| Summary: | Make Flatpak Okular sign PDFs with Belgian eID (again) | | |
|---|---|---|---|
| Product: | [Applications] okular | Reporter: | Robert Riemann <robert> |
| Component: | PDF backend | Assignee: | Okular developers <okular-devel> |
| Status: | REPORTED --- | | |
| Severity: | normal | CC: | aacid, evertheylen |
| Priority: | NOR | | |
| Version First Reported In: | 25.08.0 | | |
| Target Milestone: | --- | | |
| Platform: | Flatpak | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed/Implemented In: | |
| Sentry Crash Report: | | | |
It would seem you are the person that can fix this.

It used to work and now it doesn't. bisect when it broke.

(In reply to Albert Astals Cid from comment #1)
> It would seem you are the person that can fix this.
>
> It used to work and now it doesn't. bisect when it broke.

Hi Albert, it was working when I was using no flatpaks. Now that I use an Okular flatpak, it does not work. I do not think that a simple bisect would help, as the environment has changed.

(In reply to Robert Riemann from comment #2)
> (In reply to Albert Astals Cid from comment #1)
> > It would seem you are the person that can fix this.
> >
> > It used to work and now it doesn't. bisect when it broke.
>
> Hi Albert, it was working when I was using no flatpaks. Now that I use an
> Okular flatpak, it does not work. I do not think that a simple bisect would
> help, as the environment has changed.

Ah, I misunderstood you, I thought you said it was working with flatpaks too before.

I had a similar issue, but I fixed it. Here's what I did:
On the host, run:
```
mkdir -p ~/.pki/nssdb
systemctl --user enable --now p11-kit-server.socket
flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 --filesystem=~/.pki/nssdb org.kde.okular
```
Then edit the file ~/.pki/nssdb/pkcs11.txt to contain something like this (the first part was already there, the second part is important!):
```
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/evert/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='>
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Came>
library=
name=p11-kit-proxy
library=/usr/lib64/pkcs11/p11-kit-client.so
slotDescription=p11-kit-proxy
parameters=
```
Potentially, the `p11-kit-client.so` may be placed in a different directory, in which case you'll need to edit it.
Finally, in Okular, go to "Settings" > "Configure Backends" > "PDF" > "Certificate Database" and set it to `~/.pki/nssdb`. Restart Okular.
(Thanks in part to the instructions at https://gist.github.com/jmpolom/cbecace9c56f6de72df9c129058caff2)
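An added check script (not from the thread, Okular or p11-kit) for the setup described in the comment above: it verifies that `pkcs11.txt` has a module entry loading `p11-kit-client.so`, that the library path exists where the check runs, and that the p11-kit server socket is visible. The function names and the `check` argument are made up for this example, and the default socket path assumes `xdg-run` resolves to `$XDG_RUNTIME_DIR`.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the NSS + p11-kit-client
# setup described above. Run it from a shell inside the sandbox.

# Print every library= value in an NSS pkcs11.txt that loads p11-kit-client.so.
p11_client_libs() {
    sed -n 's/^library=\(.*p11-kit-client\.so\)[[:space:]]*$/\1/p' "$1"
}

# check_setup NSSDB_DIR SOCKET_PATH (hypothetical helper)
# Prints one line per check and returns the number of failed checks.
check_setup() {
    db=$1; sock=$2; fails=0
    if [ ! -r "$db/pkcs11.txt" ]; then
        echo "FAIL: $db/pkcs11.txt is not readable from here"
        fails=$((fails + 1))
    else
        libs=$(p11_client_libs "$db/pkcs11.txt")
        if [ -z "$libs" ]; then
            echo "FAIL: no module entry loads p11-kit-client.so"
            fails=$((fails + 1))
        else
            # One path per line; each must exist where NSS will load it.
            while IFS= read -r lib; do
                if [ -e "$lib" ]; then
                    echo "ok:   $lib exists"
                else
                    echo "FAIL: $lib does not exist (adjust library= in pkcs11.txt)"
                    fails=$((fails + 1))
                fi
            done <<EOF
$libs
EOF
        fi
    fi
    if [ -S "$sock" ]; then
        echo "ok:   p11-kit server socket visible at $sock"
    else
        echo "FAIL: no socket at $sock (server not running or path not shared)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Assumed defaults: the NSS database and socket paths used in the thread.
if [ "${1:-}" = "check" ]; then
    check_setup "${2:-$HOME/.pki/nssdb}" \
        "${3:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/p11-kit/pkcs11}"
fi
```

Saved to a file and run as `sh FILE check` inside the sandbox shell, it exits with the number of failed checks, so 0 means all three conditions hold.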
Dears,

Before I used Kinoite with Flatpak Okular (from Fedora flathub repo), I managed to sign documents with my Belgian eID card. However, given the sandboxing of flatpak apps, this is broken currently on my Fedora Kinoite laptop.

~~~
Okular - View and annotate documents

ID: org.kde.okular
Ref: app/org.kde.okular/x86_64/stable
Arch: x86_64
Branch: stable
Version: 25.08.0
License: GPL-2.0+ and GFDL-1.3
Origin: fedora
Collection:
Installation: system
Installed: 223.7 MB
Runtime: org.fedoraproject.KDE6Platform/x86_64/f42
Sdk: org.fedoraproject.KDE6Sdk/x86_64/f42

Commit: 39b38c2dde46e7c745cc5c40df4dc4eef1d85997b156b4012d0e9c1cd94d9ea3
Subject: Export org.kde.okular
Date: 2025-08-15 21:43:35 +0000
Alt-id: a95b3cd8893041e487347faa2ca7c43ce2c40bcc8533bdc0ea1abf52cb50b9db
~~~

The Belgian eID is recognised on the host with `pdfsig`:

~~~
pdfsig -backend NSS -list-nicks
Certificate nicknames available:
BELPIC:Authentication
BELPIC:Signature
~~~

I understand that the configuration relies on p11kit modules:

~~~
cat /usr/share/p11-kit/modules/beid.module
module: beidpkcs11.so
~~~

Then, flatpaks should rely on p11kit-client to interact with certs from the host.

Reference:
https://gist.github.com/jmpolom/cbecace9c56f6de72df9c129058caff2
https://github.com/p11-glue/p11-kit/issues/68

So I have run on my host the following setup commands:

~~~
systemctl --user enable --now p11-kit-server.socket
flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 org.kde.okular
# reboot – just in case
~~~

Then, I open okular, configure the NSS backend for signing in the PDF tab and upon attempt to sign, I get the error:

> There are no available signing certificates.
> For more information, please see the section about Adding Digital Signatures in the manual.

Then, I open the shell in the flatpak with `flatpak run --branch=stable --arch=x86_64 --command=bash --file-forwarding org.kde.okular`.

Then I try:

~~~
p11tool --list-token-urls
pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust

p11-kit list-modules
module: p11-kit-trust
    path: /usr/lib64/pkcs11/p11-kit-client.so
    uri: pkcs11:library-description=PKCS%2311%20Kit%20Proxy%20Module;library-manufacturer=PKCS%2311%20Kit
    library-description: PKCS#11 Kit Proxy Module
    library-manufacturer: PKCS#11 Kit
    library-version: 1.1
    token: System Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: Default Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: BELPIC
        uri: pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
        manufacturer: Belgium Government
        model: Belgium eID
        serial-number: 8AA5B22712924134
        hardware-version: 1.0
        firmware-version: 24.0
        flags:
              write-protected
              user-pin-initialized
~~~

So I can somewhat see the Belgium eID from the Okular flatpak, but I cannot see anything from within Okular.