
Conversation

@frankmorgner
Member

@frankmorgner frankmorgner commented Jan 21, 2023

The onepin-opensc-pkcs11 constantly leads to confusion with users, because it is not obvious which opensc module to choose. This PR uses the running program's name to check whether the onepin configuration is needed, i.e. it checks whether the PKCS#11 module is running inside firefox.

The OpenSC tools are refactored so that they can output debug messages even before connecting to a reader (i.e. directly after sc_context_create()).

Checklist
  • Documentation updated
  • Tools tested
  • Windows Firefox tested
  • Linux Firefox tested
  • macOS Firefox tested
  • Windows minidriver is tested

@frankmorgner frankmorgner force-pushed the firefox branch 6 times, most recently from ebd6795 to e0d90c9 Compare January 24, 2023 08:34
@frankmorgner frankmorgner marked this pull request as ready for review January 24, 2023 08:45
@frankmorgner
Member Author

I've now successfully tested all major platforms. Everything works as expected. I've noticed that the PKCS#11 module generates too many notifications for removal/insertion events. That's removed now as well.

@Jakuje, @dengert, please let me know if you think that removing onepin-opensc-pkcs11 may cause any trouble for users.

@metsma
Contributor

metsma commented Jan 24, 2023

I will notify our test team

Member

@Jakuje Jakuje left a comment

please, fix the typos. Otherwise it looks good.

@frankmorgner frankmorgner force-pushed the firefox branch 3 times, most recently from 08b57fa to e2569e8 Compare January 24, 2023 10:36
@frankmorgner
Member Author

typos are fixed.

@Jakuje
Member

Jakuje commented Jan 24, 2023

Please, remove also the onepin from the spec file in https://github.com/OpenSC/OpenSC/blob/master/packaging/opensc.spec#L164 so we can have the CI passing.

@dengert
Member

dengert commented Jan 24, 2023

PIV should be fine. Only uses 1 pin

@frankmorgner
Member Author

Let's still wait for @metsma 's feedback

@metsma
Contributor

metsma commented Feb 6, 2023

Let's still wait for @metsma 's feedback

Can we filter Chrome too?

@henning-schild

I did not look into the details, but this sounds like a user interface change that should not be ignored.

So I suggest a "symlink" or a "deprecation wrapper". If the module disappears ... we will have an issue with any config in any application that is configured to use it.

@frankmorgner
Member Author

I did not look into the details, but this sounds like a user interface change that should not be ignored.

Indeed it is, that's why I asked for opinions above. We can surely implement some temporary workarounds, but I fear that those are hard to maintain given the different platforms we support and that I don't see them go away once they are in place. Hence, I personally would opt for a possible breaking change nevertheless.

@frankmorgner
Member Author

Can we filter Chrome too?

With all the browser forks it could get crazy quickly, but it is possible, for sure. But, AFAIK, problems have only been reported for Firefox....

@metsma
Contributor

metsma commented Feb 8, 2023

Can we filter Chrome too?

With all the browser forks it could get crazy quickly, but it is possible, for sure. But, AFAIK, problems have only been reported for Firefox....

We have only official Chrome in the testing matrix. Chromium uses SNAP in Ubuntu and we don't support this configuration.

@henning-schild

Indeed it is, that's why I asked for opinions above. We can surely implement some temporary workarounds, but I fear that those are hard to maintain given the different platforms we support and that I don't see them go away once they are in place. Hence, I personally would opt for a possible breaking change nevertheless.

Indeed such things are hard to get rid of. But I would still like to ask for some help for end users and distributors.

But these modules are mentioned in all sorts of management scripts that configure browsers (many of them) and other applications, some of them proprietary ... Think of ansible or puppet and alike. These scripts will have to work over generations and flavors of Linux, and maybe other OSs. And they will have to deal with creating new configuration and updating old.

Not even to mention manual configuration that people have somewhere, did after reading whatever google did spit out ... a forum/blog.

I am afraid the user-interface change might be big and hard to handle for distros, admins, and "did something funny" end-users.

@frankmorgner
Member Author

@henning-schild I've added the onepin module as link/copy to the installation. I need to verify the Windows installer, however.

@henning-schild

@henning-schild I've added the onepin module as link/copy to the installation. I need to verify the Windows installer, however.

Thanks so much. If i read that last commit correctly it is only about compatibility and not about deprecation.

I sure hope the old name can be deprecated one day, or kept forever and not causing too much trouble over time.

@frankmorgner
Member Author

@metsma , could you please elaborate what you mean by

Can we filter Chrome too?

Do you think OpenSC should behave like the onepin module in Chrome as well? If so, why?

@Jakuje
Member

Jakuje commented Feb 22, 2023

@metsma , could you please elaborate what you mean by

Can we filter Chrome too?

Do you think OpenSC should behave like the onepin module in Chrome as well? If so, why?

Because chrome is using NSS for accessing hardware tokens as far as I know.

@metsma
Contributor

metsma commented Feb 22, 2023

Yes. On linux Chrome uses NSS

@TheElectronWill

TheElectronWill commented Mar 2, 2023

Thank you for the clarification!

Addendum: gnome evolution uses the SmartCard too, I think it does so via the NSS database (like Chrome). Maybe it should be handled as well? But who knows how many apps use the nssdb...

@frankmorgner
Member Author

With #2733 being merged, I wonder if the special treatment of Firefox (or any other NSS powered app) is still needed. OpenSC now behaves friendly in terms of having publicly readable certificates! @metsma could you confirm this by testing master?

@frankmorgner
Member Author

@metsma, do you have any updates regarding OpenSC's "friendlyness", especially with #2733 being merged?

@metsma
Contributor

metsma commented Apr 14, 2023

@frankmorgner our test team reports that Firefox and Chrome still request 2 pins (PIN1, PIN2) on authentication.

@frankmorgner
Member Author

@frankmorgner our test team reports that Firefox and Chrome still request 2 pins (PIN1, PIN2) on authentication.

I assume you mean that FF/Chrome are requesting the two PINs although only one would be needed for authenticating to a specific site. If so, it seems that although OpenSC is considered to have the certificates friendly-ish readable, the user experience is still poor.

Then, I would try to extend this PR to also recognize chrome and chromium. Do you know (platform independent) names of other browsers that are using NSS?

@metsma
Contributor

metsma commented Apr 14, 2023

@frankmorgner our test team reports that Firefox and Chrome still request 2 pins (PIN1, PIN2) on authentication.

I assume you mean that FF/Chrome are requesting the two PINs although only one would be needed for authenticating to a specific site. If so, it seems that although OpenSC is considered to have the certificates friendly-ish readable, the user experience is still poor.

Yes

Then, I would try to extend this PR to also recognize chrome and chromium. Do you know (platform independent) names of other browsers that are using NSS?

I think this will cover most. Maybe add configure option to extend this list. There are other forks available (Tor, Opera etc)

@TheElectronWill

Then, I would try to extend this PR to also recognize chrome and chromium. Do you know (platform independent) names of other browsers that are using NSS?

Wouldn't the problem show up in a potentially unlimited number of applications that use NSS? E.g. opera, thunderbird, evolution, some vpn clients, electron-based apps, etc. Listing them all in opensc seems impossible, perhaps there could be a config somewhere :S

@fbezdeka
Contributor

fbezdeka commented Apr 18, 2023

I have symlinked opensc-pkcs11.so to the onepin variant on my systems because too many applications had problems.

-rwxr-xr-x. 1 root root  258K  2. Dez 18:49 onepin-opensc-pkcs11.so
lrwxrwxrwx. 1 root root    23 16. Dez 08:23 opensc-pkcs11.so -> onepin-opensc-pkcs11.so

Applications I have in use:
Firefox, Chrome, Evolution

AFAIR all of those apps had the multiple-PINs-requested problem.

@frankmorgner
Member Author

I think a reasonably good default regular expression for matching the executable's name would work and could be made configurable.

Matching all NSS programs would not make sense, because in e-mail applications you want to do signing and encryption even if multiple PINs are involved.

@frankmorgner
Member Author

  • resolved merge conflicts
  • extended one-slot configuration (onepin) to chrome and chromium
  • extended opensc.conf to use the apps path for a configuration block. Which allows setting slots_per_card to 1 also for other browsers while leaving the general PKCS#11 configuration alone.
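The mechanism this thread converges on (the PR description: derive the "onepin" behaviour from the name of the program that loaded the module; the later comments: match firefox, chrome and chromium by executable name and keep that list configurable) can be shown in a few lines of portable C. The block below is an added example and is not OpenSC's code; the PR's actual implementation is not on this page. The function names, the browser list and the 4096-byte path buffer are assumptions of the example. It resolves the path of the running executable (not of the shared library) on Linux, macOS and Windows, reduces it to a lowercase program name, and decides whether one slot per card should be presented.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#if defined(_WIN32)
#include <windows.h>
#elif defined(__APPLE__)
#include <stdint.h>
#include <mach-o/dyld.h>
#else
#include <unistd.h>
#endif

/* Programs that reach the PKCS#11 module through NSS and, as reported in the
 * thread, prompt for every slot's PIN before a site login. Assumed list for
 * this example (the point of the thread is that it should be configurable);
 * "google chrome" is the executable name inside the macOS app bundle and
 * "chromium-browser" the name some Linux packages install. */
static const char *const single_slot_apps[] = {
    "firefox", "chrome", "google chrome", "chromium", "chromium-browser", NULL
};

/* Path of the running executable. Returns its length, or 0 if unknown. */
size_t current_executable_path(char *buf, size_t len)
{
#if defined(_WIN32)
    DWORD n = GetModuleFileNameA(NULL, buf, (DWORD)len);
    return (n == 0 || n >= len) ? 0 : (size_t)n;
#elif defined(__APPLE__)
    uint32_t size = (uint32_t)len;
    if (_NSGetExecutablePath(buf, &size) != 0)
        return 0;                       /* buffer too small */
    return strlen(buf);
#else
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0)
        return 0;                       /* no procfs, or not permitted */
    buf[n] = '\0';
    return (size_t)n;
#endif
}

/* Reduce a path to a lowercase program name: drop directories (both
 * separator styles), the case and a trailing ".exe". */
void program_name_from_path(const char *path, char *out, size_t len)
{
    const char *base = path, *p;
    size_t n, i;

    for (p = path; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    n = strlen(base);
    if (n >= len)
        n = len - 1;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)base[i]);
    out[n] = '\0';
    if (n > 4 && strcmp(out + n - 4, ".exe") == 0)
        out[n - 4] = '\0';
}

/* 1 if a module loaded by the program at exe_path should expose one slot per
 * card (the behaviour of the old onepin module), 0 for the regular layout. */
int wants_single_slot(const char *exe_path)
{
    char name[256];
    size_t i;

    program_name_from_path(exe_path, name, sizeof name);
    for (i = 0; single_slot_apps[i]; i++)
        if (strcmp(name, single_slot_apps[i]) == 0)
            return 1;
    return 0;
}

/* What the module's initialisation would call: decide for this process.
 * An unknown executable keeps the default, multi-slot layout. */
int current_process_wants_single_slot(void)
{
    char path[4096];
    if (current_executable_path(path, sizeof path) == 0)
        return 0;
    return wants_single_slot(path);
}

int main(void)
{
    char path[4096];
    if (current_executable_path(path, sizeof path))
        printf("%s: single slot per card = %s\n", path,
               current_process_wants_single_slot() ? "yes" : "no");
    return 0;
}
```

Two caveats a deployment should keep in mind: the check is only as good as the name table, so a browser fork, a renamed binary or a launcher that exec()s a differently named helper silently falls back to the multi-slot layout (which is exactly the situation the configurable app block in opensc.conf is meant to cover); and the decision is made once at load time, which is fine for a PKCS#11 module but means a process cannot switch layouts without reloading it.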

@frankmorgner
Member Author

@metsma , could you trigger your test team, please?
