This note shows how to install the Estonian Electronic Identity Software on Debian 9.
Important
Update 20180621: RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script with xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.
1. ID-software – what’s this?
ID-software allows you to use your ID-card electronically – use private and governmental e-services, digitally sign documents and encrypt documents for safe transfer.
During the ID-software installation three programs are installed on your computer: ID-card utility, DigiDoc3 client and DigiDoc3 crypto.
With the ID-card utility you can check that your ID-card works and that its certificates are valid, and change the PIN and PUK codes. The ID-card utility window displays the ID-card owner’s data and the card’s validity data; this information is visible the whole time the utility is running. The ID-card utility also lets you perform actions on certificates (extend them, change and unblock PIN codes and the PUK code) and configure your @eesti.ee email address.
2. Installation
Tip
The installer script will automatically install a plugin for Firefox-ESR. The plugin works out of the box with Firefox 57 Quantum.
Download the installer script.
Edit the script. Replace:

```sh
case $codename in
    wheezy) add_repository trusty ;;
    *) make_fail "Debian $codename is not officially supported" ;;
```

With:

```sh
case $codename in
    wheezy) add_repository trusty ;;
    stretch) add_repository xenial ;;
    *) make_fail "Debian $codename is not officially supported" ;;
```
Download libssl1.0.0 for your architecture (scroll down) and install it:

```sh
sudo dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
```

(Your exact package name might be different.)
Run the modified installation script [2]:

```sh
chmod 755 install-open-eid.sh
./install-open-eid.sh
```

[2] The script creates the file /etc/apt/sources.list.d/ria-repository.list with the following content:

```
deb https://installer.id.ee/media/ubuntu/ xenial main
```

Then it imports the repository key and runs apt-get update and apt-get install open-eid.
Note
The source code of the Estonian ID software is hosted on Github.
3. Check the installation
Among other things the installer script installs the meta package open-eid, which installs chrome-token-signing, firefox-pkcs11-loader, libdigidoc-tools, libdigidocpp-tools, libnss3-tools, qdigidoc-tera and qdigidoc4. These packages in turn depend on other packages and pull them in.
To check that the Digidoc Open-EID extensions are properly installed in Firefox Quantum, open in the main menu: Tools->Add-ons->Extensions. Here you should see two extensions loaded:
- Firefox PKCS11 loader (Configures Firefox to use PKCS11 for authentication)
- Token signing (Use your eID smart card on the web)
4. Troubleshooting
Update 2018-06-21: RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script with xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.
Update 2018-12-12:
Bugreport
During the last update of the package AWP to version 5.3.0.16.04.130 on my Debian 9 machine, I experienced the following problem:

```
# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up awp (5.3.0.16.04.130) ...
Adding smartcard support in Google Chrome ...
dpkg: error processing package awp (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of open-eid:
 open-eid depends on awp; however:
  Package awp is not configured yet.
dpkg: error processing package open-eid (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 awp
 open-eid
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
Here is my workaround.

Disable the postinst execution:

```sh
echo '#!/bin/sh' | sudo tee /var/lib/dpkg/info/awp.postinst
```

Extract the binaries:

```sh
sudo apt install awp
```

Extract the file postinst from the Debian package awp_5.3.0.16.04.130_amd64.deb, which you will find in /var/cache/apt/archives:

```sh
cd /var/cache/apt/archives
cp awp_5.3.0.16.04.130_amd64.deb /tmp
cd /tmp
ar x awp_5.3.0.16.04.130_amd64.deb
tar -xzf control.tar.gz
```

If the above seems too complicated, here is the content of postinst. Create a file named postinst and copy the content there:

```sh
#!/bin/bash
NSSDB=$HOME/.pki/nssdb
MODUTIL="/usr/bin/modutil -force -dbdir sql:$NSSDB"
CERTUTIL="/usr/bin/certutil -d sql:$NSSDB"
LIBFILE=/usr/local/AWP/lib/libOcsPKCS11Wrapper.so
if [ -n "`which apt-get`" ]; then
    sudo apt-get -y install libnss3-tools 2>/dev/null
fi
if [ -n "`which yum`" ]; then
    sudo yum install libnss3-tools 2>/dev/null
fi
echo "Adding smartcard support in Google Chrome ..."
if [ ! -f $NSSDB/cert9.db ]; then
    echo "Initializing new database"
    sudo -i -u $SUDO_USER mkdir -p $HOME/.pki
    sudo -i -u $SUDO_USER mkdir -p $NSSDB
    sudo -i -u $SUDO_USER $CERTUTIL -N --empty-password
fi
if [ -f $LIBFILE ]; then
    sudo -i -u $SUDO_USER $MODUTIL -delete idemia-pkcs11 2>/dev/null
    sudo -i -u $SUDO_USER $MODUTIL -add idemia-pkcs11 -libfile $LIBFILE -mechanisms FRIENDLY 2>/dev/null
    exit
fi
```

and execute it manually as a normal user (not as root):

```
./postinst
Reading package lists... Done
Building dependency tree
Reading state information... Done
libnss3-tools is already the newest version (2:3.26.2-1.1+deb9u1).
libnss3-tools set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up awp (5.3.0.16.04.130) ...
Adding smartcard support in Google Chrome ...
Module "idemia-pkcs11" added to database.
Setting up open-eid (18.12.0.1815-1604) ...
Adding smartcard support in Google Chrome ...
```
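Before neutering a vendor's maintainer script and running it by hand, it pays to read what it does: a postinst runs as root under dpkg, and this one also reaches into a user's home directory and calls sudo. The ar x / tar -xzf steps above do the extraction manually. As an added example (not from this page or from the Open-EID project), here is a small Python inspector that parses the .deb ar container, pulls the maintainer scripts out of control.tar.*, and lists the lines that invoke sudo or touch $HOME or $SUDO_USER. The package it builds in memory is constructed here and is not the real awp package; all function names are mine.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Constructed sample, modelled on the shape of a vendor postinst; not the real awp script.
SAMPLE_POSTINST = """#!/bin/bash
# constructed sample postinst for the example
NSSDB=$HOME/.pki/nssdb
if [ -n "`which apt-get`" ]; then
    sudo apt-get -y install libnss3-tools 2>/dev/null
fi
echo "Adding smartcard support in Google Chrome ..."
"""


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive, the container format of a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)     # member data is padded to an even offset


def maintainer_scripts(deb_blob):
    """Return {name: text} for the maintainer scripts found in control.tar.* of a .deb."""
    scripts = {}
    for name, data in ar_members(deb_blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tar.extractfile(member).read().decode("utf-8")
    return scripts


def lines_to_review(script_text):
    """Lines of a maintainer script that escalate privilege or reach into a user's home."""
    return [ln.strip() for ln in script_text.splitlines()
            if "sudo " in ln or "$HOME" in ln or "$SUDO_USER" in ln]


def _tar_gz(files):
    """Build an in-memory gzip'ed tar from {name: (text, mode)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, (text, mode) in files.items():
            payload = text.encode("utf-8")
            info = tarfile.TarInfo(name="./" + fname)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _ar_header(name, size):
    """60-byte ar member header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)."""
    return ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", size)).encode("ascii")


def build_sample_deb(postinst_text):
    """Construct a minimal .deb in memory (sample data only, not the real awp package)."""
    control = _tar_gz({"control": ("Package: sample-awp\nVersion: 0.0-constructed\n", 0o644),
                       "postinst": (postinst_text, 0o755)})
    out = bytearray(AR_MAGIC)
    for name, data in (("debian-binary", b"2.0\n"), ("control.tar.gz", control),
                       ("data.tar.gz", _tar_gz({}))):
        out += _ar_header(name, len(data)) + data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


if __name__ == "__main__":
    deb = build_sample_deb(SAMPLE_POSTINST)
    for name, text in maintainer_scripts(deb).items():
        print("== %s ==" % name)
        for ln in lines_to_review(text):
            print("  review:", ln)
```

To use it on a real package, read the .deb from /var/cache/apt/archives into bytes and pass it to maintainer_scripts(); the review list is a starting point for reading the script, not a verdict on it.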
Read more in DigiDoc4-Client issue 435 and open-eid linux installer issue 37.
Update 15.1.2019
Bugreport
After a recent system upgrade qdigidoc4 does not start and emits the following error message:

```
$ qdigidoc4
Chache configuration serial: 82
Bundled configuration serial: 79
QObject: Cannot create children for a parent that is in a different thread.
(Parent is QSigner(0x19b4360), parent's thread is QThread(0x183d400), current thread is QSigner(0x19b4360)
qdigidoc4: symbol lookup error: /usr/lib/x86_64-linux-gnu/libdigidocpp.so.1: undefined symbol: _ZN11xalanc_1_1114XPathEvaluator10initializeERN11xercesc_3_113MemoryManagerE
```
Cause
The upgraded package libxml-security-c requires a specific version of libxalan-c111! Version 1.7.3-1RIA1 of libxml-security-c pulls in libxalan-c111, but the latter mustn’t be too recent! On my Debian 9 system libxalan-c111 version 1.11-6 works well, but version 1.11-9~bpo9+1 does not.
Solution
Downgrade the package libxalan-c111 and hold it at that version:

```
$ sudo apt-get install libxalan-c111=1.11-6
Reading package lists... Done
Building dependency tree
Reading state information... Done
libxalan-c111 set to manually installed.
$ sudo apt-mark hold libxalan-c111
```
Conclusion
Digidoc on Debian 9 still works as long as you somehow get the broken package awp installed (see above). You also have to take care to hold the package libxalan-c111 at version 1.11-6 and not upgrade it.

Here is a list of packages with version numbers I installed from the RIA repository https://installer.id.ee/media/ubuntu/:

Package                  Installed version
-----------------------  -------------------
awp                      5.3.0.16.04.130
chrome-token-signing     1:1.0.8.500-1604
firefox-pkcs11-loader    3.13.0.1074-1604
libdigidoc-common        3.10.1.1212-1510
libdigidoc-tools         3.10.1.1212-1510
libdigidoc2              3.10.1.1212-1510
libdigidocpp-common      3.13.8.1379-1604
libdigidocpp-tools       3.13.8.1379-1604
libdigidocpp1            3.13.8.1379-1604
libxml-security-c17v5    1.7.3-1RIA1
open-eid                 18.12.0.1815-1604
opensc                   0.19.0-0RIA2
opensc-pkcs11            0.19.0-0RIA2
qdigidoc-tera            1.1.0.12-1604
qdigidoc4                4.2.0.43-1604
5. Critics and outlook
From my point of view the DigiDoc Linux (hence FOSS) support has been neglected recklessly. There is only one distribution left, with only 2 versions supported in total. But the common argument that support for more Linux distributions is too expensive is not valid any more: a reasonable remedy to improve this situation at low cost is the Flatpak technology. Today Flatpaks are well supported on every Linux system [1].
[1] I suggest Flatpak in favour of its competitor Snapcraft because Flatpak is well supported on all Linux systems and has built-in application sandboxing: all applications are limited to a set of predefined permissions, enhancing privacy and security. Setting up a Flatpak repository is child’s play. Flatpak is developed by an independent community, with no lock-in to a single vendor. Snapcraft (Snappy) is developed by Ubuntu and not well supported on Linux distributions other than Ubuntu. Thus, distributing DigiDoc as Snapcraft packages would have very little advantage compared to the current situation.
In addition to the DigiDoc desktop application, the question arises how to distribute the corresponding browser plugin.
Here is a statement by RIA:
Currently the Information Authority does not have plans to address this issue due to the nature of the Open-EID software architecture. Releasing the Digidoc client is possible through other mediums such as AppImage, Snapcraft or in your case Flatpak, but the necessary plugins for browsers cannot be transferred through those services. […]
Although the Digidoc client is functional without browser plugins installed, they are significant components that shouldn’t be separated.
—Markus Kullerkup, 5 Sep 2018, Flatpak support, Issue #318, open-eid/DigiDoc4-Client
I disagree with this statement: internet browsers have always had their own infrastructure to distribute and install plugins. It is common that a desktop application needs an additional plugin that has to be installed from the browser’s plugin repository (a kind of app store for browsers): for example, the very popular and widespread Zotero software shows that this model works well and is widely accepted. As a result, distributing the DigiDoc desktop application as a Flatpak package and the browser plugin through the browser’s plugin store would not pose a problem. This is especially true for Linux users, who are in general more technically adept than the average Windows user.
For Estonians the DigiDoc software is crucial because it is indispensable for legal digital signatures. As of 22.04.2019, according to RIA, the only open source desktop operating systems with DigiDoc support are Ubuntu 16.04 (LTS), 18.04 (LTS) (64bit) and 18.10. All other Linux distributions are ruled out, which discriminates against open source technologies in favour of Microsoft.
What to do? Digidoc is developed by RIA, the Information System Authority of Estonia, a governmental authority in the jurisdiction of the Ministry of Economic Affairs and Communications. Technically the problem is easy to remediate: Flatpak provides the technical platform for cross-distribution development and distribution of Linux software. What is missing is RIA’s political will to invest in open source technologies and infrastructure. How to improve this situation? As RIA is a public actor, I suggest writing to RIA to manifest your interest in Linux support.