Package Details: nhiicc 1:20240710.1-2

Git Clone URL: https://aur.archlinux.org/nhiicc.git
Package Base: nhiicc
Description: Taiwan National Health Insurance card online registration certificate component (National Health Insurance IC Card)
Upstream URL: https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm
Licenses: custom
Submitter: None
Maintainer: yan12125 (louiswpf)
Last Packager: yan12125
Votes: 5
Popularity: 0.000000
First Submitted: 2020-03-19 03:58 (UTC)
Last Updated: 2024-08-23 10:44 (UTC)

Dependencies (5)

Required by (0)

Sources (4)

Latest Comments


yan12125 commented on 2022-06-15 12:53 (UTC)

Sorry for the delay. I finally found time to review the changes. I made two changes on top of your version:

  • Keep -t for install as it makes commands shorter
  • Move the comment about hard-coding to the correct place instead of removing it

> Coincidentally, it is updated today.

Nice! I have a script for version checking at https://gitlab.com/yan12125/aur/-/blob/master/scripts/check-packages.py. I will improve it to use checksums instead of filenames for nhiicc.

louiswpf commented on 2022-06-09 15:54 (UTC) (edited on 2022-06-09 15:57 (UTC) by louiswpf)

That is indeed concerning. I should have got in touch with NHI in the first place.

I checked https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm again and found out the checksum is now updated to "af4c8e12bdadef7e6ab2b9b1dabb21d4".

Coincidentally, it is updated today.

$ curl -s -I https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm | grep Last-Modified
Last-Modified: Thu, 09 Jun 2022 03:01:35 GMT

yan12125 commented on 2022-06-09 13:09 (UTC)

Thanks for the cleanups. Most of them look good. For the new version, I have a concern: checksums on https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm are still old ones, and I cannot find a source for new checksums. Would you mind getting in touch with NHI for clarification?

louiswpf commented on 2022-06-07 17:25 (UTC)

Hi, I've done some cleanups and updated the package to 20220530. Please take a look and consider merging my changes. Thank you.

https://github.com/louiswpf/nhiicc

yan12125 commented on 2022-02-16 11:28 (UTC)

> By the way, upstream [1] released new one "20220110" [2] :)
>
> But!!! It is not gzip, it is XZ:

Seems not an issue for makepkg :)

> You are right! Restarting the browser / System reboot helps!

Thanks for confirmation! I added a post-installation note.

starnight commented on 2022-02-14 12:09 (UTC)

You are right! Restarting the browser / System reboot helps!

yan12125 commented on 2022-02-13 17:05 (UTC)

Hmm, did you restart the browser after installing this package? I remember I need to do that for Firefox to load the newly generated certificate.

starnight commented on 2022-02-13 14:47 (UTC) (edited on 2022-02-13 14:48 (UTC) by starnight)

By the way, upstream [1] released new one "20220110" [2] :)

But!!! It is not gzip, it is XZ:

$ file mLNHIICC_Setup.20220110.tar.gz 
mLNHIICC_Setup.20220110.tar.gz: XZ compressed data, checksum CRC64

[1] https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm

[2] https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mLNHIICC_Setup.20220110.tar.gz
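
An added example (not from this page or from the maintainer's check-packages.py script) of the two checks discussed in the comments above: spotting a changed upstream release by checksum rather than by filename, and identifying the archive format from its content rather than from its `.tar.gz` suffix. The function names and the sample archive are constructed for illustration, and the 32-hex-character value on the upstream page is assumed to be an MD5 digest.

```python
import hashlib
import io
import lzma
import tarfile

# Leading magic bytes of common tarball compression formats.
MAGIC = {b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz", b"BZh": "bzip2"}
# Compression format that each filename suffix claims.
SUFFIX = {".tar.gz": "gzip", ".tgz": "gzip", ".tar.xz": "xz", ".tar.bz2": "bzip2"}

def sniff(data: bytes) -> str:
    """Identify the compression format from content, ignoring the filename."""
    return next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")

def check_source(filename: str, data: bytes, published_md5: str, pinned_md5: str) -> dict:
    """Compare a download with the published checksum and the packaged one."""
    actual = hashlib.md5(data).hexdigest()
    claimed = next((f for s, f in SUFFIX.items() if filename.endswith(s)), "unknown")
    return {
        "format": sniff(data),
        "suffix_matches_content": claimed == sniff(data),
        "md5": actual,
        # The download agrees with the value listed on the upstream page.
        "matches_published": actual == published_md5.strip().lower(),
        # Content differs from the packaged release, whatever the filename says.
        "changed_since_pinned": actual != pinned_md5.strip().lower(),
        # Stronger digest to pin in the package once the download is accepted.
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def make_sample() -> bytes:
    """Constructed sample: a one-file tar, XZ-compressed (not upstream's file)."""
    payload = b"#!/bin/sh\necho constructed sample\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("Install")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return lzma.compress(buf.getvalue(), format=lzma.FORMAT_XZ)

if __name__ == "__main__":
    sample = make_sample()
    # Stands in for the checksum listed on the upstream page.
    published = hashlib.md5(sample).hexdigest()
    print(check_source("sample_Setup.tar.gz", sample, published, "0" * 32))
```
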

starnight commented on 2022-02-13 14:45 (UTC)

Thanks for the update!

Yep! The certificate trust is a security problem, and generating a new root key/cert locally is needed.

However, update-ca-trust is not enough. The browser cannot access the test web page [1] successfully until I browse to https://localhost:7777/ (the nhiicc web server) and manually force-trust the certificate.

The certutil commands in the Install script from upstream are needed for the browsers, like Chromium and Mozilla Firefox.

Now, I think the problem is that the self-signed certificate is not trusted by normal browsers, rather than the secured web server failing to run.

But force-trusting the self-signed certificate when browsing https://localhost:7777 is a workaround anyway.

[1] https://cloudicweb.nhi.gov.tw/cloudic/system/webtesting/SampleY.aspx

yan12125 commented on 2022-02-08 16:29 (UTC)

Hi, thanks for the patch. Instead of trusting ca.crt from upstream, I regenerate certificates upon installation like the upstream script does as there are two issues with ca.crt:

  • It has expired
  • It comes with the private key. That means everyone can issue certificates signed by ca.crt for whatever websites, which results in man-in-the-middle attacks.

Please check if the latest changes fix your issue, thanks!