You can now use
snap connect chromium:pcscd
As said in the previous comment, this should at least address 2.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1967632
Title:
Eero, thanks for posting the way you got this working on #74.
1:
> /run/user/1000/doc/*/opensc-pkcs11.so mr,
Is it really necessary? The snaps do have access to /run/user/$UID/doc/,
as you can confirm by entering file:///run/user/1000/doc in the address
bar.
2:
> /run/pcscd/pcscd.comm wr,
This
The test snap does have the components I expected to be sufficient. I
don't know the reason of failure and haven't got the time to investigate
it in the short term, sorry.
** Changed in: chromium-browser (Ubuntu)
Status: In Progress => Triaged
--
For some reason some binaries are no longer making it into the snap. :|
I'm investigating...
--
> Can you ascertain if your smart card is supported by OpenSC?
Yes, totally. It's a DNIe:
https://github.com/OpenSC/OpenSC/wiki/DNIe-(OpenDNIe)/dca4ae71aac1deb510df0d2b9afebb59afd07feb
--
Can you ascertain if your smart card is supported by OpenSC?
--
OK, now chromium starts, but when I try to access some website that
requires the certificate on my smartcard, it seems like it's doing
nothing to access the smartcard, so to speak.
Everything works OK on my non-snapped Firefox.
--
Parallel install is OK, I committed the fix for that weeks ago... In the
wrong branch. (:
Rebuilt now, with my limited connection I cannot download it to test it,
but I tested by making local changes by unsquashing and trying the snap.
Can you please give it another try and let me know? The revis
Hi! I wanted to try this. This is what I did:
$ sudo snap set system experimental.parallel-instances=true
$ snap refresh --beta snapd
$ sudo snap install --channel stable/pkcs chromium_pkcs
$ sudo snap connect chromium_pkcs:pcscd
But I get an error when trying to execute chromium:
$ chromium_pkc
Thanks Ludovic, so for those smart cards, the pcscd interface has been
merged in Snapd (but is apparently only available from 2.60.4 on, so
currently you need the beta channel of it), and so I update the test
case to a simpler:
--->
snap refresh --beta snapd
snap refresh --channel stable/pkcs chro
> Bear in mind that I was oblivious to the components involved until I
> started looking at this bug and I still don't have a complete picture of
> them. So please point out any mistake or omission you can find.
Your solution may/should work for smart cards that are supported by OpenSC.
But it will no
The snap on stable/pkcs has been built with (what I gather are) the
essential components — opensc-pkcs11, libpcsclite, and also a couple of
debugging utilities — for the most basic and supported smart cards. You
may want to test it, if so keep reading.
You would also need pcscd installed and start
** Also affects: chromium-browser (Ubuntu)
Importance: Undecided
Status: New
** Changed in: chromium-browser (Ubuntu)
Importance: Undecided => High
** Changed in: chromium-browser (Ubuntu)
Status: New => In Progress
** Changed in: chromium-browser (Ubuntu)
Assignee: (una
Adding my name to this as I use an old W10 laptop for accessing USGOV
sites until the issue is fixed.
--
I was able to load the module libaetpkss from version 3.7.0 (instead of
the latest 3.8.0) to Snap Firefox just copying the shared library to my
home dir (where Firefox has access). It has to be the version 3.7.0 that
needs the legacy package libssl1.1
--
I don't know if this could help someone but firefox from mozilla repositories
didn't work for me either (Kubuntu 22.10)
If I remember correctly I noticed that pcs package is not installed by default,
in addition the service pcsd didn't run by default, in this context firefox
can't add the mod
"If canonical wants to deploy ubuntu in enterprise with a lot of card reader
usages, this is a critical bug."
I agree.
They also need to keep in mind that enterprises may also use smartcards for
login which implies pcscd
needs to be run as root as pam modules will need access to it, during log
Could there be a little bit more professional solution? If canonical
wants to deploy ubuntu in enterprise with a lot of card reader usages,
this is a critical bug.
In this case there should be maintained non-snap official firefox
package to workaround.
--
Also, you can install the regular Firefox following these instructions.
In this case, you will change the snap version for the .deb one, and it
contains instructions for avoiding the re-installation of Firefox snap
and for getting automated updates for the .deb version via unattended-
upgrades:
htt
"Is there a working work-around available?"
Yes, install the Debian FireFox-esr which does not use snap.
Google for: Ubuntu firefox esr
https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-ubuntu/
--
Problem to install/read Belgium e-Id. Is this the problem bug? Is there
a working work-around available?
