{"id":19738939,"url":"https://github.com/fpopic/linux-egradjani","last_synced_at":"2025-06-29T09:02:52.712Z","repository":{"id":71942394,"uuid":"367015858","full_name":"fpopic/linux-egradjani","owner":"fpopic","description":"Steps on how to set up the Croatian e-Građani app for identification (Firefox/Chrome) and signing documents (LibreOffice) on Linux (Ubuntu).","archived":false,"fork":false,"pushed_at":"2024-05-09T13:33:01.000Z","size":23856,"stargazers_count":37,"open_issues_count":4,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-29T09:02:35.926Z","etag":null,"topics":["certificates","chrome","e-gov","e-gradani","e-gradjani","egradjani","eoi","firefox","identification","libreoffice","linux","nss-db","sign-documents","signature"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fpopic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-13T10:37:54.000Z","updated_at":"2025-06-13T16:31:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"691cbe52-1335-4c9a-a05e-924820e8fa1f","html_url":"https://github.com/fpopic/linux-egradjani","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fpopic/linux-egradjani","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fpopic%2Flinux-egradjani","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fpopic%2Flinux-egradjani/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fpopic%2Flinux-egradjani/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fpopic%2Flinux-egradjani/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fpopic","download_url":"https://codeload.github.com/fpopic/linux-egradjani/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fpopic%2Flinux-egradjani/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262566830,"owners_count":23329680,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","chrome","e-gov","e-gradani","e-gradjani","egradjani","eoi","firefox","identification","libreoffice","linux","nss-db","sign-documents","signature"],"created_at":"2024-11-12T01:15:46.653Z","updated_at":"2025-06-29T09:02:52.679Z","avatar_url":"https://github.com/fpopic.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# linux-egradjani\n\nSteps on how to set up the Croatian e-Građani app for identification (Chrome/Firefox) and signing documents (LibreOffice) on Linux (Ubuntu 21.04.)\n\n## Linux requirements\n\n1. Install smart-card reader tooling\n    ```bash\n    # if on Ubunt 22.04 LTS keep only `pcsc-tools` `opensc` packages and try without others\n    # in case modutil is missing install `libnss3-tools` as well  \n   sudo apt-get install -y libccid ccid pcsc-tools opensc\n    ```\n\n2. Start the service\n    ```bash\n    sudo systemctl start pcscd.service\n    sudo systemctl enable pcscd.service\n    ```\n\n## e-egradjani requirements\n\nTo use your ID certificates, you must activate your eOI, and check [eid.hr](https://eid.hr/hr/eosobna/clanci/aktiviraj-eoi) for steps.\n\nThere you should find the latest linux `.deb` package. For the previous versions check [here](https://eid.hr/hr/eosobna/clanci/ranije-verzije-middlewara).\n\n## Step-by-step\n\n1. Download `eidmiddleware` app that contains all services, certificates, etc.\n    ```bash\n    sudo dpkg -i eidmiddleware_vX.Y.Z_amd64.deb \n    ```\n\n2. Create a new local NSS db\n    ```bash\n    rm -rf $HOME/.pki/nssdb\n    mkdir -p $HOME/.pki/nssdb\n    # if on Ubunt 22.04 LTS skip this command\n    sudo chmod 777 /etc/pam_pkcs11/nssdb\n    certutil -d $HOME/.pki/nssdb -N --empty-password\n    sudo chmod 777 $HOME/.pki/nssdb/pkcs11.txt\n    ```\n\n2. Add  the named module `HR eID` to NSS module database with `PKCS #11` implementation libfile\n    ```bash\n    modutil \\\n      -dbdir sql:$HOME/.pki/nssdb \\\n      -add \"HR eID\" -libfile /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so \\\n      -mechanisms FRIENDLY \\\n      -force \n    ```\n   Flag `-mechanisms FRIENDLY` is required to work on Chromium/Chrome,\n   check [here](https://bugs.chromium.org/p/chromium/issues/detail?id=42073#c76) for details.\n\n    Alternative path for newer versions seems to be ``/usr/lib/akd/certiliamiddleware/pkcs11/libEidPkcs11.so`` so try changing path if this is not working for you.