.. excerpt-begin

This note shows how to install the `Estonian Electronic Identity Software`_ on
Debian 9.

.. IMPORTANT::

   Update 20180621: Ria does not maintain the `zesti` binaries any more.
   Therefore I replaced the link in script to `xenial` instead. Although
   there are no dependency clashes on my system, I do not have the time to
   test a fresh install now. Feedback is appreciated.

ID-software_ – what’s this?
===========================

ID-software allows you to use your ID-card electronically – use private and
governmental e-services, digitally sign documents and encrypt documents for
safe transfer.

During ID-software installation 3 programs are installed into your computer:
ID-card utility, DigiDoc3 client and DigiDoc3 crypto.

With ID-card utility you can check the functioning of your ID-card and
certificate validity, change PIN and PUK codes. The ID-card utility window
displays the ID-card owner’s data and ID-card validity data. This information
is constantly visible when ID-card utility is running. ID-card utility enables
you to perform actions with certificates (extend them, change and unblock PIN
codes and PUK code), configure @eesti.ee email address.

.. _ID-software: https://id.ee
.. _Estonian electronic identity software: https://installer.id.ee

.. excerpt-end

Installation
============

.. TIP::

   The installer script will automatically install a plugin for Firefox-ESR.
   The plugin works out of the box with Firefox 57 Quantum.

#. Download the installer script_.

#. Edit the script

   Replace:

   .. code:: bash

      case $codename in
        wheezy) add_repository trusty ;;
        *) make_fail "Debian $codename is not officially supported" ;;

   With:

   .. code:: bash

      case $codename in
        wheezy) add_repository trusty ;;
        stretch) add_repository xenial ;;
        *) make_fail "Debian $codename is not officially supported" ;;

#. Download `libssl1.0.0`_ for your architecture (scroll down)

#. Install `libssl1.0.0`::

      sudo dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb

   (your exact package name might be different).

#. Run the modified installation script [#]_ ::

      chmod 755 install-open-eid.sh
      ./install-open-eid.sh

.. [#] The script creates the file
   `/etc/apt/sources.list.d/ria-repository.list` with the following content::

      deb https://installer.id.ee/media/ubuntu/ xenial main

   Then it imports the repository key and runs `apt-get update` and
   `apt-get install open-eid`.

.. note:: The `source code`_ of the Estonian ID software is hosted on GitHub.

.. _source code: https://github.com/open-eid
.. _script: https://installer.id.ee/media/install-scripts/install-open-eid.sh
.. _libssl1.0.0: https://packages.debian.org/jessie-backports/libssl1.0.0

Check the installation
======================

Among other things the installer script installs a meta package ``open-eid``
which installs ``chrome-token-signing``, ``firefox-pkcs11-loader``,
``libdigidoc-tools``, ``libdigidocpp-tools``, ``libnss3-tools``,
``qdigidoc-tera`` and ``qdigidoc4``. These packages also depend on other
packages and install them.

To check if the ``Digidoc Open-EID`` extensions are properly installed in
*Firefox Quantum*, open in the main menu: ``Tools->Add-ons->extensions``.
Here you should see two extensions loaded:

* Firefox PKCS11 loader (Configures Firefox to use PKCS11 for authentication)
* Token signing (Use your eID smart card on the web)

Troubleshooting
===============

**Update 2018-06-21:** Ria does not maintain the ``zesti`` binaries any more.
Therefore I replaced the link in script to ``xenial`` instead. Although there
are no dependency clashes on my system, I do not have the time to test a fresh
install now. Feedback is appreciated.

**Update 2018-12-12:**

1. Bugreport

   During the last update of the package ``AWP`` to version 5.3.0.16.04.130 on
   my Debian 9 machine, I experienced the following problem:

   .. code:: bash

      # apt upgrade
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      Calculating upgrade... Done
      0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
      2 not fully installed or removed.
      After this operation, 0 B of additional disk space will be used.
      Do you want to continue? [Y/n]
      Setting up awp (5.3.0.16.04.130) ...
      Adding smartcard support in Google Chrome ...
      dpkg: error processing package awp (--configure):
       subprocess installed post-installation script returned error exit status 1
      dpkg: dependency problems prevent configuration of open-eid:
       open-eid depends on awp; however:
        Package awp is not configured yet.

      dpkg: error processing package open-eid (--configure):
       dependency problems - leaving unconfigured
      Errors were encountered while processing:
       awp
       open-eid
      E: Sub-process /usr/bin/dpkg returned an error code (1)

2. Here my workaround

   1. Disable the ``postinst`` execution:

      .. code:: bash

         echo '#!/bin/sh' | sudo tee /var/lib/dpkg/info/awp.postinst

   2. Extract the binaries:

      .. code:: bash

         sudo apt install awp

   3. Extract the file ``postinst`` from the debian package
      ``awp_5.3.0.16.04.130_amd64.deb`` you will find in
      ``/var/cache/apt/archives``:

      .. code:: bash

         cd /var/cache/apt/archives
         cp awp_5.3.0.16.04.130_amd64.deb /tmp
         cd /tmp
         ar x awp_5.3.0.16.04.130_amd64.deb
         tar -xzf control.tar.gz

      If the above seems too complicated, here is the content of ``postinst``.
      Create a file named ``postinst`` and copy the content there.

      .. code:: bash

         #!/bin/bash

         NSSDB=$HOME/.pki/nssdb
         MODUTIL="/usr/bin/modutil -force -dbdir sql:$NSSDB"
         CERTUTIL="/usr/bin/certutil -d sql:$NSSDB"
         LIBFILE=/usr/local/AWP/lib/libOcsPKCS11Wrapper.so

         if [ -n "`which apt-get`" ]; then
           sudo apt-get -y install libnss3-tools 2>/dev/null
         fi
         if [ -n "`which yum`" ]; then
           sudo yum install libnss3-tools 2>/dev/null
         fi
         echo "Adding smartcard support in Google Chrome ..."
         if [ ! -f $NSSDB/cert9.db ]; then
           echo "Initializing new database"
           sudo -i -u $SUDO_USER mkdir -p $HOME/.pki
           sudo -i -u $SUDO_USER mkdir -p $NSSDB
           sudo -i -u $SUDO_USER $CERTUTIL -N --empty-password
         fi
         if [ -f $LIBFILE ]; then
           sudo -i -u $SUDO_USER $MODUTIL -delete idemia-pkcs11 2>/dev/null
           sudo -i -u $SUDO_USER $MODUTIL -add idemia-pkcs11 -libfile $LIBFILE -mechanisms FRIENDLY 2>/dev/null
           exit
         fi

   4. and execute it manually as normal user (not as root):

      .. code:: bash

         ./postinst
         Reading package lists... Done
         Building dependency tree
         Reading state information... Done
         libnss3-tools is already the newest version (2:3.26.2-1.1+deb9u1).
         libnss3-tools set to manually installed.
         0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
         2 not fully installed or removed.
         After this operation, 0 B of additional disk space will be used.
         Setting up awp (5.3.0.16.04.130) ...
         Adding smartcard support in Google Chrome ...
         Module "idemia-pkcs11" added to database.
         Setting up open-eid (18.12.0.1815-1604) ...
         Adding smartcard support in Google Chrome ...

Read more in `DigiDoc4-Client issue 435`_ and
`open-eid linux installer issue 37`_.

.. _DigiDoc4-Client issue 435: https://github.com/open-eid/DigiDoc4-Client/issues/435
.. _open-eid linux installer issue 37: https://github.com/open-eid/linux-installer/issues/37

**Update 15.1.2019**

1. Bugreport

   After a recent system-upgrade ``qdigidoc4`` does not start and emits the
   following error message::

      $ qdigidoc4
      Chache configuration serial: 82
      Bundled configuration serial: 79
      QObject: Cannot create children for a parent that is in a different thread.
      (Parent is QSigner(0x19b4360), parent's thread is QThread(0x183d400), current thread is QSigner(0x19b4360)
      qdigidoc4: symbol lookup error: /usr/lib/x86_64-linux-gnu/libdigidocpp.so.1: undefined symbol: _ZN11xalanc_1_1114XPathEvaluator10initializeERN11xercesc_3_113MemoryManagerE

2. Cause

   The upgraded package ``libxml-security-c`` requires a specific version of ``libxalan-c111``!
   The *version 1.7.3-1RIA1* of ``libxml-security-c`` pulls ``libxalan-c111``,
   but the latter mustn't be too recent! On my Debian 9 system
   ``libxalan-c111`` *version 1.11-6* works well, but
   *version 1.11-9~bpo9+1* does not.

3. Solution

   Downgrade the package ``libxalan-c111``::

      $ sudo apt-get install libxalan-c111=1.11-6
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      libxalan-c111 set to manually installed.
      $ sudo apt-mark hold libxalan-c111

4. Conclusion

   Digidoc on Debian 9 still works as long as you somehow get the broken
   package ``awp`` installed (see above). You also have to take care that you
   hold the package ``libxalan-c111`` at version 1.11-6 and do not upgrade it.

   Here is a list of packages with version numbers I installed from the
   RIA-repository https://installer.id.ee/media/ubuntu/::

      Package                 Installed version
      ----------------------  -------------------
      awp                     5.3.0.16.04.130
      chrome-token-signing    1:1.0.8.500-1604
      firefox-pkcs11-loader   3.13.0.1074-1604
      libdigidoc-common       3.10.1.1212-1510
      libdigidoc-tools        3.10.1.1212-1510
      libdigidoc2             3.10.1.1212-1510
      libdigidocpp-common     3.13.8.1379-1604
      libdigidocpp-tools      3.13.8.1379-1604
      libdigidocpp1           3.13.8.1379-1604
      libxml-security-c17v5   1.7.3-1RIA1
      open-eid                18.12.0.1815-1604
      opensc                  0.19.0-0RIA2
      opensc-pkcs11           0.19.0-0RIA2
      qdigidoc-tera           1.1.0.12-1604
      qdigidoc4               4.2.0.43-1604

Critics and outlook
===================

From my point of view the DigiDoc Linux (hence FOSS) support has been neglected
recklessly. There is only one distribution left with only 2 versions supported
in total. But the common argument that support for more Linux distributions is
too expensive is not valid any more: A reasonable remedy to improve this
situation at low costs is the Flatpak technology. Today Flatpaks are
well-supported on every Linux system [1]_.

.. [1] I suggest Flatpak in favour of its competitor SnapCraft because Flatpak
   is `well-supported on all Linux system`_ and its built-in
   `application sandboxing`_: All applications are limited to a set of
   predefined permissions, enhancing privacy and security. Setting up a
   Flatpak repository is child's play. Flatpak is developed by an independent
   community, with no lock-in to a single vendor. SnapCraft (Snappy) is
   developed by Ubuntu and
   `not well-supported on other Linux distributions than Ubuntu`_. Thus,
   distributing DigiDoc as SnapCraft packages would have very little advantage
   compared to the current situation.

.. _well-supported on all Linux system: https://kamikazow.wordpress.com/2017/02/09/adoption-of-flatpak-vs-snap/
.. _application sandboxing: https://www.slant.co/versus/23675/30031/~flatpak_vs_snapcraft
.. _not well-supported on other Linux distributions than Ubuntu: https://kamikazow.wordpress.com/2017/02/09/adoption-of-flatpak-vs-snap/

In addition to the DigiDoc Desktop application, the question arises how to
distribute the corresponding browser plugin. Here is a statement of `RIA`_:

   Currently Information Authority does not have plans to address this issue
   due to nature of Open-EID software architecture. Releasing Digidoc client
   is possible through other mediums such as AppImage, Snapcraft or in your
   case Flatpak but necessary plugins for browsers can not be transferred
   through those services. [...] Although Digidoc client is functional without
   browser plugins installed, are significant components that shouldn't be
   separated.

   -- Markus Kullerkup, 5 Sep 2018, `Flatpak support, Issue #318, open-eid/DigiDoc4-Client`_

I disagree with this statement: Internet browsers always have had their proper
infrastructure to distribute and install plugins.
It is common that a Desktop application needs an additional plugin that has to
be installed from the browser's plugin repositories (a kind of app-store for
browser): For example, the very popular and widespread `Zotero`_ software shows
that this model works well and is widely accepted. As a result, distributing
the DigiDoc Desktop Application as a Flatpak package and the browser plugin
through the browser's plugin store would not pose a problem. This is especially
true for Linux users who are in general more technically adept than the average
Windows user.

For Estonians the DigiDoc software is crucial because it is indispensable to
deal with legal digital signatures. As of 22.04.2019 RIA the only Open Source
Desktop operating system that has support for DigiDoc is Ubuntu 16.04 (LTS),
18.04 (LTS) (64bit), 18.10. All other Linux distributions are ruled out which
discriminates Open Source technologies in favour of Microsoft.

What to do?

Digidoc is developed by `RIA`_ the Information System Authority of Estonia, a
governmental authority in the jurisdiction of the Ministry of Economic Affairs
and Communications. Technically the problem is easy to remediate: Flatpak
provides the technical platform for a cross-Linux-distribution development and
distribution of software. What is missing is the RIA's political will to invest
in open source technologies and infrastructure.

How to improve this situation?

As RIA is a public agent actor, I suggest to `write to RIA`_ and manifest your
interest in Linux support.

.. _Zotero: https://www.zotero.org/
.. _RIA: https://www.ria.ee/en.html
.. _write to RIA: https://www.ria.ee/en/contacts.html
.. _Flatpak support, Issue #318, open-eid/DigiDoc4-Client: https://github.com/open-eid/DigiDoc4-Client/issues/318
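
Back to the Troubleshooting section: both workarounds aim for a specific ``dpkg`` state, with ``awp`` and ``open-eid`` fully configured and ``libxalan-c111`` installed at 1.11-6 and on hold. The following is an added example, not part of the original note or of RIA's packages, that audits this state from ``dpkg-query`` output read on stdin; the function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original note). Input on stdin, one line per
# package: "<pkg> <version> <abbrev>", as printed by
#   dpkg-query -W -f='${Package} ${Version} ${db:Status-Abbrev}\n' awp open-eid libxalan-c111
# abbrev: 1st char = wanted state (i install, h hold); 2nd char = current
# state (i installed, U unpacked, F half-configured).
XALAN_PIN="1.11-6"   # version the note reports as working on Debian 9

# Prints one finding per line; returns the number of findings (0 = healthy).
audit_eid_state() {
    findings=0 seen_xalan=0
    while read -r pkg ver st; do
        [ -n "$pkg" ] || continue
        case $st in
            ?i*) ;;                                # fully configured
            *)   echo "NOT-CONFIGURED $pkg ($st)"  # e.g. postinst failed
                 findings=$((findings + 1)) ;;
        esac
        [ "$pkg" = "libxalan-c111" ] || continue
        seen_xalan=1
        [ "$ver" = "$XALAN_PIN" ] || {
            echo "WRONG-VERSION $pkg $ver (want $XALAN_PIN)"
            findings=$((findings + 1)); }
        case $st in
            h*) ;;                                 # apt-mark hold is in effect
            *)  echo "NOT-HELD $pkg"               # next upgrade may replace it
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$seen_xalan" -eq 1 ] || {
        echo "MISSING libxalan-c111"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: failed awp upgrade plus the backported libxalan-c111.
sample_broken() {
    printf '%s\n' 'awp 5.3.0.16.04.130 iF' 'open-eid 18.12.0.1815-1604 iU' \
                  'libxalan-c111 1.11-9~bpo9+1 ii'
}
# Constructed sample: state after both workarounds were applied.
sample_fixed() {
    printf '%s\n' 'awp 5.3.0.16.04.130 ii' 'open-eid 18.12.0.1815-1604 ii' \
                  'libxalan-c111 1.11-6 hi'
}

sample_broken | audit_eid_state || echo "findings: $?"
sample_fixed  | audit_eid_state && echo "fixed sample is clean"
```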