Bug 498558 - Can't import certificates to digitally sign in Okular, it gives "NSS_Init failed: security library: bad database"
Status: RESOLVED FIXED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend
Version: 24.12.0
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Scarlett Moore
Reported: 2025-01-12 14:21 UTC by Allexus J
Modified: 2025-01-24 14:32 UTC
Description Allexus J 2025-01-12 14:21:53 UTC
I'm struggling to import self-signed certificates into Okular to digitally sign a PDF, and I cannot succeed.

I tried two ways:

1)

    $ rm -rf ~/.pki/nssdb/ && mkdir -p ~/.pki/nssdb
    $ certutil -N -d ~/.pki/nssdb
    $ certutil -S -d ~/.pki/nssdb -s "CN=Example Signing Certificate;OU=Example Certificate Authority;O=Example Organization;L=City;ST=State;C=US" -t ",,C,C" -n "Example Signing Certificate" -x

Then I started Okular via terminal and made sure the PDF backend setting was set to the certificate database path /home/allexj/.pki/nssdb, and it gives me

    NSS_Init failed: security library: bad database.


2)
I also tried creating a certificate in a different way, but the result is the same (same error as before):

    $ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout signing.key -out signing.crt -subj "/CN=John T Doe/emailAddress=you@somesite.com" \
    -addext "subjectAltName=email:you@somesite.com"
    $ openssl pkcs12 -export -in signing.crt -inkey signing.key -out signing-certificate.p12 -name "John T Doe"
    $ rm -rf ~/.pki/nssdb && mkdir -p ~/.pki/nssdb && certutil -d ~/.pki/nssdb -N
    $ pk12util -d ~/.pki/nssdb -i signing-certificate.p12


What am I doing wrong? Is this a bug?



SOFTWARE/OS VERSIONS
OS: Ubuntu 24.04.1, Gnome
$ kf5-config --version
Qt: 5.15.13
KDE Frameworks: 5.115.0
Comment 1 Allexus J 2025-01-13 11:08:52 UTC
Update: I was finally able to digitally sign my PDF by using Master PDF Editor 5. But I want to know why Okular has this bug.
Comment 2 Sune Vuorela 2025-01-13 12:21:05 UTC
(In reply to Allexus J from comment #1)
> Update: I was finally able to digitally sign my PDF by using Master PDF
> Editor 5. But I want to know why Okular has this bug.

Is your package installed as a distribution package or as a snap package ?
Comment 3 Allexus J 2025-01-13 17:38:22 UTC
(In reply to Sune Vuorela from comment #2)
> (In reply to Allexus J from comment #1)
> > Update: I was finally able to digitally sign my PDF by using Master PDF
> > Editor 5. But I want to know why Okular has this bug.
> 
> Is your package installed as a distribution package or as a snap package ?

snap
Comment 4 Sune Vuorela 2025-01-14 08:36:45 UTC
(In reply to Allexus J from comment #3)
> (In reply to Sune Vuorela from comment #2)
> > (In reply to Allexus J from comment #1)
> > > Update: I was finally able to digitally sign my PDF by using Master PDF
> > > Editor 5. But I want to know why Okular has this bug.
> > 
> > Is your package installed as a distribution package or as a snap package ?
> 
> snap

I know nothing of snaps, but I would expect it to need a 'hole' configured in the sandboxing to access ~/.pki/nssdb for that. I don't know if that has been set up or not.

Scarlett?

/Sune
Comment 5 Scarlett Moore 2025-01-14 14:36:11 UTC
Yep, I will have to give the snap access to that file. Will fix asap.
Comment 6 Scarlett Moore 2025-01-15 16:55:15 UTC
I have uploaded the fix to stable; unfortunately it has to be approved. https://forum.snapcraft.io/t/kde-okular-snap-personal-files/44643
Comment 7 Scarlett Moore 2025-01-24 14:32:44 UTC
You must run

    sudo snap connect okular:dot-pki-nssdb :personal-files

and it will work.
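
The following is an added example, not part of the bug thread or of the Okular snap packaging: a host-side check that separates the two situations seen in this report, a missing NSS database versus a snap whose `okular:dot-pki-nssdb` plug is not connected. The function names and the sample `snap connections okular` output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Run on the host, outside the snap sandbox.

# plug_state PLUG: reads `snap connections <snap>` output on stdin and prints
# "connected", "disconnected" (plug exists, no slot) or "missing" (the
# installed snap revision does not declare the plug).
plug_state() {
    awk -v plug="$1" '
        NR > 1 && $2 == plug { found = 1; if ($3 != "-") ok = 1 }
        END { print (ok ? "connected" : (found ? "disconnected" : "missing")) }'
}

# nssdb_format DIR: prints "sql" for a cert9.db/key4.db database, "dbm" for a
# legacy cert8.db database, or "none" when no NSS database is present.
nssdb_format() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then echo sql
    elif [ -f "$1/cert8.db" ]; then echo dbm
    else echo none
    fi
}

# diagnose DIR: stdin is `snap connections okular` output. The database is
# checked first, because connecting the plug cannot help if nothing is there.
diagnose() {
    state=$(plug_state okular:dot-pki-nssdb)
    if [ "$(nssdb_format "$1")" = none ]; then echo no-database
    elif [ "$state" != connected ]; then echo sandbox-blocked
    else echo ok
    fi
}

# Constructed samples of `snap connections okular` output, before and after
# the `snap connect` command from comment 7.
SAMPLE_BEFORE='Interface       Plug                  Slot             Notes
personal-files  okular:dot-pki-nssdb  -                -'
SAMPLE_AFTER='Interface       Plug                  Slot             Notes
personal-files  okular:dot-pki-nssdb  :personal-files  manual'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | plug_state okular:dot-pki-nssdb
printf '%s\n' "$SAMPLE_AFTER"  | plug_state okular:dot-pki-nssdb
```

On a real system, feed it live data with `snap connections okular | diagnose ~/.pki/nssdb`.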