It would be a big limitation if the solution to this focuses entirely on
pcsc-lite:
a) /var/run/pcscd/pcscd.comm is internal and varies between
distributions and pcsc-lite versions. I.e. any pcsc-lite library
embedded in the snap package is not guaranteed to be able to talk to the
system pcscd
Since this has been open for so long, I would like to point out that all
these pkcs11 modules use a system PCSC-lite daemon.
https://pcsclite.apdu.fr/ PCSC-lite provides locking and can use polkit
to restrict access as needed. There should be only one PCSC daemon
running for the system.
--
(In reply to J Bedford from comment #24)
> Any news on this? It really is a blocker for using Ubuntu in a number of
> countries as it prevents interaction with government services.
Maybe see this as a security feature, not a bug :-)
--
You received this bug notification because you are a
No. I am not an Ubuntu developer, only OpenSC. But this problem has not
been resolved for 2 years.
Also see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632
and comment 8
--
You can guarantee that it will always be so?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1967632
Title:
[snap] apparmor denied when trying to load pkcs11 module for smart
> Any news on this? It really is a blocker for using Ubuntu in a number
of countries as it prevents interaction with government services."
You can always use firefox-esr. It does not use SNAP.
--
Any news on this? It really is a blocker for using Ubuntu in a number of
countries as it prevents interaction with government services.
--
The test snap does have the components I expected to be sufficient. I
don't know the reason of failure and haven't got the time to investigate
it in the short term, sorry.
** Changed in: chromium-browser (Ubuntu)
Status: In Progress => Triaged
--
For some reason some binaries are no longer making it into the snap. :|
I'm investigating...
--
> Can you ascertain if your smart card is supported by OpenSC?
Yes, totally. It's a DNIe:
https://github.com/OpenSC/OpenSC/wiki/DNIe-(OpenDNIe)/dca4ae71aac1deb510df0d2b9afebb59afd07feb
--
Can you ascertain if your smart card is supported by OpenSC?
--
OK, now chromium starts, but when I try to access some website that
requires the certificate on my smartcard, it seems like it's doing
nothing to access the smartcard, so to speak.
Everything works OK on my non-snapped Firefox.
--
Parallel install is OK, I committed the fix for that weeks ago... In the
wrong branch. (:
Rebuilt now, with my limited connection I cannot download it to test it,
but I tested by making local changes by unsquashing and trying the snap.
Can you please give it another try and let me know? The
Hi! I wanted to try this. This is what I did:
$ sudo snap set system experimental.parallel-instances=true
$ snap refresh --beta snapd
$ sudo snap install --channel stable/pkcs chromium_pkcs
$ sudo snap connect chromium_pkcs:pcscd
But I get an error when trying to execute chromium:
$
Thanks Ludovic, so for those smart cards, the pcscd interface has been
merged in Snapd (but is apparently only available from 2.60.4 on, so
currently you need the beta channel of it), and so I update the test
case to a simpler:
--->
snap refresh --beta snapd
snap refresh --channel stable/pkcs
> Bear in mind that I was oblivious to the components involved until I
> started looking at this bug and I still don't have a complete picture of
> them. So please point out any mistake or omission you can find.
Your solution may/should work for smart cards that are supported by OpenSC.
But it will
The snap on stable/pkcs has been built with (what I gather are) the
essential components — opensc-pkcs11, libpcsclite, and also a couple of
debugging utilities — for the most basic and supported smart cards. You
may want to test it, if so keep reading.
You would also need pcscd installed and
It's on the Ubuntu Desktop team backlog and we hope to be able to work
on it during this Ubuntu cycle
--
Yes, the plan is to work on this for Firefox as well, but I'm not sure
about the exact timeline.
--
According to Launchpad, it's being worked on for a fix on Chromium, can
we also work on Firefox?
--
(In reply to Olivier Tilloy from comment #19)
> Not currently, but it is on my short-term to-do list.
