NixOS / nixpkgs

Nix Packages collection & NixOS

web-eid-app: can not sign with Estonian ID card #300435

Closed getreu closed 5 months ago

getreu commented 5 months ago

Reproduce

Install

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

    packages = with pkgs; [
      firefox-esr
      web-eid-app
      p11-kit
      opensc
    ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
     module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An "About Web eID" dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
  3. Install the browser extension within Firefox from Web eID – Get this Extension for Firefox (en-US)

  4. Link the web-eid manifest into the browser configuration

    
    mkdir -p ~/.mozilla/native-messaging-hosts/
    cd ~/.mozilla/native-messaging-hosts/
    ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .
  5. Check success

    1. Enable logging:
    2. Insert Estonian ID card.
    3. Check with DigiDoc that the card reader works and that the ID card reader and driver work. (Ok)
    4. Go to https://web-eid.eu/ and click on [Authenticate].

Incorrect result

Unfortunately, I get the following error page in the browser:

Authentication failed
[Code]
ERR_WEBEID_NATIVE_UNAVAILABLE
[Message]
a message from native application was expected, but native application closed connection

Furthermore, there is no log message in ~/.local/share/RIA/web-eid/web-eid.log.

Help is welcome.

I also filed a bug report upstream: https://github.com/web-eid/web-eid-app/issues/317

getreu commented 5 months ago

The manifest path was the problem.

In the manual above, I replaced the line:

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .

with

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

Below you find the corrected working procedure.
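
Added example (not part of the original comments, nor code from web-eid or nixpkgs): a check of the Firefox native-messaging manifest that the `ln -s` lines above link in, covering the conditions under which the browser cannot start the host. The manifest contents, the placeholder extension ID and origin, and the "chrome-style" and "gone" variants are constructed; the example does not claim which of them caused the error reported above.

```python
import json
import os
import tempfile
from pathlib import Path


def check_native_manifest(manifest: Path) -> list[str]:
    """Return the reasons Firefox could not start the host this manifest names."""
    if not manifest.exists():  # also False for a symlink whose target is gone
        return ["dangling symlink" if manifest.is_symlink() else "missing file"]
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        data = None
    if not isinstance(data, dict):
        return ["unreadable or not a JSON object"]
    problems = []
    if data.get("name") != manifest.stem:  # eu.webeid.json must declare "eu.webeid"
        problems.append("name does not match file name")
    if data.get("type") != "stdio":
        problems.append("type is not stdio")
    if not data.get("allowed_extensions"):  # Firefox key; Chrome uses allowed_origins
        problems.append("no allowed_extensions")
    host = Path(str(data.get("path", "")))
    if not (host.is_absolute() and host.is_file() and os.access(host, os.X_OK)):
        problems.append("path is not an absolute path to an executable file")
    elif host.stat().st_mode & 0o022:  # the browser runs this binary as the user
        problems.append("host binary is writable by group or others")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed manifests in a temp dir, each linked in turn as eu.webeid.json."""
    with tempfile.TemporaryDirectory() as tmp:
        exe, link, out = Path(tmp, "web-eid"), Path(tmp, "eu.webeid.json"), {}
        exe.write_text("#!/bin/sh\n")
        exe.chmod(0o755)
        base = {"name": "eu.webeid", "type": "stdio", "path": str(exe)}
        variants = {"firefox": {**base, "allowed_extensions": ["placeholder@example.invalid"]},
                    "chrome-style": {**base, "allowed_origins": ["chrome-extension://x/"]},
                    "gone": None}  # "gone": the link target is never created
        for label, body in variants.items():
            target = Path(tmp, label + ".json")
            if body is not None:
                target.write_text(json.dumps(body))
            link.unlink(missing_ok=True)
            link.symlink_to(target)
            out[label] = check_native_manifest(link)
        return out
```

On a real system, call `check_native_manifest(Path.home() / ".mozilla/native-messaging-hosts/eu.webeid.json")`; an empty list means the manifest itself is not the cause.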

getreu commented 5 months ago

Edit: modified according to https://github.com/NixOS/nixpkgs/issues/281710#issuecomment-2031506760

Tested working procedure:

Installation

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

    Important: do not add firefox-esr in packages!

    packages = with pkgs; [
      web-eid-app
      p11-kit
      opensc
    ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
     module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An "About Web eID" dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
  3. Install the browser extension within Firefox from Web eID – Get this Extension for Firefox (en-US)

  4. Check success

    1. Enable logging:
    2. Insert Estonian ID card.
    3. Check with DigiDoc that the card reader works and that the ID card reader and driver work. (Ok)
    4. Go to https://web-eid.eu/ and click on [Authenticate].

      Type pin1, you should see:

      Digital signing Welcome, XXX XXX!

      Press the button [Sign document], then type pin2, you should see:

      Digital signing
      Welcome, XXX XXX!
      Signature added: example-for-signing.asice

getreu commented 5 months ago

Edit: this workaround is not necessary any more according to https://github.com/NixOS/nixpkgs/issues/281710#issuecomment-2031506760

Addendum

The lines

mkdir -p ~/.mozilla/native-messaging-hosts/
cd ~/.mozilla/native-messaging-hosts/
ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

are a workaround until #281710 is fixed.

getreu commented 5 months ago

Jens Getreu's blog - Sign with your Estonian ID card under NixOS