Ordering Estonian ID on Linux!

I’m an Estonian passport holder who hasn’t lived in Estonia for a long time. I don’t get to interact with Estonian government services much, even though I kind of miss the simplicity of that interaction. I have never in my life had to run around different Estonian government buildings to get things resolved. Things are always resolved digitally from the comfort of my home.

This is something you don’t appreciate until you travel around and see how far ahead Estonia is in its digitization, even compared to richer countries like the Netherlands. And don’t get me started on countries like Thailand, where there’s an entire service industry that helps you deal with the annoyances of government-required paperwork—it’s a lucrative business for a reason.

But let’s get back to Estonia and the main reason I’m writing this blog post. I have to change my passport and ID every 5 years—it’s possible to do digitally, but only if one manages to securely identify themselves.

In my case, the only option is the ID card. This requires a special device to read the smart card. As a long-time Linux user, I often scratch my head figuring out how to make such devices work, since Linux support is rarely advertised and the documentation has zero information related to Linux.

But I wanted to request a new ID card online and avoid wasting two days traveling to The Hague (one to request a new document and one to actually receive it).

So, how do you read an Estonian ID card on a Manjaro-powered Linux machine? The id.ee website offers a basic manual on how to proceed. They claim to support Linux, but most of their guides are focused on Debian-based distros (primarily Ubuntu), and I found that some steps are missing.

Getting a smart card reader to work

I don’t know much about smart card readers and the differences between them. Most readers I’ve used worked just fine on all Linux machines, even if they don’t market their Linux support.

After a quick search on Amazon, I ordered a Lindy USB 2.0 Smart Card Reader. Linux support is not advertised, but I was pretty sure it would work (or else I’d just return it).

Once I plugged it in, the lights came on, which was a good sign. The DigiDoc4 client is used to read data from ID cards. This package is available through Flatpak on most Linux distributions.

But once I opened the DigiDoc client, I was met with a surprising error.

“The PCSC service, required for using the ID-card, is not working”

The “Issues with the ID-card reader” page gave me a useful tip: I just need to enable the pcscd service via systemctl.

sudo systemctl enable pcscd.socket
sudo systemctl start pcscd.socket

Now the error was gone, but DigiDoc couldn’t identify my card reader and showed another interesting error.

“No card readers found”

The smart card reader was definitely there—it was blinking with red/blue lights, and the lsusb command actually showed the device in the list.

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 001 Device 003: ID 0489:e0d8 Foxconn / Hon Hai Bluetooth 5.2 Adapter [MediaTek MT7922]
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 13d3:5293 IMC Networks Integrated Camera
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 008: ID 0bda:0165 Realtek Semiconductor Corp. Smart Card Reader Interface
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

It turned out I was missing some packages that would allow the DigiDoc client to find and use the smart card reader.

sudo pacman -S ccid opensc libp11 engine_pkcs11

At this point, restart the DigiDoc4 client, and personal data should show up (I’m not adding any screenshots here, as it’s private). This ensures that the card reader is operational and the ID card is not damaged and can be used.
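The two DigiDoc4 errors in this section point at different layers: the first at pcscd not running, the second at a reader that is visible on the USB bus but that pcscd cannot drive (here it went away after installing ccid and the related packages). The script below is an added example, not part of the original post or the id.ee manual, that checks those layers in order; the function names and the driver bundle path /usr/lib/pcsc/drivers/ifd-ccid.bundle are assumptions.

```shell
#!/bin/sh
# Added example: map the two DigiDoc4 errors to concrete checks.

# Print "vendor:product" for every USB device that exposes a CCID interface
# (bInterfaceClass 0b = smart card). $1 = sysfs USB dir, default the real one.
ccid_devices() {
    root=${1:-/sys/bus/usb/devices}
    for cls in "$root"/*:*/bInterfaceClass; do
        [ -r "$cls" ] || continue
        [ "$(cat "$cls")" = "0b" ] || continue
        iface=${cls%/bInterfaceClass}   # interface entry, e.g. .../7-1:1.0
        dev=${iface%:*}                 # owning device,   e.g. .../7-1
        [ -r "$dev/idVendor" ] || continue
        echo "$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
    done | sort -u
}

# $1 = pcscd.socket state, $2 = CCID driver bundle path (assumed location),
# $3 = sysfs USB dir. Echoes a one-word verdict for the first failing layer.
diagnose() {
    state=$1 bundle=$2 readers=$(ccid_devices "$3")
    if [ -z "$readers" ]; then echo no-usb-reader            # nothing plugged in
    elif [ "$state" != active ]; then echo pcscd-not-running # "PCSC service" error
    elif [ ! -e "$bundle" ]; then echo ccid-driver-missing   # "No card readers found"
    else echo ok; fi
}

# Run against this machine; a missing systemctl counts as "not active".
state=$(systemctl is-active pcscd.socket 2>/dev/null || true)
echo "CCID devices: $(ccid_devices | tr '\n' ' ')"
echo "verdict: $(diagnose "$state" /usr/lib/pcsc/drivers/ifd-ccid.bundle /sys/bus/usb/devices)"
```

A YubiKey with CCID enabled, like the one in the lsusb output above, is listed as a CCID device too, so a non-empty list does not by itself mean the ID-card reader was found.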

But the goal here is to sign/verify things through the browser so I can request a new document online.

Integrating the card reader with Firefox

I’m using Firefox for this example, and according to the manual from id.ee, it requires just two extensions to work:

But nothing worked. The police website told me that my software was outdated and I needed to update.

The old web authorization method for smart cards had a lot of stability issues in the past. So it turns out that now Estonian government services rely on web-eid, and it requires a native client called web-eid on the machine for authorization to work.

First, import the signing keys into GPG to ensure we’re using the correct source:

gpg --keyserver keyserver.ubuntu.com --recv-keys 1282B0F8809D0DC632C85A3F86B611CE24492160
gpg --keyserver keyserver.ubuntu.com --recv-keys D1EBC666EFCBFBD3CFC2EBAA90C0B5E75C3B195D

Then, install the native client and the WebExtension wrapper that communicates with the browser:

pamac build web-eid-native web-eid-firefox
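The `--recv-keys` calls above fetch keys from a keyserver by full fingerprint, so it is worth confirming what actually landed in the keyring before the install step. The script below is an added example, not part of the original post: it parses `gpg --with-colons` output and checks that each pinned fingerprint belongs to a primary key that is not revoked or expired. The function names are made up, and the sample listing is constructed (only the two fingerprints come from the post).

```shell
#!/bin/sh
# Added example (not from the post): check that the keys pinned by full
# fingerprint are present and usable, from `gpg --with-colons` output.
PINNED="1282B0F8809D0DC632C85A3F86B611CE24492160
D1EBC666EFCBFBD3CFC2EBAA90C0B5E75C3B195D"

# Constructed listing: fingerprints from the post, every other field made up.
SAMPLE='pub:-:4096:1:86B611CE24492160:1500000000:::-:
fpr:::::::::1282B0F8809D0DC632C85A3F86B611CE24492160:
uid:-::::::::Constructed key <example@invalid>:
sub:-:4096:1:0000000000000001:1500000000:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:4096:1:90C0B5E75C3B195D:1500000000:::-:
fpr:::::::::D1EBC666EFCBFBD3CFC2EBAA90C0B5E75C3B195D:'

# stdin: colon listing. stdout: "<validity> <fingerprint>" per primary key.
# An fpr record after a sub record is a subkey fingerprint and is skipped.
primary_keys() {
    awk -F: '
        $1 == "pub" { validity = ($2 == "" ? "-" : $2); want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print validity, $10; want = 0 }'
}

# $1: colon listing. Prints ok / missing / unusable:<flag> per pinned key
# (r revoked, e expired, d disabled, i invalid); non-zero unless all are ok.
check_pinned() {
    keys=$(printf '%s\n' "$1" | primary_keys)
    rc=0
    for fpr in $PINNED; do
        v=$(printf '%s\n' "$keys" | sed -n "s/^\(.\) $fpr\$/\1/p")
        case $v in
            "")      echo "$fpr missing"; rc=1 ;;
            r|e|d|i) echo "$fpr unusable:$v"; rc=1 ;;
            *)       echo "$fpr ok" ;;
        esac
    done
    return $rc
}

check_pinned "$SAMPLE"
# Real keyring: check_pinned "$(gpg --with-colons --list-keys $PINNED)"
```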

The web-eid.eu page has a way to test that both signing and authorization work as expected—and it did.

Conclusion

As often happens with documentation, id.ee has slightly outdated documentation and forgot to mention a couple of crucial steps. It’s not surprising because they have to maintain documentation in three different languages—easy to forget things.

This small manual isn’t that interesting for most people around the globe, just for the million or so Estonians who have to use eGovernment services. But I’m sure I’ll be thankful for publishing this after 5 years (by the time I need to change some documents again).