Can not sign with package qdigidoc and eID card (#334397)
I can reproduce. The "Signing" animation is shown for a while, and then an error too: The error message mentions This hostname does not even have a DNS record. I spotted open-eid/libdigidocpp@2b5db85#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20aR25 changing the "Default TSA URL". I found this URL in my qdigidoc settings too: Changing it to the new URL unfortunately also didn't help, as it doesn't like the Digicert certificate. Maybe unrelated, maybe not - I also see a This looks like an issue in the application itself / some config shipped somewhere, but nothing NixOS-specific. I propose opening an issue upstream in qdigidoc, maybe linking to here for context.
I tried manually bumping
Opened an issue upstream: open-eid/DigiDoc4-Client#1281
@getreu I got a link to open-eid/DigiDoc4-Client#1276, mentioning a workaround. However, it looks like the libdigidocpp changes linked there are not a sufficient fix, so I cannot patch this in nixpkgs, and for now it requires each user to manually set that address and import certificates.
As I understand, Update OpenSSL 3.0.14 by metsma · Pull Request #597 · open-eid/libdigidocpp now fixes this issue with the related commit: Uppdate OpenSSL 3.0.14 (#597) · open-eid/libdigidocpp@2b5db85.
Unless I'm missing something, open-eid/libdigidocpp@2b5db85#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20aR25 is the only relevant change for us from this commit (which sets the The patch doesn't apply, but IIRC I tried setting this manually via I can try again tomorrow or so, re-rolling that patch and trying to sign again with a fresh profile.
Yes, absolutely, if there's a patch we can apply to fix this for nixpkgs users, at least when starting with empty state, I'd like to do it.
I did apply the TSA_URL change in PR is up at #345532, please test and report back there.
This applies the same change as in open-eid/libdigidocpp@2b5db85, updating the default TSA URL to the new default. Fixes #334397 (cherry picked from commit f031a75)
I installed the patched version and still get an error when signing:
Did you reset your settings to the defaults / wipe application state?
I deleted the
And this is a
You're using I confirmed I also cannot sign with this, but I am able to by using one built straight from nixpkgs:
That's
I followed your instructions above in your comment. Same error, but maybe this helps:
My config:

```nix
packages = with pkgs; [
  qdigidoc     # Digidoc
  web-eid-app  # Signing in browser
  p11-kit      # Signing in browser
  opensc       # Signing in browser
  ...
]
# Digidoc
services.pcscd.enable = true;
# Authentication
environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
  module: ${pkgs.opensc}/lib/opensc-pkcs11.so
'';
```
Do you have some funny MITM proxy between your connection with Even though I cannot reproduce your store path (and still don't know which nixpkgs revision you're on) it suggests presto8@6fe31b5 is applied. At least if the config is indeed cleared / reset to defaults.
I compiled
No proxy. In Firefox I can reach
Check the location of the
The symlink points to
Can you check out this PR? #350685 It bumps libdigidoc and qdigidoc to their latest versions.
Deleted my config in Please find attached all versions and the hashes of the dependencies in the diagnostics log:
I really don't understand what's going on here, but it looks like it's either something with your network connection or the configuration of which certificate roots you trust. Or maybe an incompatible combination of library versions? We could at least rule out the library combination bits, can you
The path is right. It opens Digidoc 4. Still the same error: "Failed to create SSL connection..." See screenshot above.
Note: "TSL eu-lotl.xml signature is invalid" and "Loaded 0 certificates into TSL certificate store." |
Fwiw, I can sign with ID card now: see open-eid/DigiDoc4-Client#1281 (comment). But I am still not able to sign with Smart-ID.
Smart-ID is tracked in #307927, let's keep this issue on topic.
@hellwolf Could you elaborate a bit?
@hellwolf: It works! Thank you a lot!
@flokli Does the certificate (step 1) live in your package? Could you add it?
I don't know if/where qdigidoc pins this certificate, and why this keeps failing. Users on other distros clearly don't need to manually do this config change every time, so it'd be good to understand what goes wrong in our case and how to get it to work without manual user intervention.
I am not sure what it is for, but I found this patch used by the rpm packaged by Fedora: https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch
Yeah, they also just vendor in the XML file essentially. Maybe we can get a stable permalink from there, so we can avoid vendoring it in nixpkgs, but I'd also assume it'd compress sufficiently and changes rarely. Let's see if it fixes the issues.
Yes, I think so also. Besides, shipping Digidoc with default well-known certificates, as e.g. Fedora does (see @hellwolf), is far more secure than letting Digidoc download them at runtime.
Fedora had to embed it because the build system doesn't check the hash of the cert downloaded (during build). The way we package in nixpkgs doesn't require that patch, since there are hash checks.
I also think the certificate rolling has a one-month period; so I guess it makes packaging this package a bit more time-sensitive than otherwise during Oct/Nov.
These are what's used to regularly push new certificate fingerprints to clients, so we need to keep the original URL configured. Use the same approach as fedora, ship an "initial" TSL as a patch, and also patch out the downloading part during the build phase. This seems to reliably get ID Card and SmartID signing to work again. Fixes NixOS#334397. Fixes NixOS#307927.
I checked for the XML file on archive.org. It does regularly get updated, so we'd need to periodically keep these files refreshed, as Fedora does. I tried updating our packaging to do the same thing as Fedora, and after a lot of back and forth ended up going with the same patch as them. PR at #357428, PTAL.
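Vendoring an "initial" eu-lotl.xml, as the Fedora patch and the nixpkgs fix discussed above do, means the pinned snapshot has to be re-pinned before the list's own NextUpdate passes. The script below is an added example, not code from nixpkgs, qdigidoc, libdigidocpp or Fedora: it reads the ETSI TS 119 612 scheme metadata (TSLSequenceNumber, ListIssueDateTime, NextUpdate) from a TSL file, compares the file against a pinned SHA-256 of the kind a fixed-output fetch records, and reports whether the snapshot is stale. The XML it ships with is a constructed, trimmed stand-in for the real list. Caveat: it does not verify the XMLDSig signature on the list; libdigidocpp checks that at runtime against the "TSL signing certs" shown in the diagnostics, so a hash match here says the file is the one you pinned, not that it is authentic.

```python
"""Staleness/integrity check for a pinned TSL (trusted list) XML snapshot.

Added example; not code from nixpkgs, qdigidoc, libdigidocpp or Fedora.
It parses ETSI TS 119 612 SchemeInformation, compares the file against a
pinned SHA-256 and reports whether NextUpdate has passed. It does NOT
verify the ds:Signature on the list.
"""
import hashlib
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Namespace used by ETSI TS 119 612 trusted lists, including the EU LOTL.
TSL_NS = {"tsl": "http://uri.etsi.org/02231/v2#"}

# Constructed stand-in for eu-lotl.xml: only the SchemeInformation fields
# this check needs (a real LOTL is far larger and carries a ds:Signature).
SAMPLE_TSL = b"""<?xml version="1.0" encoding="UTF-8"?>
<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
  <tsl:SchemeInformation>
    <tsl:TSLVersionIdentifier>5</tsl:TSLVersionIdentifier>
    <tsl:TSLSequenceNumber>343</tsl:TSLSequenceNumber>
    <tsl:ListIssueDateTime>2024-09-24T10:00:00Z</tsl:ListIssueDateTime>
    <tsl:NextUpdate>
      <tsl:dateTime>2025-03-24T10:00:00Z</tsl:dateTime>
    </tsl:NextUpdate>
  </tsl:SchemeInformation>
</tsl:TrustServiceStatusList>
"""

# The hash a packager records next to the fetch. Computed here from the
# constructed sample; for a real snapshot it comes from the fetch metadata.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TSL).hexdigest()


@dataclass
class TslInfo:
    sequence_number: int
    issued: datetime
    next_update: datetime
    sha256: str


def _parse_utc(text: Optional[str]) -> datetime:
    """Parse an xsd:dateTime such as 2024-09-24T10:00:00Z into aware UTC."""
    if not text:
        raise ValueError("missing dateTime in TSL SchemeInformation")
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_tsl(data: bytes) -> TslInfo:
    """Extract sequence number, issue date, NextUpdate and SHA-256 of a TSL."""
    root = ET.fromstring(data)
    info = root.find("tsl:SchemeInformation", TSL_NS)
    if info is None:
        raise ValueError("not an ETSI TS 119 612 list: no SchemeInformation")
    seq_text = info.findtext("tsl:TSLSequenceNumber", namespaces=TSL_NS)
    if seq_text is None:
        raise ValueError("missing TSLSequenceNumber")
    return TslInfo(
        sequence_number=int(seq_text),
        issued=_parse_utc(info.findtext("tsl:ListIssueDateTime", namespaces=TSL_NS)),
        next_update=_parse_utc(info.findtext("tsl:NextUpdate/tsl:dateTime", namespaces=TSL_NS)),
        sha256=hashlib.sha256(data).hexdigest(),
    )


def check_pinned_tsl(data: bytes, pinned_sha256: str,
                     now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Return (ok, reasons); ok is False on a hash mismatch or a passed NextUpdate."""
    now = now or datetime.now(timezone.utc)
    info = parse_tsl(data)
    reasons: List[str] = []
    if info.sha256 != pinned_sha256.lower():
        reasons.append(f"sha256 mismatch: file {info.sha256}, pinned {pinned_sha256}")
    if now >= info.next_update:
        reasons.append(
            f"stale: NextUpdate {info.next_update.isoformat()} has passed "
            f"(sequence {info.sequence_number}); re-pin a newer list"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python tsl_check.py [path-to-eu-lotl.xml] [pinned-sha256]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TSL
    pinned = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SHA256
    ok, reasons = check_pinned_tsl(data, pinned)
    print("OK" if ok else "\n".join(reasons))
    sys.exit(0 if ok else 1)
```

Run it against the vendored file and the hash from the package's fetch; a non-zero exit during a periodic CI job is the signal to refresh the snapshot, which is the "keep these files refreshed" chore the thread describes.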
Hello, please find below a bug report about the Nix package qdigidoc:
Description
I cannot sign any more since the 24.5 update.
Error message

```text
Failed to sign container. Please check the access to signing services and network settings.
ASiC_E.cpp:371 Failed to sign container.
Connect.cpp:95 Failed to connect to host: 'dd-at.ria.ee:80'
DECODER routines:0 error:1E08010C:DECODER routines::unsupported
BIO routines:0 error:10080002:BIO routines::system lib
```
Additional tests
I also checked if I am able to authenticate with https://web-eid.eu/. Both authentication and signing work there.
Diagnostic output
For completeness, here is my diagnostics output:

```text
Locale: English / en_US.UTF-8
Application version: 4.5.1.0 (64 bit)
OS: NixOS 24.05 (Uakari) (x86_64/x86_64)
CPU: AMD Ryzen 5 PRO 4650U with Radeon Graphics
Kernel: Linux 6.6.44 #1-NixOS SMP PREEMPT_DYNAMIC Sat Aug 3 06:54:42 UTC 2024 x86_64
Libraries:
QT (5.15.14)
OpenSSL build (OpenSSL 3.0.14 4 Jun 2024)
OpenSSL current (OpenSSL 3.0.14 4 Jun 2024)
Arguments: qdigidoc4
Library paths: /run/wrappers/lib/qt-5.15.14/plugins;/home/getreu/.local/share/flatpak/exports/lib/qt-5.15.14/plugins;/var/lib/flatpak/exports/lib/qt-5.15.14/plugins;/home/getreu/.nix-profile/lib/qt-5.15.14/plugins;/nix/profile/lib/qt-5.15.14/plugins;/home/getreu/.local/state/nix/profile/lib/qt-5.15.14/plugins;/etc/profiles/per-user/getreu/lib/qt-5.15.14/plugins;/nix/var/nix/profiles/default/lib/qt-5.15.14/plugins;/run/current-system/sw/lib/qt-5.15.14/plugins;/nix/store/h8m7pcd6d20jsx7hn81rsgkq0h884893-qtwayland-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/vc9wklk5w3cskkymp52g7js83my4d9ch-qttools-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/plix80gx31963j2qpsws7rid1gfr6cyn-qtdeclarative-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h32d5q8ngcy68nddbw5vja3r316s20p3-qtsvg-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/fbddznz5ln765jbl2i2mfnf8h7rkkmd9-qtbase-5.15.14-bin/lib/qt-5.15.14/plugins;/nix/store/h4li58h9pni11wigz8xldad9kgzc0q3c-qdigidoc-4.5.1/bin
URLs:
CONFIG_URL: https://id.eesti.ee/config.json
SID-PROXY-URL: https://dd-sid.ria.ee/v1
SIDV2-PROXY-URL: https://dd-sid.ria.ee/v1
SID-SK-URL: https://dd-sid.ria.ee/v1
SIDV2-SK-URL: https://dd-sid.ria.ee/v1
MID-PROXY-URL: https://dd-mid.ria.ee/mid-api
MID-SK-URL: https://dd-mid.ria.ee/mid-api
RPUUID: is set by default
TSL_URL: https://ec.europa.eu/tools/lotl/eu-lotl.xml
TSA_URL: http://dd-at.ria.ee/tsa
SIVA_URL: https://siva.eesti.ee/V3/validate
CDOC2:
CDOC2-DEFAULT: false
CDOC2-USE-KEYSERVER: true
CDOC2-DEFAULT-KEYSERVER: ria-test
TSL signing certs:
Patrick Kremer (Signature)
European Commission
European Commission
JEROEN ARNOLD L RATHE
APOSTOLOS APLADAS
CONSTANTIN-ADRIAN CROITORU
TSL cache:
EE.xml (65)
eu-lotl-pivot-335.xml (335)
eu-lotl-pivot-341.xml (341)
eu-lotl.xml (343)
g0xdp6w34ric1mdh8g7r0v8h85idkcg1-eu-lotl-pivot-300.xml (300)
Central Configuration:
```