Confined browser snaps can't use system libraries (PKCS11) and native host messaging. What do we do?


#1

We develop and provide a PKCS11 library to enable usage of our national identity card on software that plays nice with standards. So we have had very good system-wide linux support for many years now.

As this shared PKCS11 library location is no longer accessible from within a confined snap, the library itself can’t be registered, and the browser will not have access to the smartcard (e.g. to log on to government applications using the snap version of Firefox).

Furthermore, if you look at a typical add-on + native messaging solution (where the native application provides local access to the card), this also breaks. This can easily be seen when trying to manage GNOME extensions using the snap version of Firefox, which will not work because the native host connector is unavailable. We use this architecture as well, e.g. for signing services.

I read today Chromium will be (confined?) snap only in the future, and I am slightly worried.

Has this problem been considered and if so, what are the recommendations?
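As an added illustration of the two breakages described in this post (not code from the thread or from any project mentioned in it): the script parses NSS's `pkcs11.txt` module database and a native messaging host manifest, then reports which registered library and host paths are invisible when resolved under a given filesystem root, standing in for the confined snap's view. The eID library path, host name and host path are placeholders; both sample files are constructed.

```python
import json, os, tempfile
from typing import Dict, List

# Constructed sample of NSS's pkcs11.txt (the profile's module DB). The eID
# library path is a placeholder, not the library the thread refers to.
SAMPLE_PKCS11_TXT = """library=
name=NSS Internal PKCS #11 Module

library=/usr/lib/x86_64-linux-gnu/pkcs11/libeid-placeholder.so
name=National eID
"""
# Constructed native messaging host manifest (hypothetical host name and path).
SAMPLE_HOSTS = {"org.example.eid_signer": json.dumps({
    "name": "org.example.eid_signer", "type": "stdio",
    "path": "/usr/local/bin/eid-signer-host"})}

def parse_pkcs11_txt(text: str) -> List[Dict[str, str]]:
    """pkcs11.txt is blank-line separated blocks of key=value lines."""
    modules, block = [], {}
    for line in text.splitlines():
        if not line.strip():
            if block:
                modules.append(block)
            block = {}
            continue
        key, _, value = line.partition("=")
        block[key.strip()] = value.strip()
    return modules + ([block] if block else [])

def _visible(path: str, root: str) -> bool:
    """Does `path` exist when resolved beneath `root` (the sandbox's view)?"""
    return os.path.exists(os.path.join(root, path.lstrip("/")))

def unreachable(pkcs11_txt: str, hosts: Dict[str, str], root: str) -> List[str]:
    """Registered PKCS#11 libraries and native host binaries `root` cannot see.
    The built-in NSS module has an empty library= entry and is skipped."""
    libs = [m["library"] for m in parse_pkcs11_txt(pkcs11_txt) if m.get("library")]
    paths = libs + [json.loads(j)["path"] for j in hosts.values()]
    return [p for p in paths if not _visible(p, root)]

def demo() -> Dict[str, List[str]]:
    """Constructed roots: host OS (both files present) vs an empty snap-like root."""
    host_root, snap_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    for p in unreachable(SAMPLE_PKCS11_TXT, SAMPLE_HOSTS, host_root):
        full = os.path.join(host_root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return {"host": unreachable(SAMPLE_PKCS11_TXT, SAMPLE_HOSTS, host_root),
            "snap": unreachable(SAMPLE_PKCS11_TXT, SAMPLE_HOSTS, snap_root)}
```

On a real system, point `root` at the mount namespace the browser actually runs in to see which registrations can never load there.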


#2

Paging @oSoMoN


#3

I have investigated the PKCS11 situation in that other thread: Can't Load Security Device in Firefox Snap. @sam_vde: I would appreciate if you could test and confirm my findings.

Native host messaging is being tracked by bug #1741074.

There are no obvious solutions to either as yet.


#4

Will do, thanks for reaching out!


#5

Thanks for the background information. I’ve installed the no-snap Firefox alongside, just for the purpose of logging in for work. I’ll be watching the bug tracker to see when I can go all in on the snap.