python-validity + open-fprintd on Ubuntu 26.04
Tested on Lenovo ThinkPad T470s. The 138a:0097 Validity sensor is shared across several ThinkPad models from the 2016–2017 generation, including the T470, T470p, T570, X270, X1 Carbon 5th gen, X1 Yoga 2nd gen, and P51. This guide applies to all of them.
Prerequisites
Confirm your sensor is 138a:0097:
Expected output: ID 138a:0097 Validity Sensors, Inc.
Step 1: Windows initialization (required if sensor is unprovisioned)
The 138a:0097 sensor uses Match-on-Chip storage that must be initialized by the Windows driver before Linux can use it. If the sensor has never been paired with a host — common on fresh installs or wiped machines — Linux will fail silently.
Check if already provisioned:
sudo systemctl start python3-validity
sudo validity-sensors-tools.initializer 2>&1 | head -5
If you see Device is already initialized or enrollment works in Step 4, skip this section.
If not provisioned: Boot Windows (via dual-boot or a temporary Ventoy USB with a Windows ISO), install the Validity/Synaptics fingerprint driver from Lenovo's support site, enroll at least one finger, then return to Linux. You do not need to keep Windows — one successful boot is enough to provision the chip.
Step 2: Install open-fprintd and python-validity
Ubuntu 26.04 ships fprintd by default, which does not support 138a:0097. You need open-fprintd as a drop-in replacement.
sudo add-apt-repository ppa:ubuntuhandbook1/open-fprintd
sudo apt update
sudo apt install open-fprintd fprintd-clients python3-validity
If apt complains about dependency conflicts with libpam-fprintd or fprintd:
sudo apt install open-fprintd fprintd-clients python3-validity \
--ignore-depends=fprintd,libpam-fprintd
Then hold the conflicting packages to prevent apt from overwriting them:
sudo apt-mark hold fprintd libpam-fprintd
Step 3: Wire PAM
Enable fingerprint auth system-wide:
Check the box for fingerprint authentication and confirm.
If using polkit (e.g. for sudo in GUI apps): create /etc/pam.d/polkit-1 if it doesn't exist:
sudo tee /etc/pam.d/polkit-1 << 'EOF'
auth sufficient pam_fprintd.so
auth include common-auth
account include common-account
session include common-session
EOF
Step 4: Fix D-Bus permissions (if needed)
If open-fprintd fails to start with AccessDenied errors in journalctl, create a D-Bus policy override:
sudo tee /etc/dbus-1/system.d/open-fprintd-validity-fix.conf << 'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="net.reactivated.Fprint"/>
<allow send_destination="net.reactivated.Fprint"/>
<allow receive_sender="net.reactivated.Fprint"/>
<allow own="io.github.uunicorn.Fprint"/>
<allow send_destination="io.github.uunicorn.Fprint"/>
<allow receive_sender="io.github.uunicorn.Fprint"/>
</policy>
<policy context="default">
<allow send_destination="net.reactivated.Fprint"/>
<allow receive_sender="net.reactivated.Fprint"/>
<allow send_destination="io.github.uunicorn.Fprint"/>
<allow receive_sender="io.github.uunicorn.Fprint"/>
</policy>
</busconfig>
EOF
sudo systemctl restart dbus open-fprintd python3-validity
Step 5: Enroll fingerprints
Follow prompts. Enroll the finger you want to use for login/sudo.
Verify enrollment:
Step 6: Fix suspend/resume
open-fprintd installs suspend/resume hooks automatically. Confirm the services exist and are enabled:
systemctl status open-fprintd-suspend.service open-fprintd-resume.service
Both should appear as static (linked into suspend/hibernate targets). If fingerprint auth fails after resume, check:
journalctl | grep -E "open-fprintd|python3-validity" | tail -20
A Failed to interact with fprintd service error from GNOME Shell at resume time means the lock screen raced against the service restart. The root cause is the resume hook restarting both services sequentially while GNOME Shell queries the D-Bus name simultaneously. No robust fix is known without patching the hook — the stock behavior is functional if imperfect.
Step 7: GNOME Keyring conflict (autologin only)
If you use autologin and GNOME prompts for a keyring password on every login, delete the default keyring:
rm ~/.local/share/keyrings/login.keyring
You will be prompted to create a new (blank-password) keyring on next login.