Any news about this? Thanks
--
** Also affects: chromium-browser (Ubuntu)
Importance: Undecided
Status: New
** Changed in: chromium-browser (Ubuntu)
Importance: Undecided => High
** Changed in: chromium-browser (Ubuntu)
Status: New => In Progress
** Changed in: chromium-browser (Ubuntu)
Assignee:
Adding my name to this as I use an old W10 laptop for accessing USGOV
sites until the issue is fixed.
--
I was able to load the module libaetpkss from version 3.7.0 (instead of
the latest 3.8.0) to Snap Firefox just copying the shared library to my
home dir (where Firefox has access). It has to be the version 3.7.0 that
needs the legacy package libssl1.1
--
I don't know if this could help someone but firefox from mozilla repositories
didn't work for me either (Kubuntu 22.10)
If I remember correctly I noticed that pcs package is not installed by default,
in addition the service pcsd didn't run by default, in this context firefox
can't add the
Not currently, but it is on my short-term to-do list.
--
"If canonical wants to deploy ubuntu in enterprise with a lot of card reader
usages, this is a critical bug."
I agree.
They also need to keep in mind, that enterprises may also use smartcards for
login which implies pcscd
needs to be run as root as pam modules will need access to it, during
Could there be a little bit more professional solution? If canonical
wants to deploy ubuntu in enterprise with a lot of card reader usages,
this is a critical bug.
In this case there should be maintained non-snap official firefox
package to workaround.
--
(In reply to Olivier Tilloy from comment #1)
> (from
> https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu
> security team is:
> - stage common PKCS modules in the snap
> - add a layout
Also, you can install the regular Firefox following these instructions.
In this case, you will change the snap version for the .deb one, and it
contains instructions for avoiding the re-installation of Firefox snap
and for getting automated updates for the .deb version via
unattended-upgrades:
"Is there a working work-around available?"
Yes, install the Debian FireFox-esr which does not use snap.
Google for: Ubuntu firefox esr
https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-ubuntu/
--
Problem to install/read Belgium e-Id. Is this the problem bug? Is there
a working work-around available?
--
(In reply to Olivier Tilloy from comment #1)
> (from
> https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu
> security team is:
> - stage common PKCS modules in the snap
> - add a layout
Launchpad has imported 17 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
Thanks for the ldd output.
libpcsclite.so.1 is the lib to use the pcscd socket, and is used by modules
libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below). It is not
used in libbit4xpki.so which may be a software pkcs11 or does not use pcscd.
libcrypto.so.1.1 is OpenSSL-1.1
It seems there is another smartcard model used by the Italian
government. I thought this could be useful as another example:
$ ldd libstpkcs11.so
linux-vdso.so.1 (0x7ffe51f67000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x7f394c92a000)
I did a quick search and found two deb packages at an Italian government
website containing libbit4xpki.so
This is the output from i386 and amd64 versions:
$ ldd libbit4xpki.so
linux-gate.so.1 (0xf7f7f000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf7d87000)
libdl.so.2
Here is the output:
$ ldd /usr/lib/libeToken.so.10.7.77
linux-vdso.so.1 (0x7ffe6e5ae000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x7fa98abb3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fa98abae000)
libpcsclite.so.1 =>
So it appears that to load a PKCS11 module in snap packaged FireFox requires:
1) "/run/user/[0-9]*/** mr,"
2) "/run/pcscd/pcscd.comm rw," (if module uses pcscd)
3) absolute path (i.e. no symlinks) to the module
4) all libs the module may need to be in the snap base
To test if (4) is
https://launchpad.net/~liuck
Thank you very much! I managed to use my SafeNet eToken 5100 to login to a
Brazilian government website using your instructions!
In my case, I didn't need to install the libacsccid1 package, maybe that
is related to your smart card. I also didn't have any infinite
This may be the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the
host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/**
rm,` to the apparmor profile doesn't work as you'd expect (see
Thank you very much for documenting thoroughly your findings. These will
be useful to design and implement a proper solution to the problem.
