Flatpak allows users to manually configure filesystem paths that will get passed into the Flatpak application sandbox via `flatpak override`. This feature can also pass in a unix socket, which works to pass in a dynamically started p11-kit-server socket from the host to access PKCS#11 devices. This will let you access web sites requiring smart card certificate authentication from a web browser installed via Flatpak.
Prerequisites:

- Flatpak installed and working
- Web browser that supports p11-kit installed via Flatpak (ex: Microsoft Edge or Chromium from flathub)
- systemd, pcscd, opensc, and p11-kit packages installed on the host
Steps:

- Enable the p11-kit-server user socket to automatically activate the server service:

  ```
  systemctl --user enable --now p11-kit-server.socket
  ```

- Check the socket status and information with:

  ```
  systemctl --user status p11-kit-server.socket
  ```

  The path to the socket is in the output as `Listen: /run/user/$UID/p11-kit/pkcs11`, which will be used in the next step.

- Configure Flatpak to add the socket into the app sandbox (here only configured for MS Edge):

  ```
  flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 com.microsoft.Edge
  ```

  `xdg-run` is a special path name Flatpak recognizes and substitutes for the path stored in the `$XDG_RUNTIME_DIR` environment variable. This is the `/run/user/$UID` part of the socket path. See `man flatpak-override` for more information.

- Open the browser app and test logging into a CAC/PIV enabled web site like A365 – it should work. If you haven't installed the DoD Root Certificates, websites that don't use commercial PKI certificates will not function.
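The steps above as one script, added here as an example that is not part of the original post. It resolves the socket path from `$XDG_RUNTIME_DIR` the same way Flatpak's `xdg-run` does, refuses to apply the override until the socket actually exists (so a typo in the unit name surfaces before the browser silently fails to see the card), validates the app id so the override is always scoped to one application rather than granted system-wide, and prints the resulting override so you can confirm that only the p11-kit socket was exposed. The function names and the `/run/user/<uid>` fallback are this example's own assumptions; the unit name, socket path and `flatpak override` invocation are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a host that already has
# systemd, pcscd, opensc and p11-kit installed, as listed in the prerequisites.

# Socket path that p11-kit-server.socket listens on: $XDG_RUNTIME_DIR/p11-kit/pkcs11.
# Falls back to /run/user/<uid> when XDG_RUNTIME_DIR is unset (e.g. a non-login shell);
# this fallback is an assumption of the example, not something Flatpak does for you.
p11_socket_path() {
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    printf '%s/p11-kit/pkcs11\n' "$runtime_dir"
}

# Succeeds only if the path exists and is a unix socket, i.e. the user socket unit is
# active. A regular file or a missing path means the override would be pointless.
p11_socket_ready() {
    [ -S "$(p11_socket_path)" ]
}

# A Flatpak app id is reverse-DNS with at least three dot-separated components
# (e.g. com.microsoft.Edge) and only letters, digits, '.', '_' and '-'. Rejecting
# anything else keeps the override scoped to exactly one app and keeps shell
# metacharacters out of the command line.
valid_app_id() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # forbidden character present
        *.*.*) return 0 ;;               # at least three components
        *) return 1 ;;
    esac
}

# Apply the per-app override only after the checks above pass, then show the result.
grant_p11_socket() {
    app_id="$1"
    if ! valid_app_id "$app_id"; then
        echo "invalid Flatpak app id: '$app_id'" >&2
        return 1
    fi
    if ! p11_socket_ready; then
        echo "p11-kit socket not found at $(p11_socket_path)" >&2
        echo "run: systemctl --user enable --now p11-kit-server.socket" >&2
        return 1
    fi
    # Same override as in the post; -u makes it a per-user override, and naming the
    # app id (instead of omitting it) limits the socket to that one sandbox.
    flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 "$app_id" || return 1
    # The filesystems= line in this output should list only xdg-run/p11-kit/pkcs11.
    flatpak override -u --show "$app_id"
}

# Usage on the host (app id taken from the post):
#   grant_p11_socket com.microsoft.Edge
```

If `flatpak override --show` lists more than the p11-kit socket for the app, an earlier override widened the sandbox; `flatpak override -u --reset com.microsoft.Edge` clears per-user overrides for that app so you can re-apply only this one.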