This note shows how to install the Estonian Electronic Identity Software on Debian 9.

Important

Update 20180621: RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script with xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.

1. ID-software – what’s this?

ID-software allows you to use your ID-card electronically – use private and governmental e-services, digitally sign documents and encrypt documents for safe transfer.

During ID-software installation 3 programs are installed on your computer: ID-card utility, DigiDoc3 client and DigiDoc3 crypto.

With ID-card utility you can check the functioning of your ID-card and certificate validity, and change PIN and PUK codes. The ID-card utility window displays the ID-card owner’s data and ID-card validity data. This information is constantly visible when ID-card utility is running. ID-card utility enables you to perform actions with certificates (extend them, change and unblock PIN codes and PUK code) and configure the @eesti.ee email address.

2. Installation

Tip

The installer script will automatically install a plugin for Firefox-ESR. The plugin works out of the box with Firefox 57 Quantum.

  1. Download the installer script.

  2. Edit the script

    Replace:

    case $codename in
      wheezy)
        add_repository trusty
        ;;
      *)
        make_fail "Debian $codename is not officially supported"
        ;;
    

    With:

    case $codename in
      wheezy)
        add_repository trusty
        ;;
      stretch)
        add_repository xenial
        ;;
      *)
        make_fail "Debian $codename is not officially supported"
        ;;
    
  3. Download libssl1.0.0 for your architecture (scroll down)

  4. Install libssl1.0.0:

    sudo dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
    

    (your exact package name might be different).

  5. Run the modified installation script [1]

    chmod 755 install-open-eid.sh
    ./install-open-eid.sh
    
[1]

The script creates the file /etc/apt/sources.list.d/ria-repository.list with the following content:

deb https://installer.id.ee/media/ubuntu/ xenial main

Then it imports the repository key and runs apt-get update and apt-get install open-eid.
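The edit from step 2 can also be applied non-interactively, which makes it repeatable and lets you syntax-check the result before running the installer. This is an added example, not part of the original note or of RIA's installer; the helper name add_stretch_branch is hypothetical, and it assumes the downloaded script has the case layout shown in step 2.

```shell
#!/bin/sh
# Added example (not from the original note or from RIA's installer).
# Assumption: the downloaded script contains the case layout shown in step 2,
# i.e. a "wheezy)" branch followed by the "*)" fallback.

# add_stretch_branch FILE  (hypothetical helper name)
# Inserts a "stretch) add_repository xenial ;;" branch before the fallback.
# Idempotent; keeps FILE.orig; refuses to write a result that fails a parse check.
add_stretch_branch() {
    script=$1
    # Already patched: nothing to do.
    if grep -Eq '^[[:space:]]*stretch\)' "$script"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*wheezy\)/ { in_debian = 1 }
        in_debian && /^[ \t]*\*\)/ {
            indent = $0
            sub(/\*\).*/, "", indent)        # keep only the leading whitespace
            print indent "stretch)"
            print indent "  add_repository xenial"
            print indent "  ;;"
            in_debian = 0
            patched = 1
        }
        { print }
        END { exit !patched }                # non-zero if no insertion point found
    ' "$script" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Parse-only check so a broken edit never replaces the original.
    checker=$(command -v bash || command -v sh)
    if ! "$checker" -n "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$script" "$script.orig" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$script"                   # overwrite in place, keeping the file mode
    rm -f "$tmp"
}

# Usage: sh patch-installer.sh install-open-eid.sh
if [ "$#" -gt 0 ]; then
    add_stretch_branch "$1"
fi
```

Comparing the result with the backup (`diff install-open-eid.sh.orig install-open-eid.sh`) shows exactly what changed before the script is run.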

Note

The source code of the Estonian ID software is hosted on GitHub.

3. Check the installation

Among other things the installer script installs a meta package open-eid which installs chrome-token-signing, firefox-pkcs11-loader, libdigidoc-tools, libdigidocpp-tools, libnss3-tools, qdigidoc-tera and qdigidoc4. These packages also depend on other packages and install them.

To check if the Digidoc Open-EID extensions are properly installed in Firefox Quantum, open in the main menu: Tools->Add-ons->extensions.

Here you should see two extensions loaded:

  • Firefox PKCS11 loader (Configures Firefox to use PKCS11 for authentication)
  • Token signing (Use your eID smart card on the web)

4. Troubleshooting

Update 2018-06-21:

RIA does not maintain the zesty binaries any more. Therefore I replaced the link in the script with xenial instead. Although there are no dependency clashes on my system, I do not have the time to test a fresh install now. Feedback is appreciated.

Update 2018-12-12:

  1. Bugreport

    During the last update of the package AWP to version 5.3.0.16.04.130 on my Debian 9 machine, I experienced the following problem:

    # apt upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    2 not fully installed or removed.
    After this operation, 0 B of additional disk space will be used.
    Do you want to continue? [Y/n]
    Setting up awp (5.3.0.16.04.130) ...
    Adding smartcard support in Google Chrome ...
    dpkg: error processing package awp (--configure):
     subprocess installed post-installation script returned error exit status 1
    dpkg: dependency problems prevent configuration of open-eid:
     open-eid depends on awp; however:
      Package awp is not configured yet.
    
    dpkg: error processing package open-eid (--configure):
     dependency problems - leaving unconfigured
    Errors were encountered while processing:
     awp
     open-eid
    E: Sub-process /usr/bin/dpkg returned an error code (1)
    
  2. Here is my workaround

    1. Disable the postinst execution:

      echo '#!/bin/sh' | sudo tee /var/lib/dpkg/info/awp.postinst
      
    2. Extract the binaries:

      sudo apt install awp
      
    3. Extract the file postinst from the Debian package awp_5.3.0.16.04.130_amd64.deb, which you will find in /var/cache/apt/archives:

      cd /var/cache/apt/archives
      cp awp_5.3.0.16.04.130_amd64.deb /tmp
      cd /tmp
      ar x awp_5.3.0.16.04.130_amd64.deb
      tar -xzf control.tar.gz
      

      If the above seems too complicated, here is the content of postinst. Create a file named postinst and copy the content there.

      #!/bin/bash
      
      NSSDB=$HOME/.pki/nssdb
      MODUTIL="/usr/bin/modutil -force -dbdir sql:$NSSDB"
      CERTUTIL="/usr/bin/certutil -d sql:$NSSDB"
      LIBFILE=/usr/local/AWP/lib/libOcsPKCS11Wrapper.so
      
      if [ -n "`which apt-get`" ];
      then
          sudo apt-get -y install libnss3-tools 2>/dev/null
      fi
      if [ -n "`which yum`" ];
      then
          sudo yum install libnss3-tools 2>/dev/null
      fi
      
      echo "Adding smartcard support in Google Chrome ..."
      
      if [ ! -f $NSSDB/cert9.db ]; then
          echo "Initializing new database"
          sudo -i -u $SUDO_USER mkdir -p $HOME/.pki
          sudo -i -u $SUDO_USER mkdir -p $NSSDB
          sudo -i -u $SUDO_USER $CERTUTIL -N --empty-password
      fi
      
      if [ -f $LIBFILE ]; then
          sudo -i -u $SUDO_USER $MODUTIL -delete idemia-pkcs11 2>/dev/null
          sudo -i -u $SUDO_USER $MODUTIL -add idemia-pkcs11 -libfile $LIBFILE -mechanisms FRIENDLY 2>/dev/null
          exit
      fi
      
    4. Execute it manually as a normal user (not as root):

      $ ./postinst
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      libnss3-tools is already the newest version (2:3.26.2-1.1+deb9u1).
      libnss3-tools set to manually installed.
      0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
      2 not fully installed or removed.
      After this operation, 0 B of additional disk space will be used.
      Setting up awp (5.3.0.16.04.130) ...
      Adding smartcard support in Google Chrome ...
      Module "idemia-pkcs11" added to database.
      Setting up open-eid (18.12.0.1815-1604) ...
      Adding smartcard support in Google Chrome ...
      

      Read more here <https://github.com/open-eid/DigiDoc4-Client/issues/435> and here <https://github.com/open-eid/linux-installer/issues/37>.

Update 15.1.2019

  1. Bugreport

    After a recent system upgrade, qdigidoc4 does not start and emits the following error message:

    $ qdigidoc4
    Chache configuration serial: 82
    Bundled configuration serial: 79
    QObject: Cannot create children for a parent that is in a different thread.
    (Parent is QSigner(0x19b4360), parent's thread is QThread(0x183d400), current thread is QSigner(0x19b4360)
    qdigidoc4: symbol lookup error: /usr/lib/x86_64-linux-gnu/libdigidocpp.so.1: undefined symbol: _ZN11xalanc_1_1114XPathEvaluator10initializeERN11xercesc_3_113MemoryManagerE
    
  2. Cause

    The upgraded package libxml-security-c requires a specific version of libxalan-c111!

    Version 1.7.3-1RIA1 of libxml-security-c pulls in libxalan-c111, but the latter must not be too recent! On my Debian 9 system libxalan-c111 version 1.11-6 works well, but version 1.11-9~bpo9+1 does not.

  3. Solution

    Downgrade the package libxalan-c111:

    $ sudo apt-get install libxalan-c111=1.11-6
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libxalan-c111 set to manually installed.
    $ sudo apt-mark hold libxalan-c111
    
  4. Conclusion

    Digidoc on Debian 9 still works as long as you somehow get the broken package awp installed (see above). You also have to take care that you hold the package libxalan-c111 at version 1.11-6 and do not upgrade it.

    Here is a list of packages with version numbers I installed from the RIA repository https://installer.id.ee/media/ubuntu/:

    Package                 Installed version
    ----------------------  -------------------
    awp                     5.3.0.16.04.130
    chrome-token-signing    1:1.0.8.500-1604
    firefox-pkcs11-loader   3.13.0.1074-1604
    libdigidoc-common       3.10.1.1212-1510
    libdigidoc-tools        3.10.1.1212-1510
    libdigidoc2             3.10.1.1212-1510
    libdigidocpp-common     3.13.8.1379-1604
    libdigidocpp-tools      3.13.8.1379-1604
    libdigidocpp1           3.13.8.1379-1604
    libxml-security-c17v5   1.7.3-1RIA1
    open-eid                18.12.0.1815-1604
    opensc                  0.19.0-0RIA2
    opensc-pkcs11           0.19.0-0RIA2
    qdigidoc-tera           1.1.0.12-1604
    qdigidoc4               4.2.0.43-1604
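
The Conclusion depends on libxalan-c111 staying at 1.11-6 and on hold, a state that a later upgrade or an accidental unhold can undo without notice. The check below is an added example, not part of the original note; the function name xalan_state and the `--live` switch are hypothetical, and the function takes the tool output as text so it can also be run on saved listings.

```shell
#!/bin/sh
# Added example (not from the original note).
# Verifies the state the Conclusion asks for: libxalan-c111 installed at
# version 1.11-6 and marked "hold".
WANT_PKG=libxalan-c111
WANT_VER=1.11-6

# xalan_state VERSIONS HOLDS   (hypothetical helper name)
#   VERSIONS: lines "package version", as printed by
#             dpkg-query -W -f='${Package} ${Version}\n'
#   HOLDS:    package names, one per line, as printed by apt-mark showhold
# Prints one of: ok | wrong-version:<ver> | not-held | not-installed
xalan_state() {
    # Names may carry an architecture suffix such as ":amd64"; strip it.
    ver=$(printf '%s\n' "$1" | awk -v p="$WANT_PKG" '
        { n = $1; sub(/:.*/, "", n) }
        n == p { print $2; exit }
    ')
    if [ -z "$ver" ]; then
        echo not-installed
        return 1
    fi
    if [ "$ver" != "$WANT_VER" ]; then
        echo "wrong-version:$ver"
        return 1
    fi
    if ! printf '%s\n' "$2" | sed 's/:.*//' | grep -qxF "$WANT_PKG"; then
        echo not-held
        return 1
    fi
    echo ok
}

# Usage on the machine itself: sh check-xalan.sh --live
if [ "${1:-}" = "--live" ]; then
    xalan_state "$(dpkg-query -W -f='${Package} ${Version}\n')" \
                "$(apt-mark showhold)"
fi
```

A held package also stops receiving security updates, so rerun the check after each upgrade and release the hold with `apt-mark unhold libxalan-c111` once qdigidoc4 works with the newer version.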