The bug "Unable to list readers inside flatpak, when pcscd runs on host." was very strange. It is not like the potential problem I described in "Accessing smart cards from inside a flatpak sandbox" where we have 2 sides (host & flatpak container) using different versions of the pcsc-lite internal protocol.
In the present case both sides are using the same protocol but SCardGetStatusChange() fails with a very strange error: Unknown error: 0x53204253. 0x53204253 is not a (valid) error code returned by any of the PC/SC functions.
Fedora custom build
After some debug I discovered that Fedora provides pcsc-lite packages with a modification.
From
https://fedora.pkgs.org/35/fedora-updates-x86_64/pcsc-lite-libs-1.9.5-1.fc35.x86_64.rpm.html
your can download the
source package
which contains the patch file
diff -up ./src/PCSC/pcsclite.h.in.readers_32 ./src/PCSC/pcsclite.h.in --- ./src/PCSC/pcsclite.h.in.readers_32 2018-08-20 16:02:17.708302410 -0700 +++ ./src/PCSC/pcsclite.h.in 2018-08-20 16:02:49.462500967 -0700 @@ -281,7 +281,7 @@ extern const SCARD_IO_REQUEST g_rgSCardT #define PCSCLITE_VERSION_NUMBER "@VERSION@" /**< Current version */ /** Maximum readers context (a slot is count as a reader) */ -#define PCSCLITE_MAX_READERS_CONTEXTS 16 +#define PCSCLITE_MAX_READERS_CONTEXTS 48 #define MAX_READERNAME 128 diff -up ./src/PCSC/pcsclite.h.readers_32 ./src/PCSC/pcsclite.h --- ./src/PCSC/pcsclite.h.readers_32 2018-08-20 16:02:30.993385481 -0700 +++ ./src/PCSC/pcsclite.h 2018-08-20 16:03:00.061567242 -0700 @@ -281,7 +281,7 @@ extern const SCARD_IO_REQUEST g_rgSCardT #define PCSCLITE_VERSION_NUMBER "1.9.5" /**< Current version */ /** Maximum readers context (a slot is count as a reader) */ -#define PCSCLITE_MAX_READERS_CONTEXTS 16 +#define PCSCLITE_MAX_READERS_CONTEXTS 48 #define MAX_READERNAME 128
This patch redefines PCSCLITE_MAX_READERS_CONTEXTS
which is the
maximum number of readers supported by pcsc-lite and update the value from 16
to 48.
pcsc-lite internal protocol
To implement the function SCardGetStatusChange() pcsc-lite exchanges the list of readers between the daemon (pcscd) and the client (libpcsclite.so.1).
pcscd will sent a list of PCSCLITE_MAX_READERS_CONTEXTS
readers
and libpcsclite.so.1 is expecting a list of
PCSCLITE_MAX_READERS_CONTEXTS
readers.
Flatpak issue
In the case of flatpak the server is running on the host and is provided by Fedora, and the client is running inside the flatpak container and is provided by whoever provides the flatpak so possibly with a pcsc-lite client not from Fedora.
And now we have a problem: the daemon is sending a list of 48 readers while the client is expecting a list of only 16 readers. After that, many bad things can happen, like incorrect return values.
Flatpak solution
The solution is simple: include in the flatpak container a client library that is configured like the server on your host i.e. patch the pcsc-lite included in the container.
The bad news is that the flatpak contained application will not be universal
any-more. You will need 2 different containers for Fedora and for Debian for
example.
pcsc-lite-ccid patch
The pcsc-lite-ccid Fedora package (CCID reader driver) also uses a patch to increase the number of supported readers.
The package source code is available at
https://fedora.pkgs.org/35/fedora-updates-x86_64/pcsc-lite-ccid-1.4.36-2.fc35.x86_64.rpm.html
and contains the file
diff -up ./src/ccid_ifdhandler.h.readers_32 ./src/ccid_ifdhandler.h --- ./src/ccid_ifdhandler.h.readers_32 2018-08-20 16:06:34.080905748 -0700 +++ ./src/ccid_ifdhandler.h 2018-08-20 16:07:04.638097096 -0700 @@ -47,7 +47,7 @@ extern int DriverOptions; * The maximum number of readers is also limited in pcsc-lite (16 by default) * see the definition of PCSCLITE_MAX_READERS_CONTEXTS in src/PCSC/pcsclite.h */ -#define CCID_DRIVER_MAX_READERS 16 +#define CCID_DRIVER_MAX_READERS 48 /* * CCID driver specific functions
According to the spec file
* Fri Jun 25 2021 Jakub Jelen <jjelen@redhat.com> - 1.4.34-2 - Add support for more readers
So less than a year.
Increase the number of readers?
I guess Fedora/RedHat has one (or more) customer(s) with a need to support
more than 16 readers. Maybe that is the case of 0.01% of pcsc-lite users
(rough estimation out of my mind). And for some users 48 readers will not be
enough (See "A reader for 96 smart cards? sysmoSIMBANK").
A long term solution is to move from a hard coded limit of
CCID_DRIVER_MAX_READERS
readers to a dynamic (unlimited) list. This is already
planed for pcsc-lite in "use a list instead of a fixed size array for 16 reader states" and for ccid in "use a list instead of a fixed size array for 16 reader states". I had no motivation to implement that so far. If you need this change
please contact me.
Revert the Fedora patches?
One option to solve the issue with Flatpak would be for Fedora/RedHat to revert the patches.
I don't know if they have more customers using more than 16 smart card readers, or more customers using Flatpak applications.
Conclusion
Flatpak applications with a need to access smart cards or tokens (Chrome, Teams) may be difficult to use on Fedora/RedHat.