PlakarKorp · omar-polo · Oct 7, 2025
diff --git a/pledge.go b/pledge.go
@@ -0,0 +1,6 @@
+//go:build !openbsd
+
+package s3
+
+func Unveil(string, string) error { return nil }
+func Pledge(string) error         { return nil }
diff --git a/pledge_openbsd.go b/pledge_openbsd.go
@@ -0,0 +1,13 @@
+//go:build openbsd
+
+package s3
+
+import "golang.org/x/sys/unix"
+
+func Unveil(path, perm string) error {
+	return unix.Unveil(path, perm)
+}
+
+func Pledge(promises string) error {
+	return unix.PledgePromises(promises)
+}
diff --git a/plugin/storage/main.go b/plugin/storage/main.go
@@ -1,12 +1,34 @@
 package main
 
 import (
+	"log"
 	"os"
+	"runtime"
 
 	sdk "github.com/PlakarKorp/go-kloset-sdk"
+	s3 "github.com/PlakarKorp/integration-s3"
 	"github.com/PlakarKorp/integration-s3/storage"
 )
 
 func main() {
+	// golang stdlib tries to open cert files at "well known"
+	// locations.  On OpenBSD, we only really have
+	// /etc/ssl/cert.pem, so that's a safe guess, but attempt to
+	// respect SSL_CERT_FILE if set.
+	if runtime.GOOS == "openbsd" {
+		cert, ok := os.LookupEnv("SSL_CERT_FILE")
+		if !ok {
+			cert = "/etc/ssl/cert.pem"
+			os.Setenv("SSL_CERT_FILE", cert)
+		}
+
+		if err := s3.Unveil(cert, "r"); err != nil {
+			log.Fatalln("unveil /etc/ssl/cert.pem:", err)
+		}
+		if err := s3.Pledge("stdio rpath inet dns"); err != nil {
+			log.Fatalln("pledge:", err)
+		}
+	}
+
 	sdk.EntrypointStorage(os.Args, storage.NewStore)
 }