Bug#1120163: GNOME Papers digital-signing failure caused by 'apparmor-profile' restrictions

Cristiano Nunes cfgnunes at gmail.com
Thu Nov 6 06:59:52 GMT 2025


Package: papers
Version: 48.3-1
Severity: normal
X-Debbugs-Cc: cfgnunes at gmail.com

Dear Maintainer,

While testing the “Sign Digitally” feature in GNOME Papers, I found that
the signing process fails due to AppArmor blocking access to several
paths required by NSS and by smartcard middleware.

I reproduced the same issue on Ubuntu as well and documented it here:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2106133

The audit log shows consistent AppArmor denials such as:

  - ~/.pki/nssdb/cert9.db             (file_lock)
  - ~/.mozilla/firefox/*/cert9.db     (read)
  - /run/pcscd/pcscd.comm             (connect)
  - /sys/devices/...                  (open)

After testing, I confirmed that extending the AppArmor profile resolves
the issue and restores the digital-signature functionality. Adding the
following rules to `/etc/apparmor.d/usr.bin.papers` fixes the problem:

  owner @{HOME}/.pki/** lrk,
  /sys/devices/** r,
  /run/pcscd/pcscd.comm rw,

If possible, please consider adjusting the AppArmor file in Debian so
that GNOME Papers can access the necessary NSS and smartcard paths by
default.

This is the file in the repository:
https://salsa.debian.org/gnome-team/papers/-/blob/debian/latest/debian/apparmor-profile

These are the messages in my journalctl:
--------------------
Apr 02 23:23:23 desktop kernel: audit: type=1400
audit(1743647003.486:12599): apparmor="DENIED" operation="file_lock"
class="file" profile="/usr/bin/papers"
name="/home/cristiano/.pki/nssdb/cert9.db" pid=811514 comm="papers"
requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

Apr 02 23:25:37 desktop kernel: audit: type=1400
audit(1743647137.429:12896): apparmor="DENIED" operation="file_lock"
class="file" profile="/usr/bin/papers" name="/home/cristiano/.pki>

Apr 02 23:31:26 desktop kernel: audit: type=1400
audit(1743647486.460:13357): apparmor="DENIED" operation="open"
class="file" profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0>

Apr 02 23:33:49 desktop kernel: audit: type=1400
audit(1743647629.944:13632): apparmor="DENIED" operation="connect"
class="file" profile="/usr/bin/papers" name="/run/pcscd/pcscd.comm">
--------------------

Best regards,
Cristiano Fraga G. Nunes


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages papers depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-5
ii  gsettings-desktop-schemas                    48.0-1
ii  libadwaita-1-0                               1.7.6-1~deb13u1
ii  libc6                                        2.41-12
ii  libgcc-s1                                    14.2.0-19
ii  libgdk-pixbuf-2.0-0                          2.42.12+dfsg-4
ii  libglib2.0-0t64                              2.84.4-3~deb13u1
ii  libgraphene-1.0-0                            1.10.8-5
ii  libgtk-4-1                                   4.18.6+ds-2
ii  libnautilus-extension4                       48.3-2
ii  libpango-1.0-0                               1.56.3-1
ii  libppsdocument-4.0-5                         48.3-1
ii  libppsview-4.0-4                             48.3-1
ii  papers-common                                48.3-1
ii  shared-mime-info                             2.4-5+b2

papers recommends no packages.

Versions of packages papers suggests:
ii  gvfs             1.57.2-2
pn  nautilus-sendto  <none>
ii  poppler-data     0.4.12-1
pn  unrar            <none>

-- no debconf information
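
The denials quoted in this report can be triaged mechanically. The following is an added example, not part of the original report or of the papers package: it parses `apparmor="DENIED"` audit records and prints exact-path candidate rules per profile for a maintainer to review before widening them to globs. The sample records, the user name `alice`, the function names, and the assumption that home directories live under `/home` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed records in the kernel audit format quoted in the report, one per
# line (journal wrapping undone; user name, pids and serials are made up).
SAMPLE = "\n".join([
    'kernel: audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="file_lock" '
    'class="file" profile="/usr/bin/papers" name="/home/alice/.pki/nssdb/cert9.db" '
    'pid=100 comm="papers" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000',
    'kernel: audit: type=1400 audit(2.0:2): apparmor="DENIED" operation="open" '
    'class="file" profile="/usr/bin/papers" name="/home/alice/.pki/nssdb/cert9.db" '
    'pid=100 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'kernel: audit: type=1400 audit(3.0:3): apparmor="DENIED" operation="connect" '
    'class="file" profile="/usr/bin/papers" name="/run/pcscd/pcscd.comm" '
    'pid=100 comm="papers" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(4.0:4): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/other" name="/etc/hosts" requested_mask="r" denied_mask="r"',
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in profile syntax.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return one dict of key=value fields per complete DENIED file record."""
    out = []
    for line in text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and f.keys() >= {"profile", "name", "denied_mask"}:
            out.append(f)
    return out

def candidate_rules(text):
    """Map profile -> sorted exact-path rules covering the denied masks."""
    perms, owned = defaultdict(set), defaultdict(lambda: True)
    for f in parse_denials(text):
        key = (f["profile"], re.sub(r"^/home/[^/]+/", "@{HOME}/", f["name"]))
        perms[key].update(LOG_TO_RULE.get(c, c) for c in f["denied_mask"])
        # "owner" is only safe if every denial was on a file the caller owns
        owned[key] &= "ouid" in f and f.get("fsuid") == f.get("ouid")
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        prefix = "owner " if owned[(profile, path)] else ""
        rules[profile].append(f"{prefix}{path} {''.join(sorted(p))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE).items():
        print(profile, *lines, sep="\n  ")
```

Records cut off by the pager (ending in `>` as in the journal excerpt above) lack `denied_mask` and are skipped, so capture the log with `journalctl --no-pager` to get complete lines.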