NixOS / nixpkgs

Can not sign with package `qdigidoc` and eID card #334397

Closed getreu closed 2 weeks ago

getreu commented 3 months ago

Hello,

please find below a bug report about the Nix package qdigidoc:

Description

I cannot sign any more since the 24.5 update.

Error message

Failed to sign container. Please check the access to signing services and network settings.

ASiC_E.cpp:371 Failed to sign container. Connect.cpp:95 Failed to connect to host: 'dd-at.ria.ee:80' DECODER routines:0 error:1E08010C:DECODER routines::unsupported BIO routines:0 error:10080002:BIO routines::system lib

Additional tests

I also checked whether I am able to authenticate with https://web-eid.eu/ . Both authentication and signing work.

Diagnostic output

For completeness, here my diagnostics output:

Locale: English / en_US.UTF-8

Application version: 4.5.1.0 (64 bit)
OS: NixOS 24.05 (Uakari) (x86_64/x86_64)
CPU: AMD Ryzen 5 PRO 4650U with Radeon Graphics
Kernel: Linux 6.6.44 #1-NixOS SMP PREEMPT_DYNAMIC Sat Aug 3 06:54:42 UTC 2024 x86_64

Libraries:
QT (5.15.14)
OpenSSL build (OpenSSL 3.0.14 4 Jun 2024)
OpenSSL current (OpenSSL 3.0.14 4 Jun 2024)

Arguments: qdigidoc4
Library paths: /run/wrappers/lib/qt-5.15.14/plugins;/home/getreu/.local/share/flatpak/exports/lib/qt-5.15.14/plugins;/var/lib/flatpak/exports/lib/qt-5.15.14/plugins;/home/getreu/.nix-profile/lib/qt-5.15.14/plugins;/nix/profile/lib/qt-5.15.14/plugins;/home/getreu/.local/state/nix/profile/lib/qt-5.15.14/plugins;/etc/profiles/per-user/getreu/lib/qt-5.15.14/plugins;/nix/var/nix/profiles/default/lib/qt-5.15.14/plugins;/run/current-system/sw/lib/qt-5.15.14/plugins;/nix/store/h8m7pcd6d20jsx7hn81rsgkq0h884893-qtwayland-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/vc9wklk5w3cskkymp52g7js83my4d9ch-qttools-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/plix80gx31963j2qpsws7rid1gfr6cyn-qtdeclarative-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h32d5q8ngcy68nddbw5vja3r316s20p3-qtsvg-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/fbddznz5ln765jbl2i2mfnf8h7rkkmd9-qtbase-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h4li58h9pni11wigz8xldad9kgzc0q3c-qdigidoc-4.5.1/bin
URLs:
CONFIG_URL: https://id.eesti.ee/config.json
SID-PROXY-URL: https://dd-sid.ria.ee/v1
SIDV2-PROXY-URL: https://dd-sid.ria.ee/v1
SID-SK-URL: https://dd-sid.ria.ee/v1
SIDV2-SK-URL: https://dd-sid.ria.ee/v1
MID-PROXY-URL: https://dd-mid.ria.ee/mid-api
MID-SK-URL: https://dd-mid.ria.ee/mid-api
RPUUID: is set by default
TSL_URL: https://ec.europa.eu/tools/lotl/eu-lotl.xml
TSA_URL: http://dd-at.ria.ee/tsa
SIVA_URL: https://siva.eesti.ee/V3/validate
CDOC2:
CDOC2-DEFAULT: false
CDOC2-USE-KEYSERVER: true
CDOC2-DEFAULT-KEYSERVER: ria-test

TSL signing certs:
Patrick Kremer (Signature)
European Commission
European Commission
JEROEN ARNOLD L RATHE
APOSTOLOS APLADAS
CONSTANTIN-ADRIAN CROITORU

TSL cache:
EE.xml (65)
eu-lotl-pivot-335.xml (335)
eu-lotl-pivot-341.xml (341)
eu-lotl.xml (343)
g0xdp6w34ric1mdh8g7r0v8h85idkcg1-eu-lotl-pivot-300.xml (300)

Central Configuration:

Smart Card service status: Running
Smart Card readers:
Alcor Micro AU9540 00 00 max APDU size 65536
Reader state: PRESENT, INUSE
ATR cold - 3BD...
ATR warm - 3BD...
AID35: 6a86
UPDATER_AID: 6a86
AID_IDEMIA: 9000 (OK)
ID - 3...
USB info:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 5986:2130 Bison Electronics Inc. Integrated Camera
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 002: ID 0489:e0cd Foxconn / Hon Hai MediaTek Bluetooth Adapter
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

flokli commented 3 months ago

I can reproduce. The "Signing" animation is shown for a while, and then an error too:

The error message mentions dd-at-ria.ee not being reachable:

This hostname does not even have a DNS record.

I spotted https://github.com/open-eid/libdigidocpp/commit/2b5db855ba3ceb9bae1f11589ea1aea22bb7595a#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20aR25 changing the "Default TSA URL". Maybe they updated the URL in some places, but forgot updating elsewhere?

I found this URL in my qdigidoc settings too:

Changing it to the new URL unfortunately also didn't help, as it doesn't like the Digicert certificate.

Maybe unrelated, maybe not - I also see a 2024-08-13T23:10:20Z E [TSL.cpp:302] - TSL eu-lotl.xml signature is invalid in my logs.

This looks like an issue in the application itself / some config shipped somewhere, but nothing NixOS-specific. I propose opening an issue upstream in qdigidoc, maybe linking to here for context.

flokli commented 3 months ago

I tried manually bumping libdigidocpp, and I tried using digidoc-tool from libdigidocpp. It reports a signature as invalid:

❯ /nix/store/802v0dcr9b7vsb1l1vi18fc98l2b7bqj-libdigidocpp-unstable-2024-07-17-bin/bin/digidoc-tool create --file=CONTRIBUTING.md contributing.asice
Version
  digidoc-tool version: 3.18.0.0
  libdigidocpp version: 3.18.0.0
2024-08-14T07:39:11Z E [TSL.cpp:311] - TSL eu-lotl.xml signature is invalid
2024-08-14T07:39:12Z I [X509CertStore.cpp:63] - Loaded 0 certificates into TSL certificate store.
Available certificates:
  label: XXXX
Selected:
  label: XXXX
Please enter PIN for token 'XXXX' or <enter> to cancel: 
2024-08-14T07:39:16Z W [TSL.cpp:126] - Failed to parse TSL  /home/flokli/.digidocpp/tsl/EE.xml: /home/flokli/.digidocpp/tsl/EE.xml:1:2 error: invalid document structure
2024-08-14T07:39:16Z E [TSL.cpp:311] - TSL EE.xml signature is invalid
2024-08-14T07:39:16Z I [X509CertStore.cpp:63] - Loaded 58 certificates into TSL certificate store.
    Validation: OK

Opened an issue upstream: https://github.com/open-eid/DigiDoc4-Client/issues/1281

flokli commented 3 months ago

@getreu I got a link to https://github.com/open-eid/DigiDoc4-Client/issues/1276, mentioning a workaround.

However it looks like the libdigidocpp changes linked there are not a sufficient fix, so I cannot patch this in nixpkgs, and it for now requires each user to manually set that address and import certificates.

getreu commented 2 months ago

As I understand, "Update OpenSSL 3.0.14 by metsma · Pull Request #597 · open-eid/libdigidocpp" now fixes this issue with the related commit "Uppdate OpenSSL 3.0.14 (#597) · open-eid/libdigidocpp@2b5db85". Do you consider a patch release?

flokli commented 2 months ago

Unless I'm missing something, https://github.com/open-eid/libdigidocpp/commit/2b5db855ba3ceb9bae1f11589ea1aea22bb7595a#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20aR25 is the only relevant change for us from this commit (which sets the TSA_URL flag).

The patch doesn't apply, but IIRC I tried setting this manually via cmakeFlags and it didn't fix things for me back then.

I can try again tomorrow or so, re-rolling that patch and trying to sign again with a fresh profile.

Do you consider a patch release?

Yes, absolutely, if there's a patch we can apply to fix this for nixpkgs users, at least when starting with empty state I'd like to do it.

flokli commented 2 months ago

I did apply the TSA_URL change in libdigidocpp, and it seems this was enough to get signing to work.

PR is up at https://github.com/NixOS/nixpkgs/pull/345532, please test and report back there.

getreu commented 1 month ago

I installed the patched version and still get an error when signing:

Failed to sign container. Please check the access to signing services and network settings.
Details:
ASiC_E.cpp:371 Failed to sign container.
Connect.cpp:152 Failed to create ssl connection with host: 'eid-dd.ria.ee:443'
SSL routines:0 error:0A000086:SSL routines::certificate verify failed

flokli commented 1 month ago

Did you reset your settings to the defaults / wipe application state?

getreu commented 1 month ago

I deleted the ~/.digidocpp directory and I reset the settings. Both did not help.

flokli commented 1 month ago

And this is a $(nix-build -A qdigidoc)/bin/qdigidoc from a current nixpkgs checkout? What's the exact store path and nixpkgs commit, so I can try to repro?

getreu commented 1 month ago

ls -1 /nix/store | grep qdigidoc
2g549d111vrkfbq9j587kdgl5g7r6ws6-qdigidoc-4.5.1
3bb76xb2f9vbp08m7gzwjd62znvh1siw-qdigidoc-4.5.1.drv
3q6mivd9mci6bfnj3f25ynfria1xylqc-qdigidoc-4.5.1.drv
4vjv6mkbrfin2zza3lqawy230dll4aa1-qdigidoc-4.4.0.drv
aq70nnpwk28myzjqj75pf91j8ri722wv-qdigidoc-4.4.0.drv
blxvc790z8qwq3mpkqh06rsdfrs8pw7w-qdigidoc-4.4.0
cf2xm5w6csvqsjdcpnbp2wm25mdf3795-qdigidoc4-4.5.1.tar.gz.drv
d61vjsk8jcyjwp6z7lxyd60aigsw6dnp-qdigidoc-4.4.0
gq3z3djxk8889l77h4d6rkvjzr1gi3fw-qdigidoc4-4.4.0.tar.gz.drv
h3dn7hm1418sn02jbfnrbzm0dz673wad-qdigidoc-4.5.1
xjdnyj1y9p05ai4wy19c341hw4h9draj-qdigidoc4-4.5.1.tar.gz.drv

Locale: English / en_US.UTF-8

Application version: 4.5.1.0 (64 bit)
OS: NixOS 24.05 (Uakari) (x86_64/x86_64)
CPU: AMD Ryzen 5 PRO 4650U with Radeon Graphics
Kernel: Linux 6.6.48 #1-NixOS SMP PREEMPT_DYNAMIC Thu Aug 29 15:33:59 UTC 2024 x86_64

Libraries:
QT (5.15.14)
OpenSSL build (OpenSSL 3.0.14 4 Jun 2024)
OpenSSL current (OpenSSL 3.0.14 4 Jun 2024)

Arguments: qdigidoc4
Library paths: /run/wrappers/lib/qt-5.15.14/plugins;/home/getreu/.local/share/flatpak/exports/lib/qt-5.15.14/plugins;/var/lib/flatpak/exports/lib/qt-5.15.14/plugins;/home/getreu/.nix-profile/lib/qt-5.15.14/plugins;/nix/profile/lib/qt-5.15.14/plugins;/home/getreu/.local/state/nix/profile/lib/qt-5.15.14/plugins;/etc/profiles/per-user/getreu/lib/qt-5.15.14/plugins;/nix/var/nix/profiles/default/lib/qt-5.15.14/plugins;/run/current-system/sw/lib/qt-5.15.14/plugins;/nix/store/xyfd3kivhl8l19z6f1nca1sifw8qil5x-qtwayland-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/3qbs5345yryd3hqa7k6rx62hy4lgnla2-qttools-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/w6qv3dkfpaypz0la90qmqkw6iipgcgs5-qtdeclarative-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h3rmffy5vgrxnvrc33xmliv0qgd6z2i5-qtsvg-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/il26vhy43mha5pwyjg9pr2qa9m6a3kzx-qtbase-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h3dn7hm1418sn02jbfnrbzm0dz673wad-qdigidoc-4.5.1/bin
URLs:
CONFIG_URL: https://id.eesti.ee/config.json
SID-PROXY-URL: https://dd-sid.ria.ee/v1
SIDV2-PROXY-URL: https://dd-sid.ria.ee/v1
SID-SK-URL: https://dd-sid.ria.ee/v1
SIDV2-SK-URL: https://dd-sid.ria.ee/v1
MID-PROXY-URL: https://dd-mid.ria.ee/mid-api
MID-SK-URL: https://dd-mid.ria.ee/mid-api
RPUUID: is set by default
TSL_URL: https://ec.europa.eu/tools/lotl/eu-lotl.xml
TSA_URL: https://eid-dd.ria.ee/ts
SIVA_URL: https://siva.eesti.ee/V3/validate
CDOC2:
CDOC2-DEFAULT: false
CDOC2-USE-KEYSERVER: true
CDOC2-DEFAULT-KEYSERVER: ria-test

TSL signing certs:
Patrick Kremer (Signature)
European Commission
European Commission
JEROEN ARNOLD L RATHE
APOSTOLOS APLADAS
CONSTANTIN-ADRIAN CROITORU

TSL cache:
eu-lotl-pivot-335.xml (335)
eu-lotl-pivot-341.xml (341)
eu-lotl.xml (346)
g0xdp6w34ric1mdh8g7r0v8h85idkcg1-eu-lotl-pivot-300.xml (300)

Central Configuration:

Smart Card service status: Running
Smart Card readers:
Alcor Micro AU9540 00 00 max APDU size 65536
Reader state: EMPTY
USB info:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 5986:2130 Bison Electronics Inc. Integrated Camera
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 002: ID 0489:e0cd Foxconn / Hon Hai MediaTek Bluetooth Adapter
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

flokli commented 1 month ago

You're using /nix/store/h3dn7hm1418sn02jbfnrbzm0dz673wad-qdigidoc-4.5.1, as can be seen all the way at the right of the library path. I don't know which nixpkgs checkout this is coming from.

I confirmed I also cannot sign with this, but I am able to by using one built straight from nixpkgs:

git clone https://github.com/NixOS/nixpkgs/
cd nixpkgs
$(nix-build -A qdigidoc)/bin/qdigidoc

That's /nix/store/nywycvjm6rrw3ghpm5gmvr5rrlfyr11k-qdigidoc-4.5.1 for me (you can also nix-store -r it). Please try executing qdigidoc from there (wiping ~/.digidocpp before, and making sure no other qdigidoc is running).

getreu commented 1 month ago

I followed your instructions in your comment above. Same error, but maybe this helps:

Failed to sign container. Please check the access to signing services and network settings.
Details:
ASiC_E.cpp:371 Failed to sign container.
Connect.cpp:152 Failed to create ssl connection with host: 'eid-dd.ria.ee:443'
SSL routines:0 error:0A000086:SSL routines::certificate verify failed
./qdigidoc4
Failed to parse public key
QObject: Cannot create children for a parent that is in a different thread.
(Parent is QSigner(0x2156990), parent's thread is QThread(0x1f0fed0), current thread is QSigner(0x2156990)
"3BDB96..."
Loading: "opensc-pkcs11.so"
2024-10-08T12:27:28Z I [X509CertStore.cpp:63] - Loaded 0 certificates into TSL certificate store.
TSL loading finished
"OpenSC Project                   (2.20)" 
 "OpenSC smartcard framework       (0.25)" 
 Flags: 0
qdigidoc4.QSmartCard: Polling
qdigidoc4.QSmartCard: Read "Alcor Micro AU9540 00 00"
qdigidoc4.QSmartCard: Read card "EC1325287" info
"3BDB96..."
qdigidoc4.QSmartCard: Polling
qdigidoc4.QSmartCard: Read "Alcor Micro AU9540 00 00"
qdigidoc4.QSmartCard: Read card "EC1325287" info
"3BDB96..."
"3BDB96..."

My config:

  packages = with pkgs; [
    qdigidoc       # Digidoc
    web-eid-app    # Signing in browser
    p11-kit        # Signing in browser
    opensc         # Signing in browser
    ...
  ];

  # Digidoc
  services.pcscd.enable = true;
  # Authentication
  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
  '';

flokli commented 1 month ago

Do you have some funny MITM proxy between your connection with eid-dd.ria.ee:443?

Even though I cannot reproduce your store path (and still don't know which nixpkgs revision you're on), it suggests https://github.com/presto8/nixpkgs/commit/6fe31b59dda4539905e16b4f287f32f2c0f41016 is applied. At least if the config is indeed cleared / reset to defaults.

getreu commented 1 month ago

I compiled qdigidoc following your instructions after cloning nixpkgs. The artifacts are in ./nixpkgs/result/bin/qdigidoc and ./nixpkgs/result/share/... and therefore have no hash in their storage path. But isn't libdigidocpp the actual problem?

ls *libdigidocpp*
59j8wad1bkz2rg9nk218yp9xfqs70pz3-libdigidocpp-3.17.1.drv
dc3y58r8x5s07lm8rwymnadnzs9d4nr0-libdigidocpp-3.17.1.tar.gz.drv
f4a3l47imc8anm5w00rs4gcn7svqfiz9-libdigidocpp-3.17.1.drv
ilrayi5kcm91xg1bsfy4fd8aifq42s15-libdigidocpp-3.16.0.drv
j9v33k5qmxgih3kip6zlnsjz7vz1a8gk-libdigidocpp-3.16.0.tar.gz.drv
ns0yya24jj8i120y6kvzjhv9c3x3bygv-libdigidocpp-3.17.1.drv
pdm2i1advhd2gjjp9qprkr6l4f0xi8rj-libdigidocpp-3.17.1.tar.gz.drv
s9ybzjzvgaqrlvswgj0apyn2f4df25qj-libdigidocpp-3.17.1.tar.gz.drv
z3x057dngvzhhbh4bj0dbw9fz5p1cp5f-libdigidocpp-3.16.0.drv

4plvmqlwmjs42hrnpswfpzpbmayciglm-libdigidocpp-3.17.1: etc
d7gb8b6y4p8xw85r2h4da30v97zh8fl0-libdigidocpp-3.16.0-lib: lib
gb1yr7pmb9s2pkg54fkzijj34yx96z8c-libdigidocpp-3.17.1: etc
mmxklqaj2aqivp3rbdwx5n7xgq834s89-libdigidocpp-3.17.1-lib: lib
mvy1c4ql11ph3msr2f483kwbm08xpcmk-libdigidocpp-3.17.1-lib: lib
pjwvjxv50b21d0c0shlfz5s9pw7j6wb0-libdigidocpp-3.17.1: etc
pv08kn69z1knd48hvh13c99a5izaq1qm-libdigidocpp-3.17.1-lib: lib
vk4p8dnff5xa5l2qi3hrf8zdg61pml5r-libdigidocpp-3.16.0: etc
vz7l7sgngi3x9sym4jbplgdkmcwvcy4q-libdigidocpp-3.16.0-lib: lib
yvwlncvznx4sgzc8zcm5w25hy70kf693-libdigidocpp-3.16.0: etc

Do you have some funny MITM proxy between your connection with eid-dd.ria.ee:443?

No proxy. In Firefox I can reach https://eid-dd.ria.ee/. It returns an empty white page.

flokli commented 1 month ago

Check the location of the result symlink, it points back into the Nix store. Also, the rev in git show, so I know which nixpkgs commit you're on.

getreu commented 1 month ago

The symlink points to /nix/store/nywycvjm6rrw3ghpm5gmvr5rrlfyr11k-qdigidoc-4.5.1

git show
commit 146e83d76bd8378bf56c0db8f9a19573e6e74c5d (HEAD -> master, origin/master, origin/HEAD)
Merge: 8af94f7ca2b8 611b1d53b74a
Author: Florian Klink <flokli@flokli.de>
Date:   Tue Oct 8 13:09:11 2024 +0300

    dhcpcd: enable sandboxing options (#208780)

flokli commented 1 month ago

Can you check out this PR? https://github.com/NixOS/nixpkgs/pull/350685

It bumps libdigidoc and qdigidoc to their latest versions.

getreu commented 1 month ago

I deleted my config in ~/.digidocpp, then compiled your patch; it did not help:

Please find attached all versions and the hashes of the dependencies in the diagnostics log:

qdigidoc4_4.6.0.0_diagnostics.txt

flokli commented 1 month ago

I really don't understand what's going on here, but it looks like it's either something with your network connection or configuration of which certificate roots you trust. Or maybe an incompatible combination of library versions?

We could at least rule out the library combination bits, can you $(nix-store -r /nix/store/2kln9y140vya6iqd9r2akjk0frm183av-qdigidoc-4.6.0)/bin/qdigidoc4 (that's qdigidoc from current nixpkgs master) and check if that allows you to sign?

getreu commented 1 month ago

The path is right. It opens Digidoc 4. Still the same error: "Failed to create SSL connection..." See screenshot above. This is dumped to the console:

$(nix-store -r /nix/store/2kln9y140vya6iqd9r2akjk0frm183av-qdigidoc-4.6.0)/bin/qdigidoc4
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
Failed to parse public key
QObject: Cannot create children for a parent that is in a different thread.
(Parent is QSigner(0x2d0d5160), parent's thread is QThread(0x2cf7c920), current thread is QSigner(0x2d0d5160)
Loading: "opensc-pkcs11.so"
2024-10-29T20:12:12Z I [Container.cpp:122] - Libxml2 version: 2.13.4
2024-10-29T20:12:12Z I [Container.cpp:123] - Xmlsec1 version: 1.3.5
2024-10-29T20:12:12Z I [Container.cpp:124] - digidocpp version: 4.0.0.0
"OpenSC Project                   (2.20)" 
 "OpenSC smartcard framework       (0.25)" 
 Flags: 0
2024-10-29T20:12:13Z E [TSL.cpp:275] - TSL eu-lotl.xml signature is invalid
2024-10-29T20:12:13Z I [X509CertStore.cpp:61] - Loaded 0 certificates into TSL certificate store.
TSL loading finished

Note: "TSL eu-lotl.xml signature is invalid" and "Loaded 0 certificates into TSL certificate store."

BTW: I am able to connect.

hellwolf commented 1 month ago

Fwiw, I can sign with ID card now: see https://github.com/open-eid/DigiDoc4-Client/issues/1281#issuecomment-2453452094

But I am still not able to sign with smart ID.

flokli commented 1 month ago

SmartID is tracked in https://github.com/NixOS/nixpkgs/issues/307927, let's keep this issue on topic.

hellwolf commented 2 weeks ago

Fwiw, the certificate got updated recently, again.

I ran this command to obtain the latest certificate:

$ openssl s_client -showcerts -connect eid-dd.ria.ee:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > eid-ts.pem

getreu commented 2 weeks ago

@hellwolf Could you elaborate a bit? How can I update the certificate to solve my signing problem? Concerning NixOS: what package needs to be updated?

hellwolf commented 2 weeks ago

@hellwolf Could you elaborate a bit? How can I update the certificate to solve my signing problem? Concerning NixOS: what package needs to be updated?

  1. $ openssl s_client -showcerts -connect eid-dd.ria.ee:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > eid-ts.pem
  2. go to the settings of qdigidoc4 -> signing services -> use manually configured access -> select the certificate you obtained via step (1).

getreu commented 2 weeks ago

@hellwolf : It works! Thank you a lot! Your solution with screenshot:

  1. Download certificate:

    $ openssl s_client -showcerts -connect eid-dd.ria.ee:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > eid-ts.pem
  2. Goto:

    Settings of qdigidoc4 -> 
    signing services ->
    (Access to Time-Stamping service) 
    use manually configured access -> 
    [ADD CERTIFICATE] ->
    select the certificate you obtained via step (1).

@flokli Does the certificate (step 1) live in your package? Could you add it?
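Since the thread notes that the service certificate rotates (roughly monthly), here is an added example, not code from the thread or from the DigiDoc project, that scripts step 1 of the workaround above and keeps a hash of the saved certificate so a later run reports when eid-dd.ria.ee has changed it and the manually added certificate in qdigidoc4 needs refreshing. It assumes the openssl CLI is installed; the cache path and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the issue thread). Fetches the time-stamping
# service's TLS certificate exactly as in the workaround (openssl s_client)
# and detects rotation by hashing the saved PEM body.
# Assumptions: openssl CLI present; host/port from the thread; CACHE is arbitrary.

TSA_HOST="${TSA_HOST:-eid-dd.ria.ee}"
TSA_PORT="${TSA_PORT:-443}"
CACHE="${CACHE:-$HOME/.local/share/eid-ts.pem}"

# Portable SHA-256 of stdin (GNU coreutils or BSD/macOS).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# True when the file holds exactly one PEM certificate block.
is_pem_cert() {
    f="$1"
    [ -s "$f" ] || return 1
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    m=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$n" -eq 1 ] && [ "$m" -eq 1 ]
}

# SHA-256 over the base64 body only, whitespace stripped, so the same
# certificate saved with different line wrapping hashes identically.
pem_body_hash() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | grep -v -- '-----' | tr -d '\r\n ' | _sha256 | cut -d' ' -f1
}

# Step 1 of the workaround: save the server's leaf certificate as PEM.
fetch_tsa_cert() {
    out="$1"
    openssl s_client -showcerts -connect "${TSA_HOST}:${TSA_PORT}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out" || return 1
    is_pem_cert "$out"
}

# Exit status: 0 = same certificate as cached, 2 = rotated, 1 = no cache yet.
cert_rotated() {
    new="$1"; cached="$2"
    [ -f "$cached" ] || return 1
    [ "$(pem_body_hash "$new")" = "$(pem_body_hash "$cached")" ] && return 0
    return 2
}

# Fetch, compare with the cached copy, then refresh the cache, printing
# whether the certificate added in qdigidoc4's settings is now stale.
check_tsa_cert() {
    tmp=$(mktemp) || return 1
    fetch_tsa_cert "$tmp" || { rm -f "$tmp"; echo "fetch failed"; return 1; }
    rc=0; cert_rotated "$tmp" "$CACHE" || rc=$?
    case "$rc" in
        0) echo "unchanged: $(pem_body_hash "$tmp")" ;;
        1) echo "first run, caching $(pem_body_hash "$tmp")" ;;
        2) echo "ROTATED: re-add $CACHE in qdigidoc4 signing service settings" ;;
    esac
    mkdir -p "$(dirname "$CACHE")" && mv "$tmp" "$CACHE"
}
```

Source the file and call check_tsa_cert; only fetch_tsa_cert needs network access, the hashing and comparison run offline.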

flokli commented 2 weeks ago

I don't know if/where qdigidoc does pin this certificate, and why this keeps failing. Users on other distros clearly don't need to manually do this config change every time, so it'd be good to understand what goes wrong in our case and how to get it to work without manual user intervention.

hellwolf commented 2 weeks ago

I am not sure what it is for, but I found this patch used by the rpm packaged by Fedora:

https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch

flokli commented 2 weeks ago

Yeah, they also just vendor in the XML file essentially. Maybe we can get a stable permalink from there, so we can avoid vendoring it in nixpkgs, but I'd also assume it'd compress sufficiently and changes rarely. Let's see if it fixes the issues.

getreu commented 2 weeks ago

I'd also assume it'd compress sufficiently and changes rarely

Yes, I think so also. Besides, shipping Digidoc with default well known certificates, as e.g. Fedora does (see @hellwolf), is far more secure than letting Digidoc download them at runtime.

hellwolf commented 2 weeks ago

Fedora had to embed it because the build system doesn't check the hash of the cert downloaded (during build).

The way we package in nixpkgs doesn't require that patch, since there are hash checks.

hellwolf commented 2 weeks ago

I also think the certificate rolling has a one-month period; so I guess it makes packaging this package a bit more timely than otherwise during Oct/Nov.

flokli commented 2 weeks ago

I checked for the XML file on archive.org. It does regularly get updated, so we'd need to periodically keep these files refreshed, as does Fedora.

I tried updating our packaging to do the same thing as fedora, and after a lot of back and forth ended up going with the same patch as them. PR at #357428, PTAL.