Package Details: sac-core 10.7.77-2

Git Clone URL: (read-only, click to copy)
Package Base: sac-core
Description: SafeNet Authentication Client for eToken 5110/5300 & IDPrime (core package with no GUI tools)
Upstream URL:
Keywords: etoken sac safenet
Licenses: custom
Submitter: s3rj1k
Maintainer: grawity
Last Packager: grawity
Votes: 7
Popularity: 0.002769
First Submitted: 2015-08-10 09:03 (UTC)
Last Updated: 2021-01-16 17:56 (UTC)

Dependencies (2)

Required by (0)

Sources (2)

Latest Comments

ecruz1986 commented on 2021-12-15 19:21 (UTC)

Hi, thanks for maintaining this! Why are the GUI tools not included? They were useful to me on my previous Ubuntu setup. If it's not too hard, could they be included?

grawity commented on 2021-03-10 13:22 (UTC) (edited on 2021-03-10 13:23 (UTC) by grawity)

Accessing the certificate isn't the problem. Literally any program implementing PKCS#11 can access the certificate through SafeNet's PKCS#11 module, so that's probably 95% of all certificate-related programs.

The problem is in dealing with the actual documents. What document formats are you working with? What signature formats do you need? There are plenty, and saying "like in windows" really doesn't say a lot.

If you don't need any special formats and you're just signing those PDFs straight in Acrobat Reader, then I think KDE's Okular has recently gained the ability to do that. LibreOffice might work too. It looks like LO uses NSS so you'll need to load the PKCS#11 module using modutil (or through Firefox GUI). I don't know what Okular uses, but it might be p11-kit (in which case you use ~/.config/pkcs11/modules), I'll try to check it later.

For Word .docx documents (not legacy .doc), LibreOffice's XML-DSig support looks like it might work, but the last time I tried it, it wasn't entirely compatible with MS Office. I think it was more oriented towards .odt than .docx at the time.

Creating for example .asice or .bdoc files (for government documents in Europe) is a different matter.

cristi2021 commented on 2021-03-10 13:04 (UTC)

@grawity Is there a Linux free app that can access/manage the certificate on the key through this driver? I am trying to use it to sign documents like in windows (docs and pdfs). Can you share any specific example in this direction?

grawity commented on 2021-03-10 11:49 (UTC)

I can only provide support if you're using this AUR package. If you're rolling your own via debtap, well, you're on your own – there's no way I can provide support for that...

Note that the SafeNet Authentication Client only contains the drivers for your smartcard (USB token) – it does not actually include any sort of document signing application.

Whichever document signing software you use will usually have a way to specify the smartcard's PKCS#11 module (in your case it's probably /usr/lib/ It might be a setting directly in the application, or through NSS, or through p11-kit.

cristi2021 commented on 2021-03-10 10:55 (UTC)

Hi, I installed the package but do not know how to use it. Any help would be appreciated. I would like to use my USB key to sign pdfs and other .doc documents. My signature provider indicated I should use safenetauthenticationclient_10.7.77_amd64.deb. I tried to install it using debtap but it didn't work (says it's missing libssl.1.0.0, libssl.1.0.2 and lsb-base). I tried to circumvent lsb-base with ld-lsb, also it seems I have libssl.1.0.0 installed and I do not know why it's not detecting it. I would very much appreciate it if you could offer support also for this software, or help me get it working.

s3rj1k commented on 2021-01-10 12:01 (UTC) (edited on 2021-01-10 12:02 (UTC) by s3rj1k)

@grawity you can adopt package, I no longer use eToken.

grawity commented on 2021-01-10 11:20 (UTC)

FYI, there is a newer version 10.7.77 available from

Note that 10.7 no longer supports the CardOS-based eToken, which is EOL (though the JavaCard-based eToken 72K might still work).