In the meantime, a couple of comments:
- the apparmor profile will be overwritten every time the snap is
updated, so you will have to re-apply the changes
Guys, it works for me!
It's weird but somehow it works :-)
More than my previous not working comment
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/9
I have added:
- the libacsccid1 package
- rw access to the unix socket /run/pcscd/pcscd.comm in the apparmor profile
** Also affects: firefox via
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371
Importance: Unknown
Status: Unknown
--
BTW: I succeeded in my test and I checked my working ACR38 AC1038-based
Smart Card Reader with these commands:
# apt install libacsccid1 pcscd pcsc-tools opensc
# pcsc_scan
and in FF snap I cannot load /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
(thanks to
https://launchpad.net/~liuck
You can test your reader/card with OpenSC without firefox.
see: "man pkcs11-tool" or "pkcs11-tool --help". "pkcs11-tool --test
--login" will try and read certificates and do sign/verify using
private keys. It may prompt for pin several times.
If you can also add
This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both
allow the loading of PKCS11 modules as do other programs. But the snap
has not packaged these.
Access to smartcards is usually handled by PC/SC i.e. the pcscd daemon.
It provides locking access to the smartcards from multiple
https://launchpad.net/~dengert , https://launchpad.net/~tnetter
unfortunately my summary of @dengert instructions is neither a solution
nor a workaround.
Following those steps I managed to add only one "security device", but
it does not work when accessing the website:
https://launchpad.net/~liuck can you give some more information:
What PKCS11 module are you using?
What version of Ubuntu?
From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of
VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any
file in my /usr/run/1000
Many thanks to Luca Ferroni for summarizing a solution.
For users of European Patent Office smart cards seeing
Secure Connection Failed... Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
please see instructions posted by thomasip on Wed Aug 24, 2022 2:29 pm at:
Hi, this bug also affects me.
TL;DR and as a confirmation of the workaround, as root type:
# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap
add "#include " in
/var/lib/snapd/apparmor/profiles/snap.firefox.firefox after
After spending a week on this, I think I see the problem.
(1) pkcs11 modules are dynamically loaded by mozilla nss and need the
/etc/apparmor.d/abstractions/p11-kit as stated in previous comment.
(2) dynamically loaded modules may also load additional shared
libraries. So apparmor profiles are
Initial problem of:
Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400
audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap"
profile="snap.firefox.firefox"
name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
comm="firefox" requested_mask="m" denied_mask="m"
** Summary changed:
- apparmor denied when trying to load pkcs11 module for smart card
authentication
+ [snap] apparmor denied when trying to load pkcs11 module for smart card
authentication
--
Here the BE government application eid-viewer (latest version) does not load the
data on Belgian identity-cards. Neither the internal (a Dell-Latitude) nor the
external card reader PKCS#11 works. The LEDs on the reader go dark 5 seconds
after plugging the usb cable in.
I see on the
** Tags added: snap
--
It seems the fix is coming. A new interface called pkcs11 was released.
Now it just needs Firefox snap to use it.
--
It's the same with Spain's government electronic ID card. When I try to
load the security device on firefox (the smart card reader) it throws me
an error.
Output of dmesg:
6930.990257] audit: type=1400 audit(1649676741.715:120): apparmor="DENIED"
operation="file_mmap"
** Changed in: firefox (Ubuntu)
Importance: Undecided => High
** Changed in: firefox (Ubuntu)
Status: New => Triaged
--
Thanks, that's known and on the desktop jira and tracked upstream as
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371
** Bug watch added: Mozilla Bugzilla #1734371
https://bugzilla.mozilla.org/show_bug.cgi?id=1734371
--
The upstream firefox binary tarball loads the pkcs11 module just fine
from /usr/lib/x86_64-linux-gnu/
--
Public bug reported:
I use a smart card to access government sites. I have that working in
firefox and chrome on ubuntu impish, and gave jammy a try, but there
firefox won't load the library, giving me a generic error.
dmesg, however, shows this apparmor denied message:
[sáb abr 2 17:32:27