Dears,

Before I used Kinoite with Flatpak Okular (from Fedora flathub repo), I managed to sign documents with my Belgian eID card. However, given the sandboxing of flatpak apps, this is broken currently on my Fedora Kinoite laptop.

~~~
Okular - View and annotate documents

          ID: org.kde.okular
         Ref: app/org.kde.okular/x86_64/stable
        Arch: x86_64
      Branch: stable
     Version: 25.08.0
     License: GPL-2.0+ and GFDL-1.3
      Origin: fedora
  Collection:
Installation: system
   Installed: 223.7 MB
     Runtime: org.fedoraproject.KDE6Platform/x86_64/f42
         Sdk: org.fedoraproject.KDE6Sdk/x86_64/f42

      Commit: 39b38c2dde46e7c745cc5c40df4dc4eef1d85997b156b4012d0e9c1cd94d9ea3
     Subject: Export org.kde.okular
        Date: 2025-08-15 21:43:35 +0000
      Alt-id: a95b3cd8893041e487347faa2ca7c43ce2c40bcc8533bdc0ea1abf52cb50b9db
~~~

The Belgian eID is recognised on the host with `pdfsig`:

~~~
pdfsig -backend NSS -list-nicks
Certificate nicknames available:
BELPIC:Authentication
BELPIC:Signature
~~~

I understand that the configuration relies on p11kit modules:

~~~
cat /usr/share/p11-kit/modules/beid.module
module: beidpkcs11.so
~~~

Then, flatpaks should rely on p11kit-client to interact with certs from the host.

Reference:
https://gist.github.com/jmpolom/cbecace9c56f6de72df9c129058caff2
https://github.com/p11-glue/p11-kit/issues/68

So I have run on my host the following setup commands:

~~~
systemctl --user enable --now p11-kit-server.socket
flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 org.kde.okular
# reboot – just in case
~~~

Then, I open okular, configure the NSS backend for signing in the PDF tab and upon attempt to sign, I get the error:

> There are no available signing certificates.
> For more information, please see the section about Adding Digital Signatures in the manual.

Then, I open the shell in the flatpak with `flatpak run --branch=stable --arch=x86_64 --command=bash --file-forwarding org.kde.okular`.
Then I try:

~~~
p11tool --list-token-urls
pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust

p11-kit list-modules
module: p11-kit-trust
    path: /usr/lib64/pkcs11/p11-kit-client.so
    uri: pkcs11:library-description=PKCS%2311%20Kit%20Proxy%20Module;library-manufacturer=PKCS%2311%20Kit
    library-description: PKCS#11 Kit Proxy Module
    library-manufacturer: PKCS#11 Kit
    library-version: 1.1
    token: System Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: Default Trust
        uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.25
        flags:
              write-protected
              token-initialized
    token: BELPIC
        uri: pkcs11:model=Belgium%20eID;manufacturer=Belgium%20Government;serial=8AA5B22712924134;token=BELPIC
        manufacturer: Belgium Government
        model: Belgium eID
        serial-number: 8AA5B22712924134
        hardware-version: 1.0
        firmware-version: 24.0
        flags:
              write-protected
              user-pin-initialized
~~~

So I can somewhat see the Belgium eID from the Okular flatpak, but I cannot see anything from within Okular.
It would seem you are the person that can fix this.

It used to work and now it doesn't. Bisect when it broke.
(In reply to Albert Astals Cid from comment #1)
> It would seem you are the person that can fix this.
>
> It used to work and now it doesn't. Bisect when it broke.

Hi Albert, it was working when I was using no flatpaks. Now that I use an Okular flatpak, it does not work. I do not think that a simple bisect would help, as the environment has changed.
(In reply to Robert Riemann from comment #2)
> (In reply to Albert Astals Cid from comment #1)
> > It would seem you are the person that can fix this.
> >
> > It used to work and now it doesn't. Bisect when it broke.
>
> Hi Albert, it was working when I was using no flatpaks. Now that I use an
> Okular flatpak, it does not work. I do not think that a simple bisect would
> help, as the environment has changed.

Ah, I misunderstood you, I thought you said it was working with flatpaks too before.
I had a similar issue, but I fixed it. Here's what I did:

On the host, run:

```
mkdir -p ~/.pki/nssdb
systemctl --user enable --now p11-kit-server.socket
flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 --filesystem=~/.pki/nssdb org.kde.okular
```

Then edit the file ~/.pki/nssdb/pkcs11.txt to contain something like this (the first part was already there, the second part is important!):

```
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/evert/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='>
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Came>

library=
name=p11-kit-proxy
library=/usr/lib64/pkcs11/p11-kit-client.so
slotDescription=p11-kit-proxy
parameters=
```

Potentially, the `p11-kit-client.so` may be placed in a different directory, in which case you'll need to edit it.

Finally, in Okular, go to "Settings" > "Configure Backends" > "PDF" > "Certificate Database" and set it to `~/.pki/nssdb`. Restart Okular.

(Thanks in part to the instructions at https://gist.github.com/jmpolom/cbecace9c56f6de72df9c129058caff2)
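
An added example, not part of the comment above or of Okular: a host-side check of the three things that fix relies on (the p11-kit server socket, both `--filesystem` overrides, and a `pkcs11.txt` stanza that loads `p11-kit-client.so`). The function names are hypothetical, and the default override path `~/.local/share/flatpak/overrides/org.kde.okular` assumes the per-user location written by `flatpak override -u`, with entries stored as typed.

```bash
#!/usr/bin/env bash
# Added example: functions only; call check_okular_eid_setup to run the checks.
# All paths are parameters so the checks also work on constructed files.

# Print the non-empty library= path of each module stanza in an NSS pkcs11.txt.
# Stanzas are separated by blank lines; the internal module has an empty library=.
nss_module_libraries() {
    awk -F= '
        /^[[:space:]]*$/ { if (lib != "") print lib; lib = ""; next }
        $1 == "library" && $2 != "" { lib = substr($0, index($0, "=") + 1) }
        END { if (lib != "") print lib }
    ' "$1"
}

# Succeed if some stanza loads p11-kit-client.so (the directory may differ).
nss_has_p11kit_client() {
    nss_module_libraries "$1" | grep -q '/p11-kit-client\.so$'
}

# Succeed if a Flatpak override keyfile lists the path under [Context] filesystems=.
override_grants() {   # $1 = override file, $2 = path exactly as typed
    awk -F= -v want="$2" '
        /^\[/ { ctx = ($0 == "[Context]") }
        ctx && $1 == "filesystems" {
            n = split($2, parts, ";")
            for (i = 1; i <= n; i++) if (parts[i] == want) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Report every missing piece; return non-zero if any check fails.
check_okular_eid_setup() {
    local nssdb="${1:-$HOME/.pki/nssdb}"
    local ovr="${2:-$HOME/.local/share/flatpak/overrides/org.kde.okular}"
    local sock="${3:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/p11-kit/pkcs11}"
    local rc=0
    [ -S "$sock" ] || { echo "p11-kit server socket missing: $sock"; rc=1; }
    override_grants "$ovr" "xdg-run/p11-kit/pkcs11" \
        || { echo "override does not expose the p11-kit socket"; rc=1; }
    override_grants "$ovr" "~/.pki/nssdb" \
        || { echo "override does not expose the NSS database"; rc=1; }
    nss_has_p11kit_client "$nssdb/pkcs11.txt" \
        || { echo "pkcs11.txt has no p11-kit-client.so stanza"; rc=1; }
    return $rc
}
```

Source the file and run `check_okular_eid_setup` on the host; each failed check prints one line naming the piece that is missing.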