If you update to 10.7, then I will re-upload the 10.0.37 package as "sac-core-legacy" as I still use eToken 64K and 72K.

tdussa commented on 2020-10-15 10:10 (UTC) (edited on 2020-10-15 10:10 (UTC) by tdussa)

I have my Aladdin eToken working fine with gpgsm and Firefox and Chromium and openvpn and so on, but for some reason SSH won't play ball:

  $ ssh
  Enter PIN for 'SafeNet eToken 5110': 
  C_SignInit failed: 99
  pkcs11_get_key failed
  sign_and_send_pubkey: signing failed for RSA "SSH": error in libcrypto

I can't seem to find anything helpful on the net. Does anyone have any idea?

spidla commented on 2020-07-25 20:21 (UTC)

SSL is now working on download link.

s3rj1k commented on 2020-07-24 11:18 (UTC)

@caltlgin Added URL, thanks.

s3rj1k commented on 2020-07-24 11:14 (UTC) (edited on 2020-07-24 11:18 (UTC) by s3rj1k)

@spidla, please fix SSL or provide a link without SSL

danimac13 commented on 2020-07-23 18:03 (UTC)

curl: (60) SSL certificate problem: certificate has expired

Problem with the certificate.

spidla commented on 2020-04-20 09:25 (UTC)

Link fixed.

noraj commented on 2020-04-20 08:38 (UTC) -> dead link

Moso commented on 2020-02-23 20:11 (UTC)

Is there a way of to use this package on a Raspberry Pi 4?

osc commented on 2020-02-10 22:28 (UTC)

Hi @s3rj1k, I am unable to use the token. Any hints?

Bus 002 Device 004: ID 0529:0620 Aladdin Knowledge Systems Token JC

I have an updated system...

Moso commented on 2019-08-03 22:35 (UTC)

Hi s3rj1k!

Could you please create a "sac-full" package from this .deb file?

SafenetAuthenticationClient-10.0.37-0_amd64.deb ->

I tried but couldn't.


s3rj1k commented on 2019-08-03 11:18 (UTC)

@risto3 what bits are missing?

risto3 commented on 2019-08-02 21:08 (UTC)

seems like the IDPrime bits, needed e.g. for CertEurope cards, is skipped.. Why not install the package as intended then add the config bits needed for your eToken?

s3rj1k commented on 2019-04-17 18:48 (UTC)

Thanks everyone, updated package to newer SAC

viniciusfazio commented on 2019-04-17 03:37 (UTC)

Hello! I noticed that the link for SAC is broken. Here is an working link (although it is a zip many files inside):

Just extract it and copy Installation/Core/DEB/SafenetAuthenticationClient-core-9.1.7-0_amd64.deb to the git folder.

Then change the following line in PKGBUILD (just remove http://packages...): source_x86_64=('SafenetAuthenticationClient-core-9.1.7-0_amd64.deb')

Finally, just makepkg -si

spidla commented on 2019-04-16 11:23 (UTC)

Hello there, I have updated this package to adopt a new version of DEB.

Using x64 version 10.0.37 of SAC Core.

New PKGBUILD is here:

grawity commented on 2019-01-28 18:25 (UTC) (edited on 2019-01-28 18:26 (UTC) by grawity)

There is a 10.0.32 deb at:

Release notes primarily mention added eToken 5110 FIPS or IDPrime MD 830/840 token support.

grawity commented on 2018-05-08 09:54 (UTC) (edited on 2018-05-08 10:07 (UTC) by grawity)

Yes, now it lists the token in slot and I'm able to list certificates and sign stuff via PKCS#11.

s3rj1k commented on 2018-05-08 09:37 (UTC)


added back, can you try again with 64k etoken?

grawity commented on 2018-05-08 08:49 (UTC)

So apparently the difference is that 72k is based on JavaCard, but 64k runs Siemens CardOS...

I've obtained an eToken 64k, will see what's missing. Initial test shows that is trying to load /usr/lib/ after peeking at the card.

rafaelff commented on 2018-04-23 20:41 (UTC)

Not all eToken seems work on linux. My token, for example, wasn't recognized by SAC core nor full. (my specs:

grawity commented on 2018-04-23 20:31 (UTC)

@Serus I just tried with my eToken 72K – both VeraCrypt and pkcs11-tool work perfectly fine as long as pcscd.service is running (which is the service providing smartcard access, anyway).

@s3rj1k None of those programs you just listed use p11-kit? Earlier you were talking about p11-kit list-modules.

s3rj1k commented on 2018-04-23 19:56 (UTC)

@grawity perfectly working with firefox, chrome via nss-tools and openssh via ssh-agent

grawity commented on 2018-04-23 12:31 (UTC)

@s3rj1k I'm very curious which of the existing modules recognizes the etoken, then

s3rj1k commented on 2018-04-23 11:39 (UTC)

@Serus maybe you need sac daemon to be loaded?

