Electronic identification

From ArchWiki

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Some duplication with Smartcards (Discuss in Talk:Electronic identification)

An electronic identification ("eID") is an electronic identification solution of citizens or organizations, for example in view to access benefits or services provided by government authorities, banks or other companies. Apart from online authentication many eICs also give users the option to sign electronic documents with a digital signature.

Installation

Install the ccid package, all electronic identification requires this package. Then see #Hardware specific packages.

For pinentry support, install pinentry.

Hardware specific packages

ACS smart cards

Install the acsccid package.

For more information about ACS smart cards, see [1].

Cr-75 card reader

Install the libcr75-gitAUR package for the device with the 1307:0361 ID.

Belgium

To identify with an identification card reader, the following steps are required:

  • The app for authentication [2]

Import the (continuous build) keys from [3]. See makepkg#Signature checking.

Install the eid-mw package, then run:

$ about-eid-mw 

which should open a window. In the window, check that the "PCSC daemon status" is "running". If it is not the case, start pcscd.service. In the same window, copy the value for "PKCS#11 location". This value can alternatively be found by first finding the module (which might be beidpkcs11.so) by doing:

# p11tool --list-tokens

Then finding the full path with:

# find /usr/lib -name beidpkcs11.so
  • The driver of the card reader itself.

Look at the brand of the card reader; there is a high chance it is ACS (Advanced Card System Ltd). If it is ACS, go to https://belgeid.be/product/acr38 and download the Linux driver. Follow the described install driver process.

  • Know which internet browser you will be using

For Chrome, no plugin. For Chromium, you will need to install opensc and p11-kit as well. You may consider: https://devctl.blogspot.com/2014/01/making-belgian-eid-work-on-arch-linux.html

For Firefox, add the Firefox plugin to your browser. In recent versions, you will need to manually add the eID module to the Firefox security devices configuration. Your module path might be different than the one in the guide, use the value of "PKCS#11 location" found with the instructions at the authentication paragraph.

To test if the setup worked, try it out on the test page. You may find hints for troubleshooting in the official documentation but keep in mind that Arch Linux is not officially supported.

Also note that using Flatpak or Snap is not supported, as those do not allow PKCS#11 modules such as eID to be loaded.

Signing documents

Signing emails with Thunderbird and documents with LibreOffice is explained in a blog post by Luc Stroobant.

Depending on your system configuration it may be possible to run Adobe Reader DC under wine (see also the official FAQ on digital digital signatures). If using Adobe Reader is not possible, you can use Belgian Federal Public Services' "signing box". Using this service requires the installation of an extra eID middleware and extension by e-contract.be. Navigate to the signing box page, upload any pdf-file and attempt to add a digital signature to begin the installation process.

Alternatively, okular provides native digital signing of pdf's in Linux since version 21.04.

Brazil (ICP-Brasil)

SSL

Install ca-certificates-icp_brAUR as the Brazilian root CAs are not part of Mozilla's NSS due to a long standing issue.

The above package should be enough. If you have any issue, check [ITI's installation instructions https://www.gov.br/iti/pt-br/assuntos/navegadores] for Chromium, Firefox and other popular web browsers, and for Java.

Smart Cards (A3 certificates)

1. Install safesignidentityclientAUR and opensc.

2. Start/enable pcscd.service

Note: Having the "CAC Module" (/usr/lib/opensc-pkcs11.so) enabled can cause problems both in Firefox and Chrome

Firefox

Navigate to Edit -> Preference -> Advanced -> Certificates -> Security Devices and click "Load" to load a module using /usr/lib/libaetpkss.so and name it ICP-Brasil A3 - Safe Sign Identity Client.

Note: Firefox may report the module did not load correctly however you will have to check in the security devices to confirm whether the module properly loaded or not

Test it by going to Receita Federal's e-CAC.

Chrome

Ensure Chrome is closed and run:

 modutil -dbdir sql:$HOME/.pki/nssdb/ -add "ICP-Brasil A3 - Safe Sign Identity Client" -libfile /usr/lib/libaetpkss.so

Croatia

1. Start/enable pcscd.service

2. Install eidmiddlewareAUR[broken link: package not found]. Alternatively, unpack the .deb with ar x filename.deb and then extract the file tree from the data.tar.xz to an arbitrary location, after which the client can be run directly.

3. Launch Eid client (/usr/lib/akd/eidmiddleware/Client). It is used for activating the card or changing the PINs or the PUK.

Firefox

Navigate to Edit > Preference > Advanced > Certificates > Security Devices and click Load to load a module using /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so. You can assign any name to it, i.e. Cro PKCS#11 Module.

Estonia

See https://www.id.ee/en/.

Tip:
  • Automated installation script in Estonian community wiki: EST | ENG. Although initially created for Manjaro Linux, it is also suitable for Arch Linux and other related distributions that use pacman.
  • The packages are available in an unofficial user repository.

DigiDoc

Once ccid and opensc is installed and pcscd.socket is started, install qdigidoc4AUR. One of the dependency xml-security-cAUR is verified with a signature that you have to import to your GnuPG keyring. If you have an ACS card reader, acsccid is required.

DigiDoc4 has an optional GNOME/Files right click menu integration that requires python-nautilus to be installed.

Note: chrome-token-signingAUR contains the "Token signing" extension that allows digital signatures on the web for both Google Chrome/Chromium and Firefox.

Chromium

After installing chrome-token-signingAUR, enable the PIN 1 authentication in Google Chrome and Chromium by running the following command (taken from the open-eid repo).

 modutil -dbdir sql:$HOME/.pki/nssdb -add opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY

Firefox

To enable PIN 1 authentication in Firefox you should install esteidpkcs11loaderAUR and chrome-token-signingAUR. After restarting the browser make sure that "Firefox PKCS11 loader" extension is enabled. You can also follow manual instructions at Smartcards#Mozilla Firefox.

Finland

Official instructions: https://dvv.fi/kansalaisvarmenne-kortinlukijaohjelmisto.

mPollux Digisign Client

First install the prequisites as described in #Installation. Then install vrk-mpollux-digisign-clientAUR. Launch the client, connect your reader and put in your card. Click the icon in your status bar once it turns yellow. This should trigger the card activation process if you have not activated it before.

Firefox

Navigate to Security Devices page (Search it via Preferences), then click Load and set Module Name to DigiSign PKCS#11-moduuli and module filename to /usr/lib/libcryptoki.so. Finally restrart Firefox. The card can be tested at: https://dvv.fi/testaa-varmenteen-kayttoa.

Germany

ReinerSCT devices

For some devices, you need to install pcsc-cyberjackAUR and copy the default configuration file /etc/pcsc-cyberjack/cyberjack.conf.default to the same folder, without the .default suffix. Restart pcsc.service and applications like ausweisapp2AUR should recognize the scanner. The ReinerSCT RFID will blink its LED, which it does not when the driver is not installed correctly.

Spain

DNI electrónico (DNIe)

Install ca-certificates-dnieAUR. To sign documents using your identity card, install autofirmaAUR.

Sweden

BankID is the leading electronic identification in Sweden.