Electronic identification
An electronic identification ("eID") is an electronic identification solution of citizens or organizations, for example in view to access benefits or services provided by government authorities, banks or other companies. Apart from online authentication many eICs also give users the option to sign electronic documents with a digital signature.
Installation
All types of electronic identification require installing the ccid package. After installation, enable, and start pcscd.socket
.
In addition, ACS smart cards also require the acsccid package.
If you have a CR-75 card reader (1307:0361), you will also have to compile the following driver: https://github.com/jordidg/libcr75. Reconnect the reader after that.
pcsc-tools contains pcsc_scan
program that can be used to check smart card detection Smartcards#Scan for card reader.
NB! There is a bug in libusb 1.0.24, which prevents some "buggy" smartcard readers from working (e.g., Dell Latitude integrated reader). Downgrading to 1.0.23 fixes things for now.
Belgium
Install the eid-mw package. Before installation, import the (continuous build) keys from [1]. See makepkg#Signature checking. Run:
$ about-eid-mw
which should open a window. In the window, check that the "PCSC daemon status" is "running". If it is not the case, run
# systemctl start pcscd
In the same window, copy the value for "PKCS#11 location". This value can alternatively be found by first finding the module (which might be `beidpkcs11.so`) by doing:
# p11tool --list-tokens
Then finding the full path with:
# find /usr/lib -name beidpkcs11.so
There is no plugin for Chrome, but there is one for Firefox. Add the Firefox plugin to your browser. In recent versions, you will need to manually add the eID module to the Firefox security devices configuration. Your module path might be different than the one in the guide, use the value of "PKCS#11 location" found with the instructions of the previous paragraph. You should now be able to use your eID reader in Firefox. Try it out using the test page.
You may find hints for troubleshooting in the official documentation but keep in mind that Arch Linux is not officially supported.
If you want to use Chromium you will need to install opensc and p11-kit aswell.
Signing documents
Signing emails with Thunderbird and documents with LibreOffice is explained in a blog post by Luc Stroobant.
Depending on your system configuration it may be possible to run Adobe Reader DC under wine (see also the official FAQ on digital digital signatures). If using Adobe Reader is not possible, you can use Belgian Federal Public Services' "signing box". Using this service requires the installation of an extra eID middleware and extension by e-contract.be. Navigate to the signing box page, upload any pdf-file and attempt to add a digital signature to begin the installation process.
Brazil (ICP-Brasil)
SSL
Install ca-certificates-icp_brAUR as the Brazilian root CAs are not part of Mozilla's NSS due to a long standing issue.
Smart Cards (A3 certificates)
1. Install safesignidentityclientAUR and opensc.
2. Start and enable pcscd
.
systemctl enable pcscd.service systemctl start pcscd.service
/usr/lib/opensc-pkcs11.so
) enabled can cause problems both in Firefox and ChromeFirefox
Navigate to Edit -> Preference -> Advanced -> Certificates -> Security Devices and click "Load" to load a module using /usr/lib/libaetpkss.so
and name it ICP-Brasil A3 - Safe Sign Identity Client
.
Test it by going to Receita Federal's e-CAC.
Chrome
Ensure Chrome is closed and run:
modutil -dbdir sql:$HOME/.pki/nssdb/ -add "ICP-Brasil A3 - Safe Sign Identity Client" -libfile /usr/lib/libaetpkss.so
Estonia
See
- https://www.id.ee/?lang=en
- Automated installation script in Estonian community wiki: EST | ENG. Although initially created for Manjaro Linux, it is also suitable for Arch Linux and other related distributions that use pacman.
DigiDoc
Once ccid is installed and pcscd.socket
is started, install qdigidoc4AUR. One of the dependency xml-security-cAUR is verified with a signature that you have to import to your GnuPG keyring.
If you have an ACS card reader, acsccid is required.
DigiDoc4 has an optional GNOME/Files right click menu integration that requires python-nautilus to be installed. Currently this is broken due to missing Python 3 support
Chromium
After installing chrome-token-signingAUR, enable the PIN 1 authentication in Google Chrome and Chromium by running the following command (taken from the open-eid repo).
modutil -dbdir sql:$HOME/.pki/nssdb -add opensc-pkcs11 -libfile onepin-opensc-pkcs11.so -mechanisms FRIENDLY
Firefox
To enable PIN 1 authentication in Firefox you should install esteidpkcs11loaderAUR and chrome-token-signingAUR. After restarting the browser make sure that "Firefox PKCS11 loader" extension is enabled. You can also follow manual instructions at Smartcards#Mozilla Firefox.
Finland
Official instructions: https://dvv.fi/kansalaisvarmenne-kortinlukijaohjelmisto.
mPollux Digisign Client
First install the prequisites as described in #Installation. Then install vrk-mpollux-digisign-clientAUR. Launch the client, connect your reader and put in your card. Click the icon in your status bar once it turns yellow. This should trigger the card activation process if you have not activated it before.
Firefox
Navigate to Security Devices page (Search it via Preferences), then click Load and set Module Name to DigiSign PKCS#11-moduuli and module filename to /usr/lib/libcryptoki.so
. Finally restrart Firefox. The card can be tested at: https://dvv.fi/testaa-varmenteen-kayttoa.
Germany
ReinerSCT devices
For some devices, you need to install pcsc-cyberjackAUR and copy the default configuration file /etc/pcsc-cyberjack/cyberjack.conf.default
to the same folder, without the .default suffix. Restart pcsc.service
and apps like ausweisapp2AUR should recognize the scanner. The ReinerSCT RFID will blink its LED, which it does not when the driver is not installed correctly.
Spain
DNI electrónico (DNIe)
Install ca-certificates-dnieAUR. To sign documents using your identity card, install autofirmaAUR.
Sweden
BankID is the leading electronic identification in Sweden.