Troubleshooting
Start request repeated too quickly — python3-validity is crash-looping. Usually means the sensor is not provisioned (see Step 1) or a stale lock file exists:
sudo systemctl stop python3-validity
sudo rm -f /var/run/python-validity*.lock
sudo systemctl start python3-validity
journalctl -u python3-validity -n 30
NoSuchDevice from fprintd-enroll — open-fprintd is not running or python3-validity hasn't finished initializing. Wait a few seconds and retry, or check systemctl status open-fprintd.
Sensor not found after reinstalling Linux — If you wiped Windows and the sensor was previously provisioned to it, you may need to re-provision. Boot a Windows environment and re-enroll as in Step 1.
message type 15 error — The sensor's internal storage is locked to a Windows enclave (common on second-hand machines). You must boot the original Windows installation or reset the sensor. See upstream issue tracker for details.
python-validity + open-fprintd on Ubuntu 26.04
Tested on Lenovo ThinkPad T470s. The
138a:0097Validity sensor is shared across several ThinkPad models from the 2016–2017 generation, including the T470, T470p, T570, X270, X1 Carbon 5th gen, X1 Yoga 2nd gen, and P51. This guide applies to all of them.Prerequisites
Confirm your sensor is
138a:0097:lsusb | grep -i validityExpected output:
ID 138a:0097 Validity Sensors, Inc.Step 1: Windows initialization (required if sensor is unprovisioned)
The
138a:0097sensor uses Match-on-Chip storage that must be initialized by the Windows driver before Linux can use it. If the sensor has never been paired with a host — common on fresh installs or wiped machines — Linux will fail silently.Check if already provisioned:
If you see
Device is already initializedor enrollment works in Step 4, skip this section.If not provisioned: Boot Windows (via dual-boot or a temporary Ventoy USB with a Windows ISO), install the Validity/Synaptics fingerprint driver from Lenovo's support site, enroll at least one finger, then return to Linux. You do not need to keep Windows — one successful boot is enough to provision the chip.
Step 2: Install open-fprintd and python-validity
Ubuntu 26.04 ships
fprintdby default, which does not support138a:0097. You needopen-fprintdas a drop-in replacement.If
aptcomplains about dependency conflicts withlibpam-fprintdorfprintd:Then hold the conflicting packages to prevent apt from overwriting them:
Step 3: Wire PAM
Enable fingerprint auth system-wide:
Check the box for fingerprint authentication and confirm.
If using polkit (e.g. for
sudoin GUI apps): create/etc/pam.d/polkit-1if it doesn't exist:Step 4: Fix D-Bus permissions (if needed)
If
open-fprintdfails to start withAccessDeniederrors injournalctl, create a D-Bus policy override:Step 5: Enroll fingerprints
Follow prompts. Enroll the finger you want to use for login/sudo.
Verify enrollment:
Step 6: Fix suspend/resume
open-fprintdinstalls suspend/resume hooks automatically. Confirm the services exist and are enabled:Both should appear as
static(linked into suspend/hibernate targets). If fingerprint auth fails after resume, check:A
Failed to interact with fprintd serviceerror from GNOME Shell at resume time means the lock screen raced against the service restart. The root cause is the resume hook restarting both services sequentially while GNOME Shell queries the D-Bus name simultaneously. No robust fix is known without patching the hook — the stock behavior is functional if imperfect.Step 7: GNOME Keyring conflict (autologin only)
If you use autologin and GNOME prompts for a keyring password on every login, delete the default keyring:
rm ~/.local/share/keyrings/login.keyringYou will be prompted to create a new (blank-password) keyring on next login.
Troubleshooting
Start request repeated too quickly—python3-validityis crash-looping. Usually means the sensor is not provisioned (see Step 1) or a stale lock file exists:sudo systemctl stop python3-validity sudo rm -f /var/run/python-validity*.lock sudo systemctl start python3-validity journalctl -u python3-validity -n 30NoSuchDevicefrom fprintd-enroll —open-fprintdis not running orpython3-validityhasn't finished initializing. Wait a few seconds and retry, or checksystemctl status open-fprintd.Sensor not found after reinstalling Linux — If you wiped Windows and the sensor was previously provisioned to it, you may need to re-provision. Boot a Windows environment and re-enroll as in Step 1.
message type 15error — The sensor's internal storage is locked to a Windows enclave (common on second-hand machines). You must boot the original Windows installation or reset the sensor. See upstream issue tracker for details.