Sign with your Estonian ID card under NixOS
This note shows how to install the Estonian Electronic Identity Software on NixOS.
ID-software – what’s this?
ID-software allows you to use your ID-card electronically – use private and governmental e-services, digitally sign documents and encrypt documents for safe transfer.
With the ID-card Digidoc4 utility you can check the functioning of your ID-card and the validity of its certificates, and change PIN and PUK codes. The ID-card utility window displays the ID-card owner’s data and ID-card validity data. This information is constantly visible while the ID-card utility is running. The ID-card utility enables you to perform actions with certificates (extend them, change and unblock PIN codes and the PUK code).
The Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography. Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the first phase.
Installation
- Install the required packages in NixOS:

  Insert in the packages list in configuration.nix:

      packages = with pkgs; [
        qdigidoc     # Digidoc
        web-eid-app  # Signing in browser
        p11-kit      # Signing in browser
        opensc       # Signing in browser
      ];

  Important: do not add any firefox* packages in pkgs! Note, the firefox-esr package is pulled in below with programs.firefox.package = pkgs.firefox-esr;

  Execute in a terminal:

      sudo nixos-rebuild switch
- Check success:

  Insert your ID card in the reader and invoke the Digidoc application:

      $ qdigidoc4
      Failed to parse public key
      QObject: Cannot create children for a parent that is in a different thread.
      (Parent is QSigner(0x10cb9d0), parent's thread is QThread(0xecab00), current thread is QSigner(0x10cb9d0)
      "3BDB960080B1FE451F830012233F536549440F9000F1"
      Loading: "opensc-pkcs11.so"
      2024-04-03T09:40:25Z I [X509CertStore.cpp:63] - Loaded 58 certificates into TSL certificate store.
      TSL loading finished
      "OpenSC Project (2.20)" "OpenSC smartcard framework (0.25)" Flags: 0
      qdigidoc4.QSmartCard: Polling
      qdigidoc4.QSmartCard: Read "Alcor Micro AU9540 00 00"
      qdigidoc4.QSmartCard: Read card "EC1278287" info
      ...

  The Digidoc application should now open, and in the upper right corner of the Digidoc window you should see your name and your “isikukood”.
- Configure the helper software web-eid-app:

  Add to your configuration.nix:

      services.pcscd.enable = true;
      programs.firefox.enable = true;
      programs.firefox.package = pkgs.firefox-esr;
      programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
      programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
      # Authentication
      environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
        module: ${pkgs.opensc}/lib/opensc-pkcs11.so
      '';

  Execute in a terminal:

      sudo nixos-rebuild switch
- Enable logging (for testing only):

  - Enable logging:

        echo 'logging=true' > ~/.config/RIA/web-eid.conf

  - Check success:

        web-eid

    An About Web eID dialogue window appears. Click on [Cancel].

        cat ~/.local/share/RIA/web-eid/web-eid.log

    You should see something like:

        2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode

- Install the browser extension within Firefox from Web eID – Get this Extension for Firefox (en-US)
- Check success:

  - Enable logging:

  - Insert Estonian ID card.

  - Check with DigiDoc that the ID card reader and its driver work.

  - Go to https://web-eid.eu/ and click on [Authenticate]. Type your PIN1, you should see:

        Digital signing
        Welcome, XXX XXX!

    Press the button [Sign document], then type your PIN2, you should see:

        Digital signing
        Welcome, XXX XXX!
        Signature added: example-for-signing.asice

- Disable logging:

      rm ~/.config/RIA/web-eid.conf
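
A post-install check for the steps above, as an added example that is not part of the original note: it verifies that the p11-kit module file points at a readable library, that web-eid recorded a start in its log, and that the test-only logging has been switched off again. The paths are the ones used on this page; the function names and the --system switch are hypothetical.

```sh
#!/bin/sh
# Added example: post-install checks for the setup described on this page.
# Function names and the --system switch are hypothetical; paths come from the page.

# Print the library path from a p11-kit module file ("module: /path/lib.so").
pkcs11_module_path() {
    sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1
}

# Succeed only if the module file names a library that exists and is readable.
check_pkcs11_module() {
    lib=$(pkcs11_module_path "$1")
    [ -n "$lib" ] && [ -r "$lib" ]
}

# Succeed if Web eID logging is still switched on (the page enables it for testing only).
webeid_logging_enabled() {
    [ -f "$1" ] && grep -q '^logging=true$' "$1"
}

# Succeed if the log shows that web-eid started in command-line mode.
webeid_cli_started() {
    [ -f "$1" ] && grep -q '"web-eid" app ".*" running in command-line mode' "$1"
}

# Run all checks against the given (or default) paths; returns the number of problems.
run_checks() {
    module=${1:-/etc/pkcs11/modules/opensc-pkcs11}
    conf=${2:-$HOME/.config/RIA/web-eid.conf}
    log=${3:-$HOME/.local/share/RIA/web-eid/web-eid.log}
    problems=0
    if check_pkcs11_module "$module"; then echo "ok:   $module -> $(pkcs11_module_path "$module")"
    else echo "FAIL: $module is missing or names an unreadable library"; problems=$((problems + 1)); fi
    if webeid_cli_started "$log"; then echo "ok:   web-eid start recorded in $log"
    else echo "FAIL: no web-eid start line in $log"; problems=$((problems + 1)); fi
    if webeid_logging_enabled "$conf"; then
        echo "WARN: logging still enabled in $conf; remove it after testing"; problems=$((problems + 1))
    else echo "ok:   web-eid logging is off"; fi
    return "$problems"
}

# Check the live system only when asked to.
if [ "${1:-}" = "--system" ]; then run_checks; fi
```

Run it with --system after the final "Disable logging" step; the log file written during testing stays in place, so the start-line check still passes.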
Troubleshooting: consider this thread