On Thu, 06 Nov 2025 at 02:58:02 -0300, Cristiano Nunes wrote:
> After adding the following lines to the file
> `/etc/apparmor.d/usr.bin.papers` and reloading AppArmor, digital
> signing works correctly:
>
>     owner @{HOME}/.pki/** lrk,
>     /sys/devices/** r,
>     /run/pcscd/pcscd.comm rw,
>
> This indicates that the issue lies in the AppArmor profile rather than
> in the Papers application itself.

The AppArmor profile is part of the papers package, though, so
reassigning to a package that doesn't contain the AppArmor profile
doesn't really make sense.
If you change these lines to

    audit owner @{HOME}/.pki/** lrk,
    audit /sys/devices/** r,
    audit /run/pcscd/pcscd.comm rw,

and reboot (or reload AppArmor), then try to sign something, what
accesses get logged to the audit log?
I agree with commenters on the Ubuntu bug that "/sys/devices/** r,"
seems like overly broad access, but probably it can be narrowed down
somewhat.
Ideally the apparmor package would have an abstraction for "access to
smart cards" or similar, which papers' profile could "include" instead
of having to know all the details of how smart cards are accessed.
smcv
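
One way to summarise what the `audit` rules above log, as an added example that is not part of the original message or of the papers or apparmor packages: it parses AppArmor `apparmor="AUDIT"` records and lists the paths and file names actually touched, which is the input needed to narrow `/sys/devices/** r,`. The profile name `papers`, the PIDs and all paths in the sample log are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel's AppArmor audit format; the profile
# name "papers", the PIDs and every path are assumptions for illustration.
SAMPLE_LOG = '''\
audit: type=1400 audit(1762434001.101:210): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/idVendor" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1762434001.102:211): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/idProduct" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1762434001.150:212): apparmor="AUDIT" operation="connect" class="file" profile="papers" name="/run/pcscd/pcscd.comm" pid=4242 comm="papers" requested_mask="wr" fsuid=1000 ouid=0
audit: type=1400 audit(1762434001.200:213): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/home/user/.pki/nssdb/cert9.db" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1762434001.201:214): apparmor="AUDIT" operation="file_lock" class="file" profile="papers" name="/home/user/.pki/nssdb/cert9.db" pid=4242 comm="papers" requested_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1762434001.300:215): apparmor="AUDIT" operation="open" class="file" profile="papers" name=2F686F6D652F757365722F2E706B692F6D79206B6579 pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1762434002.000:216): apparmor="DENIED" operation="open" class="file" profile="other" name="/tmp/x" pid=99 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
        # An unquoted name= is hex-encoded (the path held a space or similar).
        if key == "name" and not raw.startswith('"'):
            try:
                rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all: keep the raw value
    return rec

def audited_accesses(log, profile):
    """Map each path the profile used via an audit rule to its merged mask."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "AUDIT"
                and rec.get("profile") == profile and "name" in rec):
            seen[rec["name"]] |= set(rec.get("requested_mask", ""))
    return {path: "".join(sorted(mask)) for path, mask in seen.items()}

def sysfs_leaves(accesses):
    """File names read under /sys/devices, which a narrower rule must cover."""
    return sorted({p.rsplit("/", 1)[1] for p in accesses
                   if p.startswith("/sys/devices/")})

if __name__ == "__main__":
    acc = audited_accesses(SAMPLE_LOG, "papers")
    for path, mask in sorted(acc.items()):
        print(f"{mask:3} {path}")
    print("sysfs leaves:", sysfs_leaves(acc))
```
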