TL;DR: To get straight to the point (and because I'm pretty sure I'll need it down the road):
sudo pacman -S ccid opensc pcsc-toolssudo systemctl enable --now pcscd.service- Attach your USB reader and put your smart card in it;
-
opensc-tool -nto check if the card is supported. If it's not you need to figure out the manufacturer/vendor of your smart card and find out their driver - In this case, card was made by AET Europe, driver/package needed was "safesignidentityclient"
-
yay -S safesignidentityclient, during it you'll see the required file right there:
-
modutil -dbdir sql:$HOME/.pki/nssdb/ -add "AET SafeSign" -libfile /usr/lib/libaetpkss.soto load the driver up and you're home. - If you're using it on Firefox, you need to load the
/usr/lib/libaetpkss.sodriver on Settings > Privacy & Security > roll all the way down to Security Devices > Load
- if you're using it on a Chromium, from what I gather you don't need to do nothing else, Chromiums grab it straight from the
modutilstuff (or there was some other step I'm not seeing in history right now that did it)
I'm gonna add some keywords here to help possible neighbors find out what they're looking for:
identidade digital, certificado digital, acesso.gov.br
(original)
Took some time off, but thought I'd get back on it once more before going to bed. Thought I'd broaden my search beyond just Arch stuff, found this:
When I try to pkcs11-tool --list-objects --login, I get a weird error:
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1)
Aborting.
This other one also gives an error:
$ pkcs15-tool --list-info
Using reader with a card: Gemalto PC Twin Reader 00 00
Failed to connect to card: Card is invalid or cannot be handled
I know the certificate is valid because I can use it with no trouble on Windows, though...
Huh, I wonder if this is the problem:
$ opensc-tool -n
Using reader with a card: Gemalto PC Twin Reader 00 00
Unsupported card
Looks like what I actually need is this... I just need to find where to download the mf...
Closer I could find was 3.8.0.0 for Ubuntu...
Looks like the 3.7.0.0 is in AUR
yay -S safesignidentityclient, then loaded /usr/lib/libaetpkss.so on Firedragon and... SUCCESS.
At least so far. Let's see if this actually works.
On Firedragon it works, I was able to log in to a website using my certificate from the smart card. But still no success on Okular, still getting the "no sign certificates available" error there...
DING DING DING! I had forgotten to modutil this sucker in. modutil -dbdir sql:$HOME/.pki/nssdb/ -add "AET SafeSign" -libfile /usr/lib/libaetpkss.so and it showed right up on Okular!
Ah right, found this tab open and thought I should share: this is where it hit me to find the proper driver. I had found this 
article on Medium, and way down the road he mentions the SafenetAuthenticationClient-9.1.7–0_amd64.deb. That's when it hit me that I had already dealt with safesignidentityclient before and had to find it!