Enable smart cards in snapped browsers

marek-suchanek · March 19, 2025, 2:25pm

Key	Value
Summary	Enable smart card authentication in Firefox or Chromium installed from snap.
Categories	desktop, packaging
Difficulty	2
Author	Marek Suchánek marek.suchanek@canonical.com, Nathan Teodosio nathan.teodosio@canonical.com

Overview

Duration: 2:00

With this configuration, you can use your smart card to authenticate and sign content in Firefox or Chromium installed from snap. By default, smart cards do not work in snapped web browsers due to strict confinement in the snap.

If instead you want to use your smart card to log in and authenticate the user, see How to use Smart Card authentication in Ubuntu Desktop.

What you’ll need

A web browser installed from snap: Firefox or Chromium.
A smart card, ideally one that is supported by OpenSC.

Select your smart card driver

Duration: 5:00

Check if your smart card is supported by OpenSC. See Supported hardware (smart cards and USB tokens).

If you can see your smart card on the list, you can skip this whole section.
If your smart card isn’t supported by OpenSC, you need a binary driver for your smart card. Your organization or government usually provides this driver.

Warning
Using third-party smart card drivers in snap is experimental and unsupported. The driver might not work.
Install the smart card driver that you received from your organization or government. For example, Bit4id cards require the libbit4xpki.so driver, which is a proprietary p11k library. When you install the driver, it’s available at the /usr/lib/libbit4xpki.so file path.

In the following commands, replace libbit4xpki.so with the file name of your driver and /usr/lib/libbit4xpki.so with the full path to the driver.
Move the smart card driver, such as libbit4xpki.so, into the snap environment in your home directory.
- For Firefox:
```
cp /usr/lib/libbit4xpki.so ~/snap/firefox/common/
```
- For Chromium:
```
cp /usr/lib/libbit4xpki.so ~/snap/chromium/common/
```

Configure Firefox

Duration: 3:00

Enable smart card access in the Firefox snap. You can choose the graphical or terminal interface:

In the GNOME graphical interface:
1. Open Settings.
2. Go to Apps → Firefox.
3. Enable pcscd.
In the terminal, enter the following command:
```
sudo snap connect firefox:pcscd
```

Load the smart card module in Firefox:

Open Firefox and go to Settings → Privacy & Security → Security → Security devices.
Click the Load button.
Enter the following line into the Module filename field:
- If your card is supported by OpenSC:
```
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```
  If you’re running Ubuntu on a different CPU architecture than Intel 64 and AMD64, replace x86_64-linux-gnu with your architecture code name.
- If you provided a proprietary smart card driver:
```
/home/MY_USER_NAME/snap/firefox/common/libbit4xpki.so
```
  Replace MY_USER_NAME with your user name and libbit4xpki.so with the proprietary driver file name.
Warning
Do not use the Browse button.
Click OK to confirm.

Configure Chromium

Duration: 3:00

Enable smart card access in the Chromium snap. You can choose the graphical or terminal interface:

In the GNOME graphical interface:
1. Open Settings.
2. Go to Apps → Chromium Web Browser.
3. Enable pcscd.
In the terminal, enter the following command:
```
sudo snap connect chromium:pcscd
```

Load the smart card module in Chromium:

Install the modutil tool:
```
sudo apt install libnss3-tools
```
Add the smart card module to the NSS Database:
- If your card is supported by OpenSC:
```
modutil -dbdir sql:.pki/nssdb/ -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```
  If you’re running Ubuntu on a different CPU architecture than Intel 64 and AMD64, replace x86_64-linux-gnu with your architecture code name.
- If you provided a proprietary smart card driver:
```
modutil -dbdir sql:.pki/nssdb/ -add "Bit4id" -libfile /home/MY_USER_NAME/snap/chromium/common/libbit4xpki.so
```
  Replace MY_USER_NAME with your user name, Bit4id with your smart card name or brand and libbit4xpki.so with the proprietary driver file name.

Test if the authentication works

Duration: 2:00

Open your web browser and try authenticating with your smart card.

Did it work? If not:

Report any bugs

If your card is supported by OpenSC and you encounter an issue with the workflow, please add your comment to Opensc smart cards do not work in the snapped browsers (LP#2089141).
If you provided a proprietary smart card driver, it might not work for a variety of reasons. Please file a new issue at Launchpad Bugs.

Your driver might depend on missing libraries. See the full list of dependencies and attach them to your bug report:
```
snap run --shell firefox -c ldd ~/snap/firefox/common/libbit4xpki.so
```
Replace libbit4xpki.so with your driver’s file name. Replace firefox with chromium if you use Chromium.
If your card isn’t supported by OpenSC, see the known issue tracked in [snap] apparmor denied when trying to load pkcs11 module for smart card authentication (LP#1967632).

Additional resources

This tutorial connects the pcscd smart card plug to the web browser snap. For details about pcscd, see The pcscd interface.

3v1n0 · March 26, 2025, 1:22pm

Please mention https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/95 or add a note to this guide, since 99% of libraries provided by smart-card makers should just work by being inside the snap environment.

Ideally we should provide a tool to easily import them (using the portal + some code that adds them to firefox or chrome through nss)