuntu)

This made the 'browserpass' add-on work in general, but the command chain
needs to know where the GNUPGHOME is, in my case GNUPGHOME=/home/guru/.gnupg-ccid,
because firefox starts /usr/local/bin/pass, which itself starts /usr/local/bin/gpg2
and this needs the correct GNUPGHOME env value; so I modified the FF icon to launch

    GNUPGHOME=/home/guru/.gnupg-ccid firefox %U

some more hints:

- I have not found a way to enter new user/password from the browser; I always
  do it from cmdline with

  $ pass insert

- if the 'username' contains blanks (or other shell meta chars), they must be escaped as:

  $ pass insert ' Matthias'

- if there is no 'username', but only the password, just use

  $ pass insert
  $ pass insert

- XXX still todo: convert all old FF-credentials to the password-store (which is
  relatively easy: unload them to a file and build 'pass insert ....' commands);
  once this is done, remove the credentials in FF; really! they are unsafe there;
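
One way to do the conversion listed as "still todo" above, as an added example that is not part of the original post: it turns an exported login file into 'pass insert' calls, passing each secret on stdin rather than on the command line. Assumptions: the export is CSV with url, username and password columns, entries are named host/username, and a login without a username is stored under the host alone; the sample rows and function names are constructed for illustration.

```python
import csv
import io
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample rows in the assumed CSV layout (not data from the post).
SAMPLE_CSV = '''"url","username","password"
"https://shop.example.org","cheese-whiz-factory","cheese"
"https://mail.example.net:8443/login","jane doe","p,w ""q"" $x"
"https://intranet.example.com","../../.gnupg/evil","x"
"https://nouser.example.org","","only-a-password"
'''

def safe_component(text):
    """Reduce text to one path component: no separators, control chars or leading '.'/'-'."""
    text = re.sub(r"[/\\\x00-\x1f\x7f]", "_", text.strip())
    return re.sub(r"^[.\-]+", "_", text)

def plan_entries(csv_text):
    """Return [(pass_name, secret)] for every row that has a host and a password."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(row["url"]).hostname
        if not host or not row["password"]:
            continue
        # Assumption: a login without a username is stored under the host alone.
        user = safe_component(row["username"])
        name = safe_component(host) + ("/" + user if user else "")
        plan.append((name, row["password"]))
    return plan

def import_entries(plan, dry_run=True):
    """Feed each secret to 'pass insert' on stdin so it never shows up in argv or ps."""
    for name, secret in plan:
        # argv list, no shell: blanks and meta chars in the name need no escaping.
        argv = ["pass", "insert", "--multiline", "--force", name]  # --force overwrites
        if dry_run:
            print("would run:", " ".join(argv))
            continue
        subprocess.run(argv, input=secret + "\n", text=True, check=True,
                       stdout=subprocess.DEVNULL)

if __name__ == "__main__":
    import_entries(plan_entries(SAMPLE_CSV))
```

The export file holds every password in cleartext, so delete it as soon as the imported entries have been checked with 'pass'.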

