-rw-r--r--README.md1
-rw-r--r--meta/extra.txt5
-rw-r--r--run_onchange_after_deploy-pteid-pkcs11.sh.tmpl62
3 files changed, 68 insertions, 0 deletions
diff --git a/README.md b/README.md
index 2486d11..b9496c1 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ Everything is driven by [just](https://just.systems/) recipes against four paral
| `systemd-units/{system,user}/*.txt` | `just unit-apply`, `just unit-status` | Units to enable, split by scope. `system/` files pair by name with `meta/` groups (`system/base.txt` ↔ `meta/base.txt`); `user/` files are standalone. Recipe group token: `<name>` / `system:<name>` / `user:<name>`. |
| `etc/` | `run_onchange_after_deploy-etc.sh.tmpl` | System-level configs deployed to `/etc/` via a chezmoi onchange hook. |
| `firefox/` | `run_onchange_after_deploy-firefox.sh.tmpl` | LibreWolf `user-overrides.js` + `userChrome.css` (kept under the familiar `firefox/` name). |
+| (cartão de cidadão) | `run_onchange_after_deploy-pteid-pkcs11.sh.tmpl` | Bridges the `pt.gov.autenticacao` flatpak's PKCS#11 module into the LibreWolf flatpak's NSS DB (filesystem + `--socket=pcsc` override + `modutil -add`). No-op unless both flatpaks are installed. |
## Recipes at a glance
diff --git a/meta/extra.txt b/meta/extra.txt
index 3936385..3e8def9 100644
--- a/meta/extra.txt
+++ b/meta/extra.txt
@@ -6,6 +6,11 @@ udisks2
# Flatpak runtime (apps tracked in meta/flatpak.txt)
flatpak
+# Smartcard stack (cartão de cidadão reader + PKCS#11 bridge into flatpak browsers).
+# pcscd.socket is enabled by systemd-units/system/base.txt.
+pcsc-lite
+ccid
+
# OCR (used by ~/.local/bin/ocr)
tesseract
tesseract-data-eng
diff --git a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
new file mode 100644
index 0000000..b6c3b6c
--- /dev/null
+++ b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
@@ -0,0 +1,62 @@
+#!/bin/sh
+# Bridge the pt.gov.autenticacao flatpak's PKCS#11 module into the LibreWolf
+# flatpak's NSS database so cartão de cidadão authentication works in the
+# browser despite the cross-sandbox isolation.
+#
+# Idempotent. Re-runs whenever this script or the pt.gov.autenticacao entry
+# in meta/flatpak.txt changes.
+#
+# pteid entry hash: {{ output "sh" "-c" (printf "grep '^pt\\.gov\\.autenticacao' %q/meta/flatpak.txt 2>/dev/null || true" .chezmoi.sourceDir) | sha256sum }}
+set -eu
+
+PTEID_APP=pt.gov.autenticacao
+BROWSER_APP=io.gitlab.librewolf-community
+MODULE_NAME=pteid-mw
+
+flatpak info --user "$PTEID_APP" >/dev/null 2>&1 || exit 0
+flatpak info --user "$BROWSER_APP" >/dev/null 2>&1 || exit 0
+
+PTEID_LOC=$(flatpak info --user --show-location "$PTEID_APP" 2>/dev/null)
+[ -d "$PTEID_LOC/files" ] || exit 0
+
+SO=$(find "$PTEID_LOC/files" -name 'libpteidpkcs11.so' -type f 2>/dev/null | head -1)
+[ -n "$SO" ] && [ -f "$SO" ] || exit 0
+SO_DIR=$(dirname "$SO")
+
+# flatpak --filesystem mounts host paths under /run/host inside the sandbox.
+SO_IN_SANDBOX="/run/host$SO"
+SO_DIR_IN_SANDBOX="/run/host$SO_DIR"
+
+flatpak override --user \
+ --filesystem="$PTEID_LOC/files:ro" \
+ --socket=pcsc \
+ --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
+ "$BROWSER_APP"
+
+command -v modutil >/dev/null 2>&1 || {
+ echo "pteid-pkcs11: modutil not found (install nss); skipping NSS registration." >&2
+ exit 0
+}
+
+PROFILES_DIR="$HOME/.var/app/$BROWSER_APP/.librewolf"
+[ -d "$PROFILES_DIR" ] || exit 0
+
+registered=0
+skipped=0
+for prof in "$PROFILES_DIR"/*/; do
+ [ -f "$prof/cert9.db" ] || continue
+ if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
+ skipped=$((skipped + 1))
+ continue
+ fi
+ if pgrep -u "$(id -u)" -x librewolf >/dev/null 2>&1; then
+ echo "pteid-pkcs11: LibreWolf is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
+ exit 0
+ fi
+ modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
+ registered=$((registered + 1))
+done
+
+if [ "$registered" -gt 0 ]; then
+ echo "pteid-pkcs11: registered $MODULE_NAME in $registered LibreWolf profile(s)."
+fi
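Review bot: The already-registered check on the `modutil -list ... | grep -q "^[[:space:]]*Name:..."` line keys only on the module name, so once the pt.gov.autenticacao flatpak is updated and `flatpak info --show-location` resolves to a new deploy directory, the existing `pteid-mw` entry keeps its stale `-libfile` path and the `--filesystem` override still exposes the old directory, and nothing refreshes them because the re-run trigger in the header hashes the meta/flatpak.txt entry rather than the installed commit. Comparing the library path reported by `modutil -list "$MODULE_NAME" -dbdir "sql:$prof"` against `$SO_IN_SANDBOX` and doing `modutil -delete` before the existing `-add` when they differ would keep the registration current; resolving `PTEID_LOC` through a commit-independent path (flatpak keeps an `active` symlink per branch, if I recall the deploy layout correctly) would avoid the churn entirely. The comment `# flatpak --filesystem mounts host paths under /run/host inside the sandbox.` also deserves confirmation: to my understanding an explicit `--filesystem=PATH` is bind-mounted at the same path inside the sandbox and `/run/host` is used only for `host-os`/`host-etc`, so if `$SO_IN_SANDBOX` was not verified from inside the LibreWolf sandbox the NSS module may silently fail to load. Separately, `--env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX"` makes every library in that directory shadow the browser's own, so a one-line comment on the override stating why it is required and that the mount is `:ro` and user-owned would let the next reader judge the exposure.
```sh
# … unchanged: header, flatpak overrides, modutil/PROFILES_DIR checks …
for prof in "$PROFILES_DIR"/*/; do
  [ -f "$prof/cert9.db" ] || continue
  # Re-register when the module is missing OR still points at a previous deploy dir.
  # NOTE(review): confirm the exact label modutil prints for the library path.
  current=$(modutil -list "$MODULE_NAME" -dbdir "sql:$prof" 2>/dev/null \
    | sed -n 's/^[[:space:]]*Library file:[[:space:]]*//p' | head -1)
  if [ "$current" = "$SO_IN_SANDBOX" ]; then
    skipped=$((skipped + 1))
    continue
  fi
  # … unchanged: running-LibreWolf guard …
  if [ -n "$current" ]; then
    modutil -delete "$MODULE_NAME" -dbdir "sql:$prof" -force >/dev/null
  fi
  modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
  registered=$((registered + 1))
done
```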