(Fix) `Please enter the password for the PKCS#11 token PIV_II` RPM

If you’re using a yubikey or similar, and run into the above message in Firefox (or Thunderbird, apparently), here’s the source for an RPM that will fix it for you.

Also, this shows how you can override configs in /usr.

Name:           fffix
Version:        0.0.1
Release:        1%{?dist}
Summary:        Fixes Firefox

License:        BSD
URL:            None

Requires:       opensc






echo "disable-in: firefox thunderbird" > %{_prefix}/share/p11-kit/modules/opensc.module

* Sat Mar 26 2022 Jonathan Dickinson
  1. toolbox create && toolbox enter
  2. sudo dnf install -y rpmdevtools
  3. rpmdev-setuptree
  4. cd ~/rpmbuild/SPECS
  5. (create a new file called fffix.spec and paste the above into it)
  6. rpmbuild -bb fffix.spec
  7. sudo rpm-ostree install ~/rpmbuild/RPMS/fffix-*.rpm
  8. Reboot

Thanks, @jcdickinson . Do you know what the token PIV_II password it’s looking for is? Using the YubiKey Manager nomenclature, is it looking for the PIN for the PIV application (or the PIV Management Key), or is it looking for the FIDO2 application PIN?

Thanks for the insight.

Why is a reboot needed?

Because the new commit isn’t active until reboot.

Could you clarify the purpose of applying this configuration change with an RPM?

Disclaimer: I don’t know much about RPMs. But I tried to understand what this script does and wasn’t able to clarify for myself.

This “RPM Packaging Guide” mentions that the %post directive is defined as a “Scriptlet that is executed just after the package is installed on the target system.”

So, wouldn’t appending disable-in: firefox thunderbird to the opensc.module file do the same thing as writing and installing this RPM?