https://bugs.kde.org/show_bug.cgi?id=510008
Bug ID: 510008
Summary: Make Flatpak Okular sign PDFs with Belgian eID (again)
Classification: Applications
Product: okular
Version First Reported In: 25.08.0
Platform: Flatpak
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: PDF backend
Assignee: okular-de...@kde.org
Reporter: rob...@riemann.cc
Target Milestone: ---

Dears,

Before I used Kinoite with Flatpak Okular (from Fedora flathub repo), I managed to sign documents with my Belgian eID card. However, given the sandboxing of flatpak apps, this is broken currently on my Fedora Kinoite laptop.

~~~
Okular - View and annotate documents

ID: org.kde.okular
Ref: app/org.kde.okular/x86_64/stable
Arch: x86_64
Branch: stable
Version: 25.08.0
License: GPL-2.0+ and GFDL-1.3
Origin: fedora
Collection:
Installation: system
Installed: 223.7 MB
Runtime: org.fedoraproject.KDE6Platform/x86_64/f42
Sdk: org.fedoraproject.KDE6Sdk/x86_64/f42

Commit: 39b38c2dde46e7c745cc5c40df4dc4eef1d85997b156b4012d0e9c1cd94d9ea3
Subject: Export org.kde.okular
Date: 2025-08-15 21:43:35 +0000
Alt-id: a95b3cd8893041e487347faa2ca7c43ce2c40bcc8533bdc0ea1abf52cb50b9db
~~~

The Belgian eID is recognised on the host with `pdfsig`:

~~~
pdfsig -backend NSS -list-nicks
Certificate nicknames available:
BELPIC:Authentication
BELPIC:Signature
~~~

I understand that the configuration relies on p11kit modules:

~~~
cat /usr/share/p11-kit/modules/beid.module
module: beidpkcs11.so
~~~

Then, flatpaks should rely on p11kit-client to interact with certs from the host.

Reference:
https://gist.github.com/jmpolom/cbecace9c56f6de72df9c129058caff2
https://github.com/p11-glue/p11-kit/issues/68

So I have run on my host the following setup commands:

~~~
systemctl --user enable --now p11-kit-server.socket
flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 org.kde.okular
# reboot – just in case
~~~

Then, I open Okular, configure the NSS backend for signing in the PDF tab and, upon attempting to sign, I get the error:

> There are no available signing certificates.
> For more information, please see the section about Adding Digital Signatures
> in the manual.

Then, I open the shell in the flatpak with `flatpak run --branch=stable --arch=x86_64 --command=bash --file-forwarding org.kde.okular`.

Then I try:

~~~
p11tool --list-token-urls
pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust

p11-kit list-modules
module: p11-kit-trust
    path: /usr/lib64/pkcs11/p11-kit-client.so
    uri: pkcs11:library-description=PKCS%2311%20Kit%20Proxy%20Module;library-manufacturer=PKCS%2311%20Kit
    library-description: PKCS#11 Kit Proxy Module
    library-manufacturer: PKCS#11 Kit
    library-version: 1.1
    token: System Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: Default Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: BELPIC
        uri: pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
        manufacturer: Belgium Government
        model: Belgium eID
        serial-number: 8AA5B22712924134
        hardware-version: 1.0
        firmware-version: 24.0
        flags:
              write-protected
              user-pin-initialized
~~~

So I can somewhat see the Belgium eID from the Okular flatpak, but I cannot see anything from within Okular.
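
Added example, not part of the report and not code from Okular, Poppler or p11-kit: a small Python parser for the RFC 7512 token URLs that `p11tool --list-token-urls` printed inside the sandbox, so a host listing and a sandbox listing can be compared attribute by attribute. The function names are hypothetical, the sample input is copied from the listing in the report, and the optional `?query` part of a URI is deliberately dropped.

```python
from urllib.parse import unquote

# Token URLs copied from the `p11tool --list-token-urls` output in the report.
SANDBOX_OUTPUT = """\
pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
"""


def parse_pkcs11_uri(uri):
    """Return the path attributes of an RFC 7512 URI as a decoded dict."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    # Path attributes are ';'-separated; anything after '?' is the query
    # component (pin-source, module-path, ...) and is ignored here.
    path_part = rest.partition("?")[0]
    attrs = {}
    for item in filter(None, path_part.split(";")):
        name, eq, value = item.partition("=")
        # RFC 7512 allows each path attribute at most once.
        if not eq or name in attrs:
            raise ValueError(f"malformed or repeated attribute: {item!r}")
        attrs[name] = unquote(value)  # %20 -> ' ', %23 -> '#'
    return attrs


def external_tokens(listing):
    """Return tokens in a listing that are not p11-kit-trust stores."""
    tokens = []
    for line in listing.splitlines():
        if line.startswith("pkcs11:"):
            attrs = parse_pkcs11_uri(line)
            if attrs.get("model") != "p11-kit-trust":
                tokens.append(attrs)
    return tokens


if __name__ == "__main__":
    for tok in external_tokens(SANDBOX_OUTPUT):
        print(tok["token"], "-", tok["manufacturer"], "-", tok["model"])
```

Running the same function over the host's `p11tool --list-token-urls` output and comparing the two results shows whether the forwarded p11-kit socket exposes the same tokens inside the sandbox as on the host.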