--
Launchpad has imported 17 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://h
Thanks for the ldd output.
libpcsclite.so.1 is the lib to use the pcscd socket, and is used by modules
libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below). It is not
used in libbit4xpki.so which may be a software pkcs11 or does not use pcscd.
libcrypto.so.1.1 is OpenSSL-1.1 a
It seems there is another smartcard model used by the Italian
government. I thought this could be useful as another example:
$ ldd libstpkcs11.so
linux-vdso.so.1 (0x7ffe51f67000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x7f394c92a000)
libpcsclite
I did a quick search and found two deb packages at an Italian government
website containing libbit4xpki.so
This is the output from i386 and amd64 versions:
$ ldd libbit4xpki.so
linux-gate.so.1 (0xf7f7f000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf7d87000)
libdl.so.2
Here is the output:
$ ldd /usr/lib/libeToken.so.10.7.77
linux-vdso.so.1 (0x7ffe6e5ae000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x7fa98abb3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fa98abae000)
libpcsclite.so.1 => /lib/x
So it appears that loading a PKCS11 module in snap packaged FireFox requires:
1) "/run/user/[0-9]*/** mr,"
2) "/run/pcscd/pcscd.comm rw," (if module uses pcscd)
3) absolute path (i.e. no symlinks) to the module
4) all libs the module may need to be in the snap base
To test if (4) is correc
https://launchpad.net/~liuck
Thank you very much! I managed to use my SafeNet eToken 5100 to login to a
Brazilian government website using your instructions!
In my case, I didn't need to install the libacsccid1 package, maybe that
is related to your smart card. I also didn't have any infinite cyc
This may be the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the
host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/**
rm,` to the apparmor profile doesn't work as you'd expect (see
https://github.com/snapcore/snapd/pull/1102
Thank you very much for documenting thoroughly your findings. These will
be useful to design and implement a proper solution to the problem.
In the meantime, a couple of comments:
- the apparmor profile will be overwritten every time the snap is
updated, so you will have to re-apply the changes
Guys, it works for me!
It's weird but somehow it works :-)
More than my previous not working comment
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/9
I have added:
- the libacsccid1 package
- rw access to the unix socket /run/pcscd/pcscd.comm in the apparmor profile
Su
** Also affects: firefox via
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371
Importance: Unknown
Status: Unknown
--
BTW: I succeeded in my test and I checked my working ACR38 AC1038-based
Smart Card Reader with these commands:
# apt install libacsccid1 pcscd pcsc-tools opensc
# pcsc_scan
and in FF snap I cannot load /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
(thanks to
https://guide.debianizzati.org/index.php/C
https://launchpad.net/~liuck
You can test your reader/card with OpenSC without firefox.
see: "man pkcs11-tool" or "pkcs11-tool --help". "pkcs11-tool --test
--login" will try and read certificates and do sign/verify using
private keys. It may prompt for pin several times.
If you can also add --m
This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both
allow the loading of PKCS11 modules as do other programs. But the snap
has not packaged these.
Access to smartcards is usually handled by PC/SC i.e. the pcscd daemon.
It provides locking access to the smartcards from multiple
https://launchpad.net/~dengert , https://launchpad.net/~tnetter
Unfortunately my summary of @dengert instructions is neither a solution /
nor a workaround.
Following those steps I managed to add only one "security device", but
it does not work when accessing the website:
https://dichiarazioneprecompi
https://launchpad.net/~liuck can you give some more information:
What PKCS11 module are you using?
What version of Ubuntu?
From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of
VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any
file in my /usr/run/1000
Many thanks to Luca Ferroni for summarizing a solution.
For users of European Patent Office smart cards seeing
Secure Connection Failed... Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
please see instructions posted by thomasip on Wed Aug 24, 2022 2:29 pm at:
https://forums.epo.org/new-version-of
Hi, this bug also affects me.
TLDR and as a confirmation of the workaround, as root type:
# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap
add "#include " in
/var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #inc
After spending a week on this, I think I see the problem.
(1) pkcs11 modules are dynamically loaded by mozilla nss and need the
/etc/apparmor.d/abstractions/p11-kit as stated in previous comment.
(2) dynamically loaded modules may also load additional shared
libraries. So apparmor profiles are ne
Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400
audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap"
profile="snap.firefox.firefox"
name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
comm="firefox" requested_mask="m" denied_mask="m"
** Summary changed:
- apparmor denied when trying to load pkcs11 module for smart card
authentication
+ [snap] apparmor denied when trying to load pkcs11 module for smart card
authentication
--