For about a month now, I've been working for a customer whose customer is FedICT, and am now helping out with maintaining the official software for the Belgian electronic ID card (eID). One of the first things I did was revamp the way in which the official Linux binaries are built and distributed, and I also got to work on the (somewhat overdue) new release for Linux.

Previously, the website contained downloadable packages for a number of distributions: two .deb files (one for i386 and one for amd64, for all .deb-based distributions), and a number of RPM files (one each for Fedora 15, 16, and Red Hat Enterprise 5, also for both architectures).

The builds as well as the supported distributions were somewhat outdated. This was a problem in and of itself, as eID cards issued since March 2014 are signed by the new government CA3 certificate rather than the older CA2 one, which required minor updates for the middleware to work. Since the Linux packages available on the website predated the required change, they wouldn't work for more recent cards.

Moreover, the actual distributions that were supported were also outdated—Fedora 16 hasn't been supported in over a year by the Fedora project, for instance—and there was a major gap in our list of supported distributions, in that openSUSE RPMs were not provided.

If you check out the install on Linux pages now, however, you'll see that the installation instructions have been changed somewhat. Rather than links to packages to install, we now give you an 'eid-archive' package that you can install; this package adds the relevant repository configuration for your distribution, after which you can install the packages you need—eid-mw for the PKCS#11 library and the Firefox and Chrome plugins; eid-viewer for the graphical viewer application to view and possibly print data from your ID card.

Apart from the fact that there are now repositories rather than just single-file downloads, the repositories (and in case of RPM packages, the RPM files themselves) are now also signed with an OpenPGP key. Actually, they are signed with two OpenPGP keys; the first one is for officially released builds (i.e., builds that have seen some extensive testing before they were deemed "working"), while the second one is for automatic builds that are generated through a continuous integration system after each and every commit. These untested packages are also in a separate repository that is disabled by default. In addition, there's also support for openSUSE now—which required more work than I expected, but wasn't a major problem.
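
An added example, not part of the original post or of the eID project's code: a small audit of a yum-style `.repo` file that checks the properties described above (signature checking on, untested builds disabled, and a separate key for tested and untested builds). The section names, URLs and key paths are constructed placeholders, and `audit_repos` is a hypothetical helper.

```python
import configparser

# Constructed sample .repo file. Section names, URLs and key paths are
# placeholders, not the values shipped in the real eid-archive package.
SAMPLE_REPO = """\
[example-eid-release]
baseurl=https://repo.example.invalid/rpm/release/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-EID-RELEASE

[example-eid-continuous]
baseurl=https://repo.example.invalid/rpm/continuous/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-EID-CONTINUOUS
"""

def audit_repos(text, untested_marker="continuous"):
    """Return sorted (repo, finding) pairs for settings that weaken the split
    between tested and untested builds or skip signature checking."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, key_owner = [], {}
    for name in cp.sections():
        repo = cp[name]
        untested = untested_marker in name
        # Assumption: a missing gpgcheck counts as "off"; on a real system the
        # value is inherited from the package manager's main configuration.
        if repo.get("gpgcheck", "0").strip() != "1":
            findings.append((name, "package signatures not checked"))
        # yum treats a repo without an "enabled" line as enabled.
        if untested and repo.get("enabled", "1").strip() == "1":
            findings.append((name, "untested builds enabled"))
        key = repo.get("gpgkey", "").strip()
        if not key:
            findings.append((name, "no signing key configured"))
        elif key in key_owner and key_owner[key][1] != untested:
            findings.append((name, "shares key with " + key_owner[key][0]))
        else:
            key_owner.setdefault(key, (name, untested))
    return sorted(findings)

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPO) or [("all repos", "ok")]:
        print(f"{repo}: {finding}")
```

Keeping the keys separate matters because a machine that only trusts the release key will refuse packages from the automatic builds even if that repository gets enabled by mistake.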


(for clarity: while I now work at FedICT, there's an obvious reason why I'm publishing this on my blog and not on any website—don't assume this is an official Belgian message or anything...)

Interesting post Wouter... I only used their tokens to sign in :D Do you have any figures/statistics by FOD available regarding the Linux user base in Belgium? Great to see Belgium steadily increasing their Linux support.

Comment by skx7 Fri 20 Jun 2014 21:27:24 CEST

Good that there is some progress in the installation of the EID-software. I hope that they fix that nasty bug when a reader is plugged in when the computer is starting up. In that case the card-reader is unusable and you'll have to unplug it (which causes a core-dump in package pcscd). It looks like the driver is still active, as it switches the power-led of the eid-reader off. After rebooting without the eid-reader, all is functioning well again. If this problem can't be solved soon, it would be good if the user were warned; otherwise it can be hard to figure out why your eid-reader isn't seen by the eid-viewer, although it remains in the list of active usb-devices.

Comment by Bernard Sat 21 Jun 2014 21:16:42 CEST

Great to see the Linux packages are made better and up to date. Also great to see that the eID now also works fine in Chrome. However, installation could be more automated if the addition of the PKCS #11 Module in the .pki homedir for each user would be included in the package installation scripts. You still have to add these modules yourself in order to make the eID work in Chrome. Thanks!

Comment by Peter Dedecker Mon 23 Jun 2014 05:03:17 CEST

Wouter, nice to see some more progress on the Linux front for EID. I ran into a bit of trouble a couple of days ago though with the repo information not being correct. So I couldn't get a list of available packages in yum. I tried to communicate this to Fedict (takes some searching as there is no obvious place to report technical issues), but I'm not sure it has been picked up as I didn't receive any reply to my "ticket".

I have no idea if you still work on eid or have any influence in the matter, but maybe you can get the repo filelist redone. That way the packages should show up in the package manager, instead of having to get them manually from the repo. It's for both FC19 and FC20; the continuous branch seemed to have correct repo information.

Thank you for improving Linux support.

Comment by Samuel Mon 14 Jul 2014 21:39:49 CEST

@Samuel - your ticket (or at least a ticket saying the same thing) did reach my desk, yes. It was a stupid mistake on my end due to having to do too many things manually and forgetting a step. In that light, see my most recent blog post ;-)

I've fixed the issue today; if you try again, it should Just Work(TM) now.

Comment by wouter Wed 16 Jul 2014 14:03:39 CEST