Arch Linux User Repository

I just tried the latest version of DigiSignClient (4:4.3.2_8863-1) on Arch Linux. If DigiSignClient is running, Firefox delegates the PIN dialog correctly to DigiSignClient. If it is not running, Firefox shows its own dialogs multiple times, and does not explicitly ask which PIN the user should enter.

I also tried Atostek ID (4.3.0.0) on Ubuntu 24.04 with regular Firefox (non-snap). PIN dialogs are shown by Firefox (multiple times), even though the Atostek ID app is running in the background. Well, at least the Firefox dialogs now explicitly tell which PIN it wants in this Atostek PKCS#11 module implementation.

In summary, it seems that the Atostek PKCS#11 module works equally bad with Firefox both in Arch Linux and Ubuntu.

FWIW I don't remember needing to enter my PIN several times with DigiSignClient. But I use it very seldomly. Currently installing this to see how it fares.

@ewtoombs I'm afraid what you are describing is the expected behaviour in the Linux version of Atostek ID. When using the PKCS #11 module via Firefox, the PIN dialogs come from Firefox and they will appear multiple times per operation. IIRC, this was also how it worked with the previous software DigiSignClient. It also seems that that some browsers fail to ask which PIN to use. If you have set different PINs for PIN1 and PIN2, it can be very confusing.

In Windows, when authenticating with a web browser, the PIN dialogs are correctly delegated to the Atostek ID application and you only need to enter the PIN once per operation. Unfortunately, Linux seems to be second class citizen in terms of features for now.

atosekid does work, but at least in Firefox, I have to enter my password four times, every single time I log into any website using my henkilökortti. Can this be avoided somehow?

About -installSCSCA: There was a UI, though. I was running it in sway, with xwayland. Maybe root doesn't have access to a user's wayland or X session.

❗Possible breaking change introduced in commit 851734d. The PKCS #11 module Atostek-ID-PKCS11.so was moved from /usr/lib/ to /usr/lib/pkcs11/, because the latter is the proper directory in Arch Linux for PKCS #11 modules. If you have configured any program with absolute paths, e.g. /usr/lib/Atostek-ID-PKCS11.so, please reconfigure accordingly.

@neonmoe, Thanks for the heads up.

I have created another AUR package (libqpdf29) that provides an older version (29) of the QPDF library that is compatible with atostekid. The package contains only the library /usr/lib/libqpdf.so.29{,.10.1} and license files. In other words, it can coexist with the current system qpdf package.

I'm getting the following error since the latest update to the qpdf package:

atostekid: error while loading shared libraries: libqpdf.so.29: cannot open shared object file: No such file or directory

Downgrading from qpdf-12.0.0-1 to qpdf-11.10.1-1 made atostekid work again. Rebuilding this package didn't seem to fix the issue. Since this is a .deb, and not built from source, maybe this needs an upstream update to fix?

In any case, the qpdf version requirement could be specified in this package's dependencies, so it'd be a bit easier to see what should be downgraded to which version to make this work.

@ewtoombs thank you for the bug report.

That issue seems to occur when installing via a non-GUI session. atostekid appears to require a GUI session even for the -installSCSCA option, which extracts the Signature Creation Service (SCS) certificate. I added error handling for that case.

The actual software seems to work fine on firefox after I add /usr/lib/Atostek-ID-PKCS11.so as a Security Device. Maybe this should also be in the post-install information.

That is a good idea. But as there are also other browsers, I'm afraid it would become a huge info dump :) Maybe this package would benefit from a page in the Arch Wiki.

It would also be nice to make /usr/lib/Atostek-ID-PKCS11.so available as a Security Device to Firefox and other browsers directly via the install script. And to do it such a way that it would be available to all users. I am not sure what would be the best way achieve that though. The official Debian package of atostekid has install scripts that do some unorthodox things. For example, they scan the home directory of the user who installs the package for all browsers and profiles and then modifies those settings. That is a bit concerning. Installing a system package should not touch a user's home directory. I avoided such behaviour in this AUR package even though it is what the upstream does.

I got a bunch of errors from the install script:

(1/2) installing atostekid                                                                                                               [###################################################################################] 100%
==> NOTE: Extracting certificate
Authorization required, but no authorization protocol specified

qt.qpa.xcb: could not connect to display :0
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: offscreen, minimal, linuxfb, xcb, minimalegl, vnc, eglfs, vkkhrdisplay.

/tmp/alpm_J6LZuu/.INSTALL: line 20:  5817 Aborted                 (core dumped) atostekid -installSCSCA
install: cannot stat '/tmp/tmp.UCofPRtI6z/.local/share/Atostek Oy/Atostek ID/scsca.cer': No such file or directory
==> NOTE: Trusting Atostek ID Local SCS CA
p11-kit: couldn't open and map file: /etc/atostekid/scsca.cer: Unknown error 2
p11-kit: failed to parse file: /etc/atostekid/scsca.cer
==> WARN: atostekid requires that the PC/SC Smart Card Daemon systemd service (pcscd.service) is running. Please ensure it is running before launching atostekid.
Optional dependencies for atostekid
    gnome-shell-extension-appindicator: System tray indicator extension for GNOME desktop
    libappindicator-gtk3: System tray support for desktop environments

The actual software seems to work fine on firefox after I add /usr/lib/Atostek-ID-PKCS11.so as a Security Device. Maybe this should also be in the post-install information.