\n\n3. Check whether `HR eID` is added to NSS db\n    ```bash\n    modutil -dbdir sql:$HOME/.pki/nssdb/ -list\n    ```\n\n4. Turn on Client and Signer apps.\n\n## Identification\n\n1. Go to [gov.hr](https://gov.hr) and login with eOsobna option\n    - Chrome:\n\n         \u003cimg src=\"img/chrome-popup1.png\" alt=\"drawing\" width=\"500\"/\u003e\n\n         \u003cimg src=\"img/chrome-popup2.png\" alt=\"drawing\" width=\"500\"/\u003e\n\n    - Firefox:\n\n         \u003cimg src=\"img/firefox-popup.png\" alt=\"drawing\" width=\"500\"/\u003e\n\n## Signing documents\n\nTo sign documents using `LibreOffice` go to\n\n```\nLibreOffice \u003e Tools \u003e Options \u003e Security \u003e Certificate... \u003e  Select NSS path\n```\n\nand navigate to folder `$HOME/.pki/nssdb` and press OK and restart LibreOffice. Go to\n\n```\nFile \u003e Digital Signatures \u003e Digital Signatures... \u003e Sign Document...\n```\n\nand pop-ups for Signature/Identification will appear.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"img/libreoffice-signature.png\" alt=\"drawing\" width=\"500\"/\u003e\u003c/p\u003e\n\n## Debugging\n\nInspect the content of eidmiddleware:\n```bash\n$ tree /usr/lib/akd/eidmiddleware/\n\n/usr/lib/akd/eidmiddleware/\n├── certificates\n│   ├── AKDCARoot.pem   \u003c---------------- ca root certificate\n│   └── HRIDCA.pem  \u003c---------------- ca certificate\n├── Client  \u003c---------------- identification app\n├── lib\n│   ├── libp11.so.2\n│   ├── libpkcs11.so\n│   ├── libQt5Core.so.5\n│   ├── libQt5DBus.so.5\n│   ├── libQt5Gui.so.5\n│   ├── libQt5PrintSupport.so.5\n│   ├── libQt5Widgets.so.5\n│   └── libQt5XcbQpa.so.5\n├── License.bin\n├── pkcs11\n│   ├── libEidPkcs11.so  \u003c---------------- pkcs11 driver\n│   └── libEidPkcs11.so.lic\n├── plugins\n│   ├── imageformats\n│   │   ├── libqjp2.so\n│   │   └── libqjpeg.so\n│   ├── platforms\n│   │   └── libqxcb.so\n│   └── printsupport\n│       └── libcupsprintersupport.so\n├── qt.conf\n└── Signer \u003c---------------- signer app\n```\n\nI use FER (university usb card reader) ACR38U-A1.\n\n```bash\n$ modutil -dbdir sql:$HOME/.pki/nssdb/ -list\n\nListing of PKCS #11 Modules\n-----------------------------------------------------------\n  1. NSS Internal PKCS #11 Module\n\t   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.49\n\t slots: 2 slots attached\n\tstatus: loaded\n\n\t slot: NSS Internal Cryptographic Services\n\ttoken: NSS Generic Crypto Services\n\t  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203\n\n\t slot: NSS User Private Key and Certificate Services\n\ttoken: NSS Certificate DB\n\t  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203\n\n  2. HR eID\n\tlibrary name: /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so\n\t   uri: pkcs11:library-manufacturer=AKD;library-description=AKD%20eID%20Middleware%20PKCS11;library-version=1.7\n\t slots: 5 slots attached\n\tstatus: loaded\n\n\t slot: ACS ACR 38U-CCID 00 00  \u003c---------------- my usb card reader (when you plug in your ID you should see here two tokens: `AKD eID Card (Identification)` and `AKD eID Card (Signature)`)\n\ttoken: \n\t  uri: pkcs11:\n\n\t slot: Virtual Slot 2\n\ttoken: \n\t  uri: pkcs11:\n\n\t slot: Virtual Slot 3\n\ttoken: \n\t  uri: pkcs11:\n\n\t slot: Virtual Slot 4\n\ttoken: \n\t  uri: pkcs11:\n\n\t slot: Virtual Slot 5\n\ttoken: \n\t  uri: pkcs11:\n-----------------------------------------------------------\n```\n\n## Firefox supports UI to add certificates and secured devices\n\nDownload and import manually certificates to Firefox\n- `/usr/lib/akd/eidmiddleware/certificates/*`  (Firefox \u003e View Certificates \u003e Import)\n- `/usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so` (Firefox \u003e Security Devices \u003e Load)\n\n![firefox-device-manager](./img/firefox-device-manager.png)\n\n## References\n\n- https://www.eid.hr/hr\n- https://hr.comp.os.linux.narkive.com/7ObBGSco/eoi-na-ubuntu (Thanks!)\n- https://bugs.chromium.org/p/chromium/issues/detail?id=42073\n- https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffpopic%2Flinux-egradjani","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffpopic%2Flinux-egradjani","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffpopic%2Flinux-egradjani/lists"}