Confined browser snaps can't use system libraries (PKCS11) and native host messaging. What do we do?


#1

We develop and provide a PKCS11 library to enable usage of our national identity card on software that plays nice with standards. So we have had very good system-wide Linux support for many years now.

As this shared PKCS11 library location is no longer accessible from within a confined snap, the library itself can’t be registered, and the browser will not have access to the smartcard (e.g. to log on to government applications using the snap version of Firefox).

Furthermore, if you look at a typical addon+native messaging solution (where the native application provides local access to the card) this also breaks. This can easily be seen when trying to manage Gnome extensions using the snap version of Firefox which will not work because the native host connector is unavailable. We use this architecture as well e.g. for signing services.

I read today Chromium will be (confined?) snap only in the future, and I am slightly worried.

Has this problem been considered and if so, what are the recommendations?
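To make concrete what the "addon + native messaging" architecture in the post depends on, here is an added example (not the poster's code, and not any eID project's host) of a minimal WebExtensions native messaging host. The browser reads a small JSON manifest, spawns the binary named in its `path`, and exchanges length-prefixed JSON over stdin/stdout; the framing (32-bit length in native byte order, then UTF-8 JSON, inbound messages capped at 1 MiB) is the documented protocol, while the command names (`ping`, `check-module`), the manifest name `com.example.eid_host` and the sample session are constructed for illustration. The manifest-read and process-spawn steps are exactly what the post reports as unavailable to a confined browser snap: if the browser cannot read the manifest directory or exec the host, `serve()` is never reached and the extension sees a disconnected port.

```python
"""Minimal native messaging host skeleton (added example, not from the original post).

Framing per the WebExtensions native messaging protocol: each message is a
32-bit length in native byte order followed by that many bytes of UTF-8 JSON.
Command names, manifest values and the demo session below are constructed.
"""
import io
import json
import os
import sys

MAX_INBOUND = 1024 * 1024  # browser -> host messages are limited to 1 MiB


def encode_message(obj) -> bytes:
    """Serialize one message as the browser expects it: length prefix + JSON."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return len(payload).to_bytes(4, sys.byteorder) + payload


def decode_message(stream):
    """Read one framed message; returns None when the browser has closed the pipe."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length header")
    length = int.from_bytes(header, sys.byteorder)
    if length > MAX_INBOUND:
        raise ValueError(f"message length {length} exceeds {MAX_INBOUND}")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle_request(request):
    """Hypothetical command set: 'ping', and 'check-module' which reports whether
    a PKCS#11 module path is readable from the host process's view of the filesystem."""
    cmd = request.get("cmd")
    if cmd == "ping":
        return {"ok": True, "reply": "pong"}
    if cmd == "check-module":
        path = request.get("path", "")
        readable = os.path.isfile(path) and os.access(path, os.R_OK)
        return {"ok": True, "path": path, "readable": readable}
    return {"ok": False, "error": f"unknown command {cmd!r}"}


def host_manifest(name, host_path, extension_id):
    """Firefox-style manifest the browser reads to locate and launch the host.
    allowed_extensions restricts which extension may open the host (assumed id)."""
    return {
        "name": name,
        "description": "Example eID native messaging host (constructed)",
        "path": host_path,
        "type": "stdio",
        "allowed_extensions": [extension_id],
    }


def serve(stdin, stdout):
    """Answer messages until the browser closes the pipe; returns the count handled."""
    handled = 0
    while True:
        request = decode_message(stdin)
        if request is None:
            return handled
        stdout.write(encode_message(handle_request(request)))
        stdout.flush()
        handled += 1


def roundtrip(obj):
    """Encode then decode one message (used to check framing)."""
    return decode_message(io.BytesIO(encode_message(obj)))


def demo():
    """Constructed session: two messages exactly as a browser would write them."""
    inbound = io.BytesIO(
        encode_message({"cmd": "ping"})
        + encode_message({"cmd": "check-module", "path": "/nonexistent/libpkcs11.so"})
    )
    outbound = io.BytesIO()
    count = serve(inbound, outbound)
    outbound.seek(0)
    replies = []
    while (reply := decode_message(outbound)) is not None:
        replies.append(reply)
    return count, replies


if __name__ == "__main__":
    if sys.stdin.isatty():
        print(demo())  # run interactively: show the constructed session
    else:
        serve(sys.stdin.buffer, sys.stdout.buffer)  # run as a real host: talk to the browser
```

The length check on inbound messages matters for a host that fronts a smartcard: the host runs outside the browser sandbox with the user's full privileges, so it should treat the extension as an untrusted client, bound what it reads, and never act on an unparsed message. Whether the host is reachable at all is a separate question answered by the browser's packaging, which is the point the post raises.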


#2

Paging @oSoMoN