@jmpolom
Last active April 30, 2024 00:07
Flatpak PKCS#11 for smart cards via p11-kit and opensc

How to configure Flatpak apps for PKCS#11 and smart cards

Flatpak lets users manually add filesystem paths that are passed into an application's sandbox via flatpak override. The same mechanism can pass in a Unix socket, which makes it possible to expose a dynamically started p11-kit-server socket from the host so the sandboxed app can reach PKCS#11 devices. This lets a web browser installed via Flatpak access websites that require smart card certificate authentication.

Prerequisites

  • Flatpak installed and working
  • Web browser that supports p11-kit, installed via Flatpak (e.g. Microsoft Edge or Chromium from Flathub)
  • systemd, pcscd, opensc, and p11-kit packages installed on the host

Procedure

  1. Enable the p11-kit-server user socket so that the server service is activated on demand: systemctl --user enable --now p11-kit-server.socket

  2. Check the socket status with systemctl --user status p11-kit-server.socket. The socket path appears in the output as Listen: /run/user/$UID/p11-kit/pkcs11; it is used in the next step.

  3. Configure Flatpak to add the socket to the app sandbox (here only for MS Edge): flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 com.microsoft.Edge. xdg-run is a special path name that Flatpak recognizes and substitutes with the value of the $XDG_RUNTIME_DIR environment variable, i.e. the /run/user/$UID part of the socket path. See man flatpak-override for details.

  4. Open the browser and test logging into a CAC/PIV-enabled website such as A365; it should work. If you have not installed the DoD Root Certificates, websites that do not use commercial PKI certificates will not function.
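As an added example (not part of the gist), the following POSIX shell script automates steps 1 to 3: it reads the Listen: path from the socket status output, rewrites it into the xdg-run form that flatpak override expects, and applies the override to a single app id. The function names and the RUN_P11_SETUP guard are assumptions of this example; only the one socket path is granted, nothing else from the runtime dir.

```shell
#!/bin/sh
# Added example: derive the flatpak override argument from the
# p11-kit-server socket path and grant it to exactly one Flatpak app.

# Extract the socket path from `systemctl --user status p11-kit-server.socket`
# output, e.g. "     Listen: /run/user/1000/p11-kit/pkcs11 (Stream)".
listen_path() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*Listen:[[:space:]]*\([^ ]*\).*/\1/p' | head -n 1
}

# Rewrite an absolute path below the runtime dir ($2, default $XDG_RUNTIME_DIR)
# into Flatpak's portable xdg-run/... form. Paths outside the runtime dir are
# returned unchanged (absolute paths are also accepted by --filesystem).
xdg_run_path() {
  sock="$1"
  runtime="${2:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"
  case "$sock" in
    "$runtime"/*) printf 'xdg-run/%s\n' "${sock#"$runtime"/}" ;;
    *)            printf '%s\n' "$sock" ;;
  esac
}

# Steps 1-3 of the procedure for one app id (hypothetical helper name).
apply_override() {
  app="$1"
  systemctl --user enable --now p11-kit-server.socket
  sock="$(listen_path "$(systemctl --user status p11-kit-server.socket 2>&1)")"
  if [ -z "$sock" ]; then
    echo "p11-kit-server.socket: no Listen: line in status output" >&2
    return 1
  fi
  flatpak override -u --filesystem="$(xdg_run_path "$sock")" "$app"
  # Show the resulting per-app override so the grant can be reviewed.
  flatpak override -u --show "$app"
}

# Not run automatically; invoke with:
#   RUN_P11_SETUP=1 sh p11kit-flatpak.sh com.microsoft.Edge
if [ "${RUN_P11_SETUP:-0}" = 1 ]; then
  apply_override "${1:-com.microsoft.Edge}"
fi
```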
