Funkenflug aus flammenden Synapsen.

Because I'm going to need this again: fixing firefox/nss token certificate bug

Documenting this here because Mozilla's docs are bullshit. I have no idea how much kool-aid is needed to actually try and develop extensions for this crock of shit…

For some time now, you can't seem to save settings you make in the security devices settings. (To be exact: you can see them added to the NSS database, but on restarting your thunderbird/firefox, your NSS database is overwritten with one only containing the default entries. Removing permissions fro the relevant database files in the profile directory only leads to the software ignoring them.)

Anyway, so find a elevated javascript console (in thunderbird, that's Ctrl-Shift-J) and paste

Components.classes[";1"].getService(Components.interfaces.nsIPKCS11).addModule("p11autoproxy", "/usr/lib64/", 0, 0); 
Components.classes[";1"].getService(Components.interfaces.nsIPK11TokenDB).findTokenByName("PIV_II (PIV Card Holder pin)").login(true);

Obviously, the name might be different for you – if you manually add the device through the GUI, it's the string listed as "Label".

Next on the list: find out how to either force this early enough in the startup process or to automatically re-select the certs to use for signatures for certain accounts.