This note shows how to install the Estonian Electronic Identity Software on Debian 9.

Important

Update 20180621: RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script to xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.

1. ID-software – what’s this?

ID-software allows you to use your ID-card electronically – use private and governmental e-services, digitally sign documents and encrypt documents for safe transfer.

During ID-software installation 3 programs are installed into your computer: ID-card utility, DigiDoc3 client and DigiDoc3 crypto.

With ID-card utility you can check the functioning of your ID-card and certificate validity, change PIN and PUK codes. The ID-card utility window displays the ID-card owner’s data and ID-card validity data. This information is constantly visible when ID-card utility is running. ID-card utility enables you to perform actions with certificates (extend them, change and unblock PIN codes and PUK code), configure @eesti.ee email address.

2. Installation

Tip

The installer script will automatically install a plugin for Firefox-ESR. The plugin works out of the box with Firefox 57 Quantum.

  1. Download the installer script.

  2. Edit the script

    Replace:

    case $codename in
      wheezy)
        add_repository trusty
        ;;
      *)
        make_fail "Debian $codename is not officially supported"
        ;;
    

    With:

    case $codename in
      wheezy)
        add_repository trusty
        ;;
      stretch)
        add_repository xenial
        ;;
      *)
        make_fail "Debian $codename is not officially supported"
        ;;
    
  3. Download libssl1.0.0 for your architecture (scroll down)

  4. Install libssl1.0.0:

    sudo dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
    

    (your exact package name might be different).

  5. Run the modified installation script [1]

    chmod 755 install-open-eid.sh
    ./install-open-eid.sh
    
[1]

The script creates the file /etc/apt/sources.list.d/ria-repository.list with the following content:

deb https://installer.id.ee/media/ubuntu/ xenial main

Then it imports the repository key and runs apt-get update and apt-get install open-eid.
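
A check for the repository entry described above, as an added example that is not part of the installer script or of the original note: it audits the file the script writes and reports anything other than the expected line, including an option that switches off signature verification. The function name is made up for this example; the expected URI and suite are the ones quoted in this note.

```shell
#!/bin/sh
# Added example (not from the installer): audit the apt source entry that
# the script writes. Expected values are the ones quoted in this note.
EXPECTED_URI='https://installer.id.ee/media/ubuntu/'
EXPECTED_SUITE='xenial'

# audit_ria_source FILE
# Prints one finding per line; returns 0 when the file holds only the
# expected entry, 1 otherwise.
audit_ria_source() {
    awk -v want_uri="$EXPECTED_URI" -v want_suite="$EXPECTED_SUITE" '
        function flag(msg) { print "line " NR ": " msg; bad++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            entries++
            i = 2; opts = ""
            if ($i ~ /^\[/) {                    # optional "[key=value ...]" block
                while (i <= NF) {
                    opts = opts " " $i
                    closed = ($i ~ /\]$/)
                    i++
                    if (closed) break
                }
            }
            uri = $i; suite = $(i + 1)
            if ($1 != "deb")          flag("unexpected entry type " $1)
            if (opts ~ /trusted=yes/) flag("signature checks disabled:" opts)
            if (uri != want_uri)      flag("unexpected URI " uri)
            if (suite != want_suite)  flag("unexpected suite " suite)
        }
        END {
            if (entries == 0) { print "no repository entry found"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Usage: sh audit-ria-source.sh /etc/apt/sources.list.d/ria-repository.list
if [ $# -gt 0 ]; then
    audit_ria_source "$1"
fi
```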

Note

The source code of the Estonian ID software is hosted on Github.

3. Check the installation

Among other things the installer script installs a meta package open-eid which installs chrome-token-signing, firefox-pkcs11-loader, libdigidoc-tools, libdigidocpp-tools, libnss3-tools, qdigidoc-tera and qdigidoc4. These packages also depend on other packages and install them.

To check if the Digidoc Open-EID extensions are properly installed in Firefox Quantum, open in the main menu: Tools->Add-ons->extensions.

Here you should see two extensions loaded:

  • Firefox PKCS11 loader (Configures Firefox to use PKCS11 for authentication)
  • Token signing (Use your eID smart card on the web)

4. Troubleshooting

Update 2018-06-21:

RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script to xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.

Update 2018-12-12:

  1. Bugreport

    During the last update of the package AWP to version 5.3.0.16.04.130 on my Debian 9 machine, I experienced the following problem:

    # apt upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    2 not fully installed or removed.
    After this operation, 0 B of additional disk space will be used.
    Do you want to continue? [Y/n]
    Setting up awp (5.3.0.16.04.130) ...
    Adding smartcard support in Google Chrome ...
    dpkg: error processing package awp (--configure):
     subprocess installed post-installation script returned error exit status 1
    dpkg: dependency problems prevent configuration of open-eid:
     open-eid depends on awp; however:
      Package awp is not configured yet.
    
    dpkg: error processing package open-eid (--configure):
     dependency problems - leaving unconfigured
    Errors were encountered while processing:
     awp
     open-eid
    E: Sub-process /usr/bin/dpkg returned an error code (1)
    
  2. Here is my workaround

    1. Disable the postinst execution:

      echo '#!/bin/sh' | sudo tee /var/lib/dpkg/info/awp.postinst
      
    2. Extract the binaries:

      sudo apt install awp
      
    3. Extract the file postinst from the Debian package awp_5.3.0.16.04.130_amd64.deb, which you will find in /var/cache/apt/archives:

      cd /var/cache/apt/archives
      cp awp_5.3.0.16.04.130_amd64.deb /tmp
      cd /tmp
      ar x awp_5.3.0.16.04.130_amd64.deb
      tar -xzf control.tar.gz
      

      If the above seems too complicated, here is the content of postinst. Create a file named postinst and copy the content there.

      #!/bin/bash
      
      NSSDB=$HOME/.pki/nssdb
      MODUTIL="/usr/bin/modutil -force -dbdir sql:$NSSDB"
      CERTUTIL="/usr/bin/certutil -d sql:$NSSDB"
      LIBFILE=/usr/local/AWP/lib/libOcsPKCS11Wrapper.so
      
      if [ -n "`which apt-get`" ];
      then
          sudo apt-get -y install libnss3-tools 2>/dev/null
      fi
      if [ -n "`which yum`" ];
      then
          sudo yum install libnss3-tools 2>/dev/null
      fi
      
      echo "Adding smartcard support in Google Chrome ..."
      
      if [ ! -f $NSSDB/cert9.db ]; then
          echo "Initializing new database"
          sudo -i -u $SUDO_USER mkdir -p $HOME/.pki
          sudo -i -u $SUDO_USER mkdir -p $NSSDB
          sudo -i -u $SUDO_USER $CERTUTIL -N --empty-password
      fi
      
      if [ -f $LIBFILE ]; then
          sudo -i -u $SUDO_USER $MODUTIL -delete idemia-pkcs11 2>/dev/null
          sudo -i -u $SUDO_USER $MODUTIL -add idemia-pkcs11 -libfile $LIBFILE -mechanisms FRIENDLY 2>/dev/null
          exit
      fi
      
    4. Execute it manually as a normal user (not as root):

      ./postinst
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      libnss3-tools is already the newest version (2:3.26.2-1.1+deb9u1).
      libnss3-tools set to manually installed.
      0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
      2 not fully installed or removed.
      After this operation, 0 B of additional disk space will be used.
      Setting up awp (5.3.0.16.04.130) ...
      Adding smartcard support in Google Chrome ...
      Module "idemia-pkcs11" added to database.
      Setting up open-eid (18.12.0.1815-1604) ...
      Adding smartcard support in Google Chrome ...
      

      Read more here <https://github.com/open-eid/DigiDoc4-Client/issues/435> and here <https://github.com/open-eid/linux-installer/issues/37>.

Update 15.1.2019

  1. Bugreport

    After a recent system-upgrade qdigidoc4 does not start and emits the following error message:

    $ qdigidoc4
    Chache configuration serial: 82
    Bundled configuration serial: 79
    QObject: Cannot create children for a parent that is in a different thread.
    (Parent is QSigner(0x19b4360), parent's thread is QThread(0x183d400), current thread is QSigner(0x19b4360)
    qdigidoc4: symbol lookup error: /usr/lib/x86_64-linux-gnu/libdigidocpp.so.1: undefined symbol: _ZN11xalanc_1_1114XPathEvaluator10initializeERN11xercesc_3_113MemoryManagerE
    
  2. Cause

    The upgraded package libxml-security-c requires a specific version of libxalan-c111!

    The version 1.7.3-1RIA1 of libxml-security-c pulls libxalan-c111, but the latter mustn’t be too recent! On my Debian 9 system libxalan-c111 version 1.11-6 works well, but version 1.11-9~bpo9+1 does not.

  3. Solution

    Downgrade the package libxalan-c111:

    $ sudo apt-get install libxalan-c111=1.11-6
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libxalan-c111 set to manually installed.
    $ sudo apt-mark hold libxalan-c111
    
  4. Conclusion

    DigiDoc on Debian 9 still works as long as you somehow get the broken package awp installed (see above). You also have to take care to hold the package libxalan-c111 at version 1.11-6 and not upgrade it.

    Here is a list of packages with version numbers that I installed from the RIA repository https://installer.id.ee/media/ubuntu/:

    Package                 Installed version
    ----------------------  -------------------
    awp                     5.3.0.16.04.130
    chrome-token-signing    1:1.0.8.500-1604
    firefox-pkcs11-loader   3.13.0.1074-1604
    libdigidoc-common       3.10.1.1212-1510
    libdigidoc-tools        3.10.1.1212-1510
    libdigidoc2             3.10.1.1212-1510
    libdigidocpp-common     3.13.8.1379-1604
    libdigidocpp-tools      3.13.8.1379-1604
    libdigidocpp1           3.13.8.1379-1604
    libxml-security-c17v5   1.7.3-1RIA1
    open-eid                18.12.0.1815-1604
    opensc                  0.19.0-0RIA2
    opensc-pkcs11           0.19.0-0RIA2
    qdigidoc-tera           1.1.0.12-1604
    qdigidoc4               4.2.0.43-1604
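
A drift check for the versions named in this section, as an added example that is not part of the original note: it reads `package<TAB>version` lines as printed by `dpkg-query -W` and the held-package list printed by `apt-mark showhold`, then reports a pinned package that is missing, at a different version, or no longer on hold. The function name, the `hold|nohold` column and the report words are made up for this example; the pinned versions are the ones this note reports as working.

```shell
#!/bin/sh
# Added example (not from the original note): report drift from the versions
# this note found to work. Pins are taken from the note; names are constructed.

# "package  known-good-version  hold|nohold", one pin per line.
PINS='libxalan-c111 1.11-6 hold
libxml-security-c17v5 1.7.3-1RIA1 nohold'

# check_pins INSTALLED HELD
#   INSTALLED: "package<TAB>version" lines, as printed by `dpkg-query -W`
#   HELD:      package names, one per line, as printed by `apt-mark showhold`
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
check_pins() {
    installed=$1; held=$2; findings=0
    while read -r pkg want hold; do
        # Drop a multi-arch suffix such as ":amd64" from the name, then match.
        have=$(printf '%s\n' "$installed" | awk -F'\t' -v p="$pkg" \
            '{ sub(/:.*/, "", $1) } $1 == p { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $pkg expected=$want"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $pkg installed=$have expected=$want"; findings=$((findings + 1))
        fi
        if [ "$hold" = hold ] &&
           ! printf '%s\n' "$held" | sed 's/:.*//' | grep -qxF -- "$pkg"; then
            echo "UNHELD $pkg"; findings=$((findings + 1))
        fi
    done <<EOF
$PINS
EOF
    [ "$findings" -eq 0 ]
}

# Live use on a Debian system: sh check-pins.sh --live
if [ "${1:-}" = "--live" ]; then
    check_pins "$(dpkg-query -W)" "$(apt-mark showhold)"
fi
```

Run with `--live` after each `apt upgrade`; a `DRIFT` line for libxalan-c111 means the hold was bypassed and the package has moved off 1.11-6.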
    

5. Critics and outlook

From my point of view the DigiDoc Linux (hence FOSS) support has been neglected recklessly. There is only one distribution left with only 2 versions supported in total. A reasonable remedy to improve this situation at low cost could be the Flatpak technology. Today Flatpaks are well supported on every Linux system. In addition to the DigiDoc software itself, the question arises how to distribute the corresponding browser plugin. An appropriate way is to use the browser’s plugin repositories and infrastructure (a kind of app store for browsers). Is it practicable for the user to install DigiDoc as 2 separate parts coming through 2 different channels? Yes! The very successful Zotero software shows that this model works well and is widely accepted.

The organisation behind DigiDoc is RIA, the Information System Authority of Estonia, a governmental authority in the jurisdiction of the Ministry of Economic Affairs and Communications. Technically the problem is solved: Flatpak provides the technical platform for cross-Linux-distribution development and distribution of software. What is missing is RIA’s political will to invest in open source technologies and infrastructure. How to improve this situation? If you are an Estonian citizen, I suggest writing to RIA to manifest your interest in Linux support.