Bug 1906652

Summary: flatpak smart card support socket=pcsc for smart cards doesn't seem to work on RHEL 8.3
Product: Red Hat Enterprise Linux 9 Reporter: Trevor Clark <r.trevor.clark>
Component: flatpakAssignee: Debarshi Ray <debarshir>
Status: NEW --- QA Contact: Petr Schindler <pschindl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.4CC: debarshir, desktop-qa-list, jjelen
Target Milestone: rcKeywords: Reopened
Target Release: 9.4   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-22 07:28:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Trevor Clark 2020-12-11 03:22:03 UTC 
Description of problem:


I have a yubikey smart card connected to my RHEL 8 computer. flatpak seems to have a permission option to connect to pcsc, but I cannot get flatpak applications to recognise the smart card. For instance this application https://flathub.org/apps/details/com.yubico.yubioath cannot detect the smart card. if I run pcsc_scan from the terminal I can see the yubikey as I would expect so it seems to be a flatpak specific issue. I especially want to get this working to use Remmina, https://flathub.org/apps/details/org.remmina.Remmina, as a convenient remote desktop client that allows shared smart cards with windows over RDP, but this doesn't seem to work with flatpak on RHEL 8.3 There is not a  a native build of this application available. Any help would be appreciated.


How reproducible:


Steps to Reproduce:
1. Install https://flathub.org/apps/details/com.yubico.yubioath
2. Insert yubikey and the application is not able to see the smart cart

Actual results:

flatpak applications cannot see the smart card


Expected results:

flatpak applications can see and use the smart card
Comment 1 Trevor Clark 2020-12-12 17:49:54 UTC 
The appimage version of the yubico authenticator, https://www.yubico.com/products/services-software/download/yubico-authenticator/#download_here, can recognize the smart card no problem.
Comment 2 David King 2021-04-16 14:22:00 UTC 
I do not have access to any hardware to test this, but as it is in a third-party app from Flathub, it would be best to report the issue upstream, and report back if you manage to isolate this to something specific to RHEL:

https://github.com/flathub/com.yubico.yubioath/issues
Comment 3 Trevor Clark 2021-04-16 14:30:53 UTC 
I'm pretty sure this is not an upstream issue. I have the same issue with Remmina, https://flathub.org/apps/details/org.remmina.Remmina. It can't detect a smart card as a flatpak either. I will investigate a little more though. thanks!
Comment 4 Jakub Jelen 2022-02-22 18:42:46 UTC 
FYI, this is caused by a bug #2054826, which landed recently in Fedora (after I introduced RHEL changes to Fedora recently) so I am reopening the bug.

In short, the flatpack is using internal API of PCSC, which has fixed size list of readers, which we needed to enlarge couple of years back in downstream patch. This works fine in the OS, this works fine if the flatpack runs rhel container on rhel, but this breaks in any other combination (rhel -> ubuntu container or vice versa).
Comment 6 Trevor Clark 2022-02-26 15:46:52 UTC 
At some point the yubico flatpak started being able to read my smart card, but smart card sharing with Remmina doesn't work for me still.

https://github.com/flathub/org.remmina.Remmina/issues/97
Comment 9 RHEL Program Management 2023-08-22 07:28:47 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 10 Debarshi Ray 2023-08-22 13:35:47 UTC 
I still want to fix this, but I won't have time to do it by RHEL 8.10.  So, let's re-target it for RHEL 10.
Comment 12 Debarshi Ray 2023-08-22 13:38:35 UTC 
(In reply to Debarshi Ray from comment #10)
> I still want to fix this, but I won't have time to do it by RHEL 8.10.  So,
> let's re-target it for RHEL 10.

I meant, RHEL 9, not 10.  :)