/usr/bin/SACSrv in original debian package

s3rj1k commented on 2018-04-23 11:37 (UTC)

@grawity PKCS#11 tools (browser integration and ssh-agent) work perfectly without p11-kit integration.

Even without integration i can see etoken using

p11-kit list-modules

I do not see any need for p11-kit config file for etoken.

grawity commented on 2018-04-23 07:57 (UTC)

@Serus: Do you have pcscd.service running?

(also @s3rj1k etoken does work with all open-source PKCS#11 tools I've tried; what would be the point of sac-core otherwise?)

Serus commented on 2018-04-23 07:45 (UTC)

I'm not exactly sure, but veracrypt doesn't want to work with my Aladdin eToken Pro 32K 4.2B when the daemon is not running. Same goes for opensc, it shows no available slots.

grawity commented on 2018-04-11 18:26 (UTC)

@Serus Exactly what functionality does the daemon provide?

s3rj1k commented on 2018-04-11 18:09 (UTC)

@Serus what do you mean by 2016 version?

currently package uses latest available version from Safenet (9.1.7)

Serus commented on 2018-04-11 07:54 (UTC)

Please restore to the 2016 version, I need the etoken service for it to work with veracrypt.

s3rj1k commented on 2018-01-26 10:55 (UTC)

@grawity, removed explicit calls in post_install and pre_install hooks, replaced with message.

no point in p11-kit integration as etoken never worked correctly with open source PCKS11 tools.

grawity commented on 2018-01-26 05:29 (UTC)

There is no need to run ldconfig (especially not before the transaction) – pacman does it by itself.

Starting services in post_install also seems unnecessary and in general goes against Arch's packaging policy; it would be better to show a message instead.

(As for wanting the package to "just work", I'd instead argue for bringing back the p11-kit integration...)

GI_Jack commented on 2017-04-20 16:00 (UTC)

@s3rj1k Let me be more specific, where is the full package? Giving the file name doesn't help much.

s3rj1k commented on 2017-04-20 14:16 (UTC)

@GI_Jack As package name implies this is core only package, full version can be found by this name SafenetAuthenticationClient-9.0.43-0_amd64.deb

GI_Jack commented on 2017-04-19 20:51 (UTC)

@s3rj1k Cannot seem to find it, where is the full package with management and everything. inquiring minds want to know

s3rj1k commented on 2016-02-11 05:39 (UTC)

Fixed typo in license, tnx @josephgbr This package provides bare minimum software deps for eToken authentication. You can try to add etoken pkcs so file to you browser cert manager to see if it works or you cat do it with ssh, but currently you will have to install patched version of openssh, support for etoken is broken in upstream, should be fixes in next major release.

rafaelff commented on 2016-02-06 02:13 (UTC) (edited on 2016-02-06 02:13 (UTC) by rafaelff)

Thanks for this package. Saved me some time. First, a typo in PKGBUILD: license should be an array, but currently it is not - just add parentheses. Next, how it works? I build, installed, etoken.service started, but my aladdin etoken pro 64k didn't light up. What did I miss?

s3rj1k commented on 2016-01-18 10:32 (UTC)

Update PKGBUILD with some suggestions from @grawity - added to p11-kit - now using sources_i686=(…), sources_x86_64=(…) 3) are there management tools, or just the PKCS#11 module? This is core package, no management utils. For management utils you need to use full packege witch bring QT based GUI utils for configuration. 2) is it really safe for the udev rules to change device permissions to 0777? shouldn't they use TAG+="uaccess" or at least groups? This was setup by upstream package, leaving it as it is.

grawity commented on 2015-10-14 06:07 (UTC) (edited on 2015-10-14 06:10 (UTC) by grawity)

1) this should probably include a p11-kit config file: ln -s ../ "$pkgdir/usr/lib/pkcs11/" echo "module:" > "$pkgdir/usr/share/p11-kit/modules/safenet-etoken.module" (test using `p11-kit list-modules`) 2) is it really safe for the udev rules to change device permissions to 0777? shouldn't they use TAG+="uaccess" or at least groups? 3) are there management tools, or just the PKCS#11 module? 4) sources_i686=(…), sources_x86_64=(…)