Bug 451060 - don't force user to go command-line to get SmartCard signing to work.
Status: REPORTED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend
Version: unspecified
Platform: Arch Linux Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: Okular developers
Keywords: usability
Reported: 2022-03-02 23:49 UTC by ludwig.maes
Modified: 2022-03-27 16:59 UTC

Description ludwig.maes 2022-03-02 23:49:57 UTC
Add GUI button in Settings -> Configure Backends -> PDF:   ["Add Security Device"]

Before I resolved my problem, the Okular error message when trying to add a signature was cryptic. It found the Certificate Database, but it didn't automatically contain the security device (just like, say, Firefox doesn't out of the box), but Okular does not provide a GUI means of adding the security device .so module (whereas Firefox does).

Currently the user is expected to have already added the <security device> to the certificate database, say through Firefox, where there is a button "Security Devices", and then add/load, where you can give:

* a pretty name for the security device
* the location of the relevant security device library (in my case /usr/lib/opensc-pkcs11.so)

This can be found by running say:
p11-kit list-modules
and then using find / -name on the opensc .so

Wondering what Firefox was doing under the hood, I found it at:

https://gist.github.com/PhilipSchmid/a82b9642e1ec2bf2d16823d72cffc589

so I ran the following command:

modutil -dbdir $HOME/.pki/nssdb/ -add "Mijn eID" -libfile "/usr/lib/opensc-pkcs11.so" -force

and probably unnecessarily also the command

modutil -dbdir $HOME/.pki/nssdb/ -enable "Mijn eID" -force

I say unnecessarily because according to the Arch Wiki instructions for Firefox and Chromium:
https://wiki.archlinux.org/title/Smartcards#Configuration

It seems unnecessary to run the -enable command for Chromium (whereas Firefox does these commands under the hood, and shows a GUI method, which is what I request for Okular)

I would also like to note that it doesn't seem necessary to install the government supplied middleware at all! OpenSC works.
The only weird thing was that I had to select the authentication certificate, it seemed to ask an extra password for the signing certificate but my PIN code did not work! Whereas it worked for the authentication certificate... I think the middlewares of all the different countries are just de-quirking the non-compliance with smartcard standards?

My apologies for my messy submission, I am not familiar with reporting bugs/wishes...
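
An added example, not part of the original report and not Okular or NSS code: a shell wrapper that runs the same modutil -add step only after checking that the library file exists and is not already listed in the database. The module registered this way is a shared library loaded by every application that opens this NSS database, so listing what is registered is also a useful audit step. Assumptions: the database is in NSS's SQL format, whose module list is the text file pkcs11.txt; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent registration of a PKCS#11 module in an NSS database.
# Assumption: SQL-format NSS db, where the module list is the plain-text file
# pkcs11.txt made of "library=" / "name=" stanzas.

# Print the library path of every external module listed in pkcs11.txt ($1).
# The NSS internal module has an empty "library=" line and is skipped.
nss_registered_libs() {
    [ -r "$1" ] || return 0
    sed -n 's/^library=\(..*\)$/\1/p' "$1"
}

# Succeed if the exact library path $2 is already registered in file $1.
nss_has_lib() {
    nss_registered_libs "$1" | grep -Fxq -- "$2"
}

# Register library $3 under display name $2 in database directory $1.
register_module() {
    dbdir=$1 name=$2 lib=$3
    [ -f "$lib" ] || { echo "no such library: $lib" >&2; return 2; }
    if nss_has_lib "$dbdir/pkcs11.txt" "$lib"; then
        echo "already registered: $lib"
        return 0
    fi
    # Same invocation as in the report above.
    modutil -dbdir "$dbdir" -add "$name" -libfile "$lib" -force
}

# Write a constructed pkcs11.txt (sample data, not from a real system) to $1.
write_sample_db() {
    cat > "$1/pkcs11.txt" <<'EOF'
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/opensc-pkcs11.so
name=Mijn eID
EOF
}

# Real use: register_module "$HOME/.pki/nssdb" "Mijn eID" /usr/lib/opensc-pkcs11.so
```
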
