Difference between revisions of "Electronic identification"

From ArchWiki
(→‎DigiDoc: Add info about verifying xml-security-c package with gnupg)
(→‎Firefox: remove old firefox packages)
 
(15 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 +
 
[[Category:Other hardware]]
 
[[Category:Other hardware]]
 
{{Related articles start}}
 
{{Related articles start}}
Line 8: Line 9:
  
 
== Installation ==
 
== Installation ==
 +
a
 +
All types of electronic identification '''require''' installing the {{Pkg|ccid}} package. After installation, [[enable]], and [[start]] {{ic|pcscd.socket}}.
 +
In addition, [https://www.acs.com.hk/en/product-lines/2/pc-linked-smart-card-readers/ ACS] smart cards also require the {{Pkg|acsccid}} package.
 +
 +
{{Pkg|pcsc-tools}} contains {{ic|pcsc_scan}} program that can be used to check smart card detection [[Smartcards#Scan for card reader]].
  
[[Install]] the {{Pkg|ccid}} package. [https://www.acs.com.hk/en/product-lines/2/pc-linked-smart-card-readers/ ACS] smart card also require the {{Pkg|acsccid}} package. After installation, [[enable]] {{ic|pcscd.socket}}.
+
== Setup per country ==
  
 
=== Belgium ===
 
=== Belgium ===
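Review bot: The added Installation text begins with a stray line containing only "a" ahead of "All types of electronic identification", so the rendered paragraph starts with a leading "a"; that line should be dropped. In the same hunk, the {{Pkg|pcsc-tools}} sentence ends with a bare [[Smartcards#Scan for card reader]] link with no connecting words ("see [[Smartcards#Scan for card reader]]" would read better), and the comma in "[[enable]], and [[start]]" is not needed.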
Line 29: Line 35:
 
=== Estonia ===
 
=== Estonia ===
  
https://www.id.ee/?lang=en
+
See https://www.id.ee/?lang=en
  
 
==== DigiDoc ====
 
==== DigiDoc ====
  
Install {{AUR|chrome-token-signing}} and {{AUR|qdigidoc4}} packages, with dependencies on {{AUR|libdigidocpp}} and {{AUR|xml-security-c}}. <tt>xml-security-c</tt> is [[Makepkg#Signature_checking|verified with a signature]] that you have to import to your GnuPG keyring.
+
Once {{Pkg|ccid}} is installed and {{ic|pcscd.socket}} is [[start|started]], install {{AUR|qdigidoc4}}. One of the dependency {{AUR|xml-security-c}} is [[Makepkg#Signature_checking|verified with a signature]] that you have to import to your GnuPG keyring.
 +
If you have an ACS card reader, {{Pkg|acsccid}} is required.
  
DigiDoc4 contains merged features of older DigiDoc3 and ID-Card Utility. It can be started from your graphical desktop menu by searching for DigiDoc4 Client or from commandline with <tt>qdigidoc4</tt>.
+
DigiDoc4 has an optional [[GNOME/Files]] right click menu integration. Install {{AUR|python2-nautilus}}{{Broken package link|package not found}} and restart Gnome Files using the command {{ic|pkill nautilus}}.
  
Once DigiDoc is installed, it is necessary to enable and start <tt>pcscd</tt> service. [[Systemd#Basic_systemctl_usage]] shows how.
+
{{Note| {{AUR|chrome-token-signing}} contains the "Token signing" extension that allows digital signatures on the web for both Google Chrome/Chromium and Firefox.}}
  
DigiDoc4 has [[GNOME/Files]] right click menu integration. Install {{AUR|python2-nautilus}} and restart Gnome Files using command <tt>pkill nautilus</tt>.
+
==== Chromium ====
  
In case of bugs in DigiDoc4 you can install the older DigiDoc3 and ID-Card Utility programs using AUR packages {{AUR|qdigidoc}} and {{AUR|qesteidutil}}.
+
After installing {{AUR|chrome-token-signing}}, enable the PIN 1 authentication in [[Google Chrome]] and [[Chromium]] by running the following command (taken from the [https://github.com/open-eid/linux-installer/blob/master/esteid-update-nssdb open-eid repo]).
  
{{AUR|chrome-token-signing}} contains [https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Native_messaging Native Messaging] host for Google Chrome/Chromium and Firefox and it is the modern way of doing digital signatures on the web. This package also contains "Token signing" extension counterpart for both browsers.
+
  modutil -dbdir sql:$HOME/.pki/nssdb -add opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY
  
==== Chromium ====
+
==== Firefox ====
 +
 
 +
To enable PIN 1 authentication in [[Firefox]] you should install {{AUR|esteidpkcs11loader}} and {{AUR|chrome-token-signing}}. After restarting the browser make sure that "Firefox PKCS11 loader" extension is enabled. You can also follow manual instructions at [[Smartcards#Mozilla Firefox]].
  
To enable PIN 1 authentication in [[Google Chrome]] and [[Chromium]] you should run [https://github.com/open-eid/linux-installer/blob/master/esteid-update-nssdb esteid-update-nssdb] script.
+
==== For new cards issued since December 2018 ====
Or you can run this command that does pretty much the same thing with less error checking.
+
The {{AUR|opensc-git}} package provides drivers for EstEID 2018+ [https://github.com/OpenSC/OpenSC/pull/1635].
  
  modutil -dbdir sql:$HOME/.pki/nssdb -add onepin-opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY
+
{{Note| qdigidoc4 requires opensc but you need to remove it before installing opensc-git. To work around this, just force remove opensc with `pacman -Rdd opensc`.}}
  
{{AUR|chrome-token-signing}} contains "Token signing" extension that needs to be enabled for document signing in Chromium.
+
Currently the default pkcs11 provider for Chrome is unsuitable (it asks PIN2 on authentication) (see [https://github.com/OpenSC/OpenSC/issues/1818]).
 +
Fix it by
 +
# deleting {{ic|~/.pki/nssdb/pkcs11.txt}}
 +
# running {{ic|/usr/bin/pkcs11-register -m /usr/lib/onepin-opensc-pkcs11.so}}
 +
# and appending {{ic| -m /usr/lib/onepin-opensc-pkcs11.so}} to the {{ic|Exec}} line of {{ic|/etc/xdg/autostart/pkcs11-register.desktop}}.
  
==== Firefox ====
+
=== Germany ===
  
To enable PIN 1 authentication in [[Firefox]] 58+ you should install {{AUR|esteidpkcs11loader}} and after restarting the browser make sure that "Firefox PKCS11 loader" extension is enabled. You can also follow manual instructions at [[Smartcards#Mozilla Firefox]].
+
==== ReinerSCT devices ====
For {{AUR|firefox-esr52}} and other other Firefox forks you can use {{AUR|esteidfirefoxplugin}}.
 
  
{{AUR|chrome-token-signing}} contains "Token signing" extension that needs to be enabled for document signing in Firefox 58+.
+
Install {{AUR|pcsc-cyberjack}} and copy the default configuration file {{ic|/etc/pcsc-cyberjack/cyberjack.conf.default}} to the same folder, without default. Restart {{ic|pcsc.service}} and apps like {{AUR|ausweisapp2}} should recognize the scanner. The ReinerSCT RFID will blink its LED, which it does not when the driver is not installed correctly.
  
 
=== Sweden ===
 
=== Sweden ===
  
 
[https://www.bankid.com/en/om-bankid/detta-ar-bankid BankID] is the leading electronic identification in Sweden.
 
[https://www.bankid.com/en/om-bankid/detta-ar-bankid BankID] is the leading electronic identification in Sweden.
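Review bot: In the new ReinerSCT paragraph, "Restart {{ic|pcsc.service}}" does not match the unit name used in the Installation section of this same revision ({{ic|pcscd.socket}}); it should probably read {{ic|pcscd.service}}. Two smaller points in this hunk: the new Note wraps "pacman -Rdd opensc" in Markdown backticks instead of {{ic|...}}, and the modutil line now registers the module under the name opensc-pkcs11 while -libfile still points at onepin-opensc-pkcs11.so, which makes it hard to tell from the module name alone which library is loaded; a name that says "onepin" (as the old line had) would be clearer.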

Latest revision as of 23:37, 15 February 2020

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Some duplication with Smartcards (Discuss in Talk:Electronic identification#)

An electronic identification ("eID") is an electronic means of identifying citizens or organizations, for example to access benefits or services provided by government authorities, banks or other companies. Apart from online authentication, many electronic identity cards (eICs) also give users the option to sign electronic documents with a digital signature.

Installation

All types of electronic identification require installing the ccid package. After installation, enable and start pcscd.socket. In addition, ACS smart cards also require the acsccid package.

pcsc-tools contains the pcsc_scan program, which can be used to check smart card detection; see Smartcards#Scan for card reader.

Setup per country

Belgium

https://eid.belgium.be/en

Install the eid-mw (AUR) package. Before installation, import the (continuous build) keys from [1]. See makepkg#Signature checking.

There is no plugin for Chrome, but there is one for Firefox. Add the Firefox plugin to your browser. In recent versions, you'll need to manually add the eID module to the Firefox security devices configuration. Your module path might be different from the one in the guide. List the available tokens and their modules with:

# p11tool --list-tokens

Here you'll see the module, which might be beidpkcs11.so. To find its full path, run:

# find /usr/lib -name beidpkcs11.so

You should now be able to use your eID reader in Firefox. Try it out using the test page.

You may find hints for troubleshooting in the official documentation, but keep in mind that Arch Linux is not officially supported.

Estonia

See https://www.id.ee/?lang=en

DigiDoc

Once ccid is installed and pcscd.socket is started, install qdigidoc4 (AUR). One of its dependencies, xml-security-c (AUR), is verified with a signature whose signing key you have to import into your GnuPG keyring. If you have an ACS card reader, acsccid is required.

DigiDoc4 has an optional GNOME/Files right-click menu integration. Install python2-nautilus (AUR) [broken link: package not found] and restart GNOME Files using the command pkill nautilus.

Note: chrome-token-signing (AUR) contains the "Token signing" extension that allows digital signatures on the web for both Google Chrome/Chromium and Firefox.

Chromium

After installing chrome-token-signing (AUR), enable PIN 1 authentication in Google Chrome and Chromium by running the following command (taken from the open-eid repo).

 modutil -dbdir sql:$HOME/.pki/nssdb -add opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY

Firefox

To enable PIN 1 authentication in Firefox, install esteidpkcs11loader (AUR) and chrome-token-signing (AUR). After restarting the browser, make sure that the "Firefox PKCS11 loader" extension is enabled. You can also follow the manual instructions at Smartcards#Mozilla Firefox.

For new cards issued since December 2018

The opensc-git (AUR) package provides drivers for EstEID 2018+ [2].

Note: qdigidoc4 requires opensc, but opensc has to be removed before opensc-git can be installed. To work around this, force-remove opensc with `pacman -Rdd opensc`, which skips dependency checks.

Currently the default PKCS#11 provider for Chrome is unsuitable: it asks for PIN2 on authentication (see [3]). Fix it by:

  1. deleting ~/.pki/nssdb/pkcs11.txt
  2. running /usr/bin/pkcs11-register -m /usr/lib/onepin-opensc-pkcs11.so
  3. and appending -m /usr/lib/onepin-opensc-pkcs11.so to the Exec line of /etc/xdg/autostart/pkcs11-register.desktop.
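
A read-only check for the two Chromium procedures above (the modutil registration and the EstEID 2018+ fix), as an added example that is not part of the wiki page: it parses an NSS pkcs11.txt and reports whether the onepin library is the one registered. The function names, the constructed sample file, and the assumption that the unsuitable default provider is opensc-pkcs11.so are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): list the PKCS#11 libraries an NSS
# database registers by reading the library=/name= keys of pkcs11.txt stanzas.

# nss_pkcs11_libs FILE: print "library<TAB>name" for each stanza that loads a
# library; the NSS internal module has an empty library= and is skipped.
nss_pkcs11_libs() {
    awk '
        function emit() { if (lib != "") print lib "\t" name; lib = name = "" }
        /^[ \t]*$/  { emit(); next }
        /^library=/ { lib = substr($0, 9) }
        /^name=/    { name = substr($0, 6) }
        END         { emit() }
    ' "$1"
}

# onepin_status FILE: print "default-module" if opensc-pkcs11.so is registered
# (assumed here to be the provider that prompts for PIN2), "ok" if the onepin
# library is registered and opensc-pkcs11.so is not, "missing" otherwise.
onepin_status() {
    nss_pkcs11_libs "$1" | awk -F'\t' '
        { n = split($1, p, "/"); base = p[n] }
        base == "onepin-opensc-pkcs11.so" { onepin = 1 }
        base == "opensc-pkcs11.so"        { plain = 1 }
        END {
            if (plain)       print "default-module"
            else if (onepin) print "ok"
            else             print "missing"
        }'
}

# Constructed sample of a database that still holds the default module.
sample=$(mktemp)
cat > "$sample" <<'EOF'
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical

library=/usr/lib/opensc-pkcs11.so
name=OpenSC smartcard framework (sample)
EOF
nss_pkcs11_libs "$sample"
echo "status: $(onepin_status "$sample")"
rm -f "$sample"

# On a real system: onepin_status "$HOME/.pki/nssdb/pkcs11.txt"
```

Run it before and after the three steps above; a result other than "ok" after the fix means Chromium is not loading the onepin module from that database.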

Germany

ReinerSCT devices

Install pcsc-cyberjack (AUR) and copy the default configuration file /etc/pcsc-cyberjack/cyberjack.conf.default to the same folder, dropping the .default suffix. Restart pcscd.service, and apps like ausweisapp2 (AUR) should recognize the scanner. The ReinerSCT RFID reader blinks its LED when the driver is installed correctly; it does not blink when it is not.

Sweden

BankID is the leading electronic identification in Sweden.