Enable smart cards in snapped browsers

marek-suchanek · March 19, 2025, 2:25pm

Key	Value
Summary	Enable smart card authentication in Firefox or Chromium installed from snap.
Categories	desktop, packaging
Difficulty	2
Author	Marek Suchánek marek.suchanek@canonical.com, Nathan Teodosio nathan.teodosio@canonical.com

Overview

Duration: 2:00

With this configuration, you can use smart card authentication in Firefox or Chromium installed from snap. By default, smart cards do not work in snapped web browsers due to strict confinement in the snap.

What you’ll need

A web browser installed from snap: Firefox or Chromium.
A smart card that’s supported by OpenSC. See Supported hardware (smart cards and USB tokens).

If your smart card isn’t supported, you can’t use your smart card in snapped browsers.

Firefox

Duration: 3:00

Enable smart card access in the Firefox snap. You can choose the graphical or terminal interface:

In the GNOME graphical interface:
1. Open Settings.
2. Go to Apps → Firefox.
3. Enable pcscd.
In the terminal, enter the following command:
```
sudo snap connect firefox:pcscd
```

Load the PKCS#11 smart card module in Firefox:

Open Firefox and go to Settings → Privacy & Security → Security → Security devices.
Click the Load button.
Enter the following line into the Module filename field:
```
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```
Warning
Do not use the Browse button.
Click OK to confirm.

Chromium

Duration: 3:00

Enable smart card access in the Chromium snap. You can choose the graphical or terminal interface:

In the GNOME graphical interface:
1. Open Settings.
2. Go to Apps → Chromium Web Browser.
3. Enable pcscd.
In the terminal, enter the following command:
```
sudo snap connect chromium:pcscd
```

Load the PKCS#11 smart card module in Chromium:

Install the modutil tool:
```
sudo apt install libnss3-tools
```

Add the PKCS#11 smart card module to the NSS Database:

modutil -dbdir sql:.pki/nssdb/ -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Test if the authentication works

Duration: 2:00

Open your web browser and try authenticating with your smart card.

Did it work? If not:

Report any bugs

If your card is supported by OpenSC and you encounter an issue with the workflow, please add your comment to Opensc smart cards do not work in the snapped browsers (LP#2089141).
If your card is not supported by OpenSC, then this is the already known issue tracked in [snap] apparmor denied when trying to load pkcs11 module for smart card authentication (LP#1967632).

Additional resources

This tutorial connects the pcscd smart card plug to the web browser snap. For details about pcscd, see The pcscd interface.

3v1n0 · March 26, 2025, 1:22pm

Please mention Comment #95 : Bug #1967632 : Bugs : firefox package : Ubuntu or add a note to this guide, since 99% of libraries provided by smart-card makers should just work by being inside the snap environment.

Ideally we should provide a tool to easily import them (using the portal + some code that adds them to firefox or chrome through nss)