Electronic identification

From ArchWiki
Jump to navigation Jump to search

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: Some duplication with Smartcards (Discuss in Talk:Electronic identification#)

An electronic identification ("eID") is an electronic identification solution of citizens or organizations, for example in view to access benefits or services provided by government authorities, banks or other companies. Apart from online authentication many eICs also give users the option to sign electronic documents with a digital signature.


a All types of electronic identification require installing the ccid package. After installation, enable, and start pcscd.socket. In addition, ACS smart cards also require the acsccid package.

pcsc-tools contains pcsc_scan program that can be used to check smart card detection Smartcards#Scan for card reader.



Install the eid-mwAUR package. Before installation, import the (continuous build) keys from [1]. See makepkg#Signature checking.

There is no plugin for Chrome, but there is one for Firefox. Add the Firefox plugin to your browser. In recent versions, you'll need to manually add the eID module to the Firefox security devices configuration. Your module path might be different than the one in the guide. List the different devices by doing:

# p11tool --list-tokens

Here you'll see the module, which might be beidpkcs11.so. Now to find the full path you do:

# find /usr/lib -name beidpkcs11.so

You should now be able to use your eID reader in Firefox. Try it out using the test page.

You may find hints for troubleshooting in the official documentation but keep in mind that Arch Linux is not officially supported.

If you want to use Chromium you will need to install opensc and p11-kit aswell.

Brazil (ICP-Brasil)


Install ca-certificates-icp_brAUR as the Brazilian root CAs are not part of Mozilla's NSS due to a long standing issue.

Smart Cards (A3 certificates)

1. Install safesignidentityclientAUR and opensc.

2. Start and enable pcscd.

 systemctl enable pcscd.service
 systemctl start pcscd.service
Note: Having the "CAC Module" (/usr/lib/opensc-pkcs11.so) enabled can cause problems both in Firefox and Chrome


Navigate to Edit -> Preference -> Advanced -> Certificates -> Security Devices and click "Load" to load a module using /usr/lib/libaetpkss.so and name it ICP-Brasil A3 - Safe Sign Identity Client.

Note: Firefox may report the module did not load correctly however you will have to check in the security devices to confirm whether the module properly loaded or not

Test it by going to Receita Federal's e-CAC.


Ensure Chrome is closed and run:

 modutil -dbdir sql:$HOME/.pki/nssdb/ -add "ICP-Brasil A3 - Safe Sign Identity Client" -libfile /usr/lib/libaetpkss.so


See https://www.id.ee/?lang=en


Once ccid is installed and pcscd.socket is started, install qdigidoc4AUR. One of the dependency xml-security-cAUR is verified with a signature that you have to import to your GnuPG keyring. If you have an ACS card reader, acsccid is required.

DigiDoc4 has an optional GNOME/Files right click menu integration. Currently this is broken due to missing Python 3 support

Note: chrome-token-signingAUR contains the "Token signing" extension that allows digital signatures on the web for both Google Chrome/Chromium and Firefox.


After installing chrome-token-signingAUR, enable the PIN 1 authentication in Google Chrome and Chromium by running the following command (taken from the open-eid repo).

 modutil -dbdir sql:$HOME/.pki/nssdb -add opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY


To enable PIN 1 authentication in Firefox you should install esteidpkcs11loaderAUR and chrome-token-signingAUR. After restarting the browser make sure that "Firefox PKCS11 loader" extension is enabled. You can also follow manual instructions at Smartcards#Mozilla Firefox.


ReinerSCT devices

Install pcsc-cyberjackAUR and copy the default configuration file /etc/pcsc-cyberjack/cyberjack.conf.default to the same folder, without default. Restart pcsc.service and apps like ausweisapp2AUR should recognize the scanner. The ReinerSCT RFID will blink its LED, which it does not when the driver is not installed correctly.


DNI electrónico (DNIe)

Install ca-certificates-dnieAUR. To sign documents using your identity card, install autofirmaAUR.


BankID is the leading electronic identification in Sweden.