Bug 24131 - Estonian ID software needs updating
Summary: Estonian ID software needs updating
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://www.ria.ee/en/information-sys...
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-05 00:30 CET by Sander Lepik
Modified: 2019-01-18 23:53 CET

Description Sander Lepik 2019-01-05 00:30:45 CET
Description of problem:
The old DigiDoc3 software doesn't work anymore. I have updated needed parts of the software and have done some tests on my own system to confirm that things seem to work as they should.

Suggested advisory:
========================
DigiDoc3 cannot be used for signing documents from 1 January 2019 due to outdated software; neither will it support the new ID-card to be issued at the end of 2018 or the beginning of 2019. This update adds DigiDoc4 client and updates other related components to make the ID software work again.

References:
https://www.ria.ee/en/information-system-authority/announcements/new-id-card-software-digidoc4-available.html
========================

Updated/added packages in core/updates_testing:
========================
chrome-token-signing-1.0.8-1.mga6
libdigidocpp-3.13.8-1.mga6
lib(64)digidocpp1-3.13.8-1.mga6
qdigidoc4-4.2.0-2.mga6
qdigidoc4-nautilus-4.2.0-2.mga6
task-esteid-4.2.0-1.mga6


Source RPMs: 
chrome-token-signing-1.0.8-1.mga6.src.rpm
libdigidocpp-3.13.8-1.mga6.src.rpm
qdigidoc4-4.2.0-2.mga6.src.rpm
task-esteid-4.2.0-1.mga6.src.rpm

Comment 1 Jüri Ivask 2019-01-08 10:53:50 CET
1. In up-to-date Mageia 6 drakrpm enabled core/updates_testing repository.
2. Refreshed repositories and opened upgradeable packages.
3. Marked for upgrade packages:
- chrome-token-signing-1.0.8-1.mga6.x86_64
- lib64digidocpp1-3.13.8-1.mga6.x86_64
- lib64opensc6-0.19.0-1.mga6.x86_64
- libdigidocpp-3.13.8-1.mga6.x86_64
- opensc-0.19.0-1.mga6.x86_64
4. Searched for and marked for installation the package:
- qdigidoc4-4.2.0-2.mga6.x86_64 - that causes the removal of (previous) qdigidoc package.
5. Performed upgrade/install of marked packages.
6. Tested chrome-token-signing by logging into my internet bank account using PIN1 and made a transfer by signing it with PIN2.
7. Launched qdigidoc4, was able to load my photo after inserting PIN1, checked my ID card certificates, opened existing digitally signed documents and created and signed a new document.
8. Everything that was tested worked as expected.

CC: (none) => jyri2000

Comment 2 Herman Viaene 2019-01-11 11:16:39 CET
MGA6-32 MATE on IBM Thinkpad R50e
Installation issue:
When selecting task-esteid-4.2.0-1.mga6 in MCC it draws in qdigidoc-3.16.xxx and selecting then qdigidoc4-4.2.0-2.mga6 is refused because of incompatibility with the older version.
After installing all packages under test, but thus the older versions of qdigidoc4, I could then upgrade to qdigidoc4-4.2.0-2.mga6.x86_64 which removes the older version.
I obviously have no Estonian id card, but I made sure it does not affect reading my Belgian eid. That is OK.

CC: (none) => herman.viaene

Comment 3 Lewis Smith 2019-01-17 22:32:31 CET
@Jüri Ivask, thank you for your careful, comprehensive and well documented test.
--------------
Trying M6/64

BEFORE update,
I tried to install the pkgs cited in comment 0, but could not find
 qdigidoc4
 qdigidoc4-nautilus
However, 'task-esteid' pulled in also 'qdigidoc' & 'qdigidoc-nautilus'.
Here are the relevant pkgs installed (x = not in the c0 update list):
x ccid-1.4.24-1.mga6.x86_64
- chrome-token-signing-1.0.6-1.mga6.x86_64
x esteidcerts-3.8.0-5.mga6.noarch
x lib64digidoc2-3.10.2-2.mga6.x86_64
- lib64digidocpp1-3.13.2-1.mga6.x86_64
x lib64nautilus-gir3.0-3.24.1-1.mga6.x86_64
x lib64opensc6-0.19.0-1.mga6.x86_64
x libdigidoc-3.10.2-2.mga6.x86_64
- libdigidocpp-3.13.2-1.mga6.x86_64
x locales-et-2.22-7.mga6.x86_64
x mozilla-esteid-3.12.0-2.mga6.noarch
x nautilus-python-1.1-9.mga6.x86_64
x opensc-0.19.0-1.mga6.x86_64
x pcsc-lite-1.8.20-1.mga6.x86_64
- qdigidoc-3.13.6-1.mga6.x86_64
- qdigidoc-nautilus-3.13.6-1.mga6.x86_64
x qesteidutil-3.12.7-2.mga6.x86_64
- task-esteid-3.13.3-1.mga6.noarch
x xml-security-c-1.7.3-2.1.mga6.x86_64
 Complicated!
Found DigiDoc3 Client & Crypto in Office sub-menu, started the former, clicked things, it looked good. Changed the languages. BUT Settings-Server Access Certificate said "Valid to 03/01/2019 (expired)". Crypto looked equally good.
============================
UPDATE
Referencing Updates_Testing,
 qdigidoc4
 qdigidoc4-nautilus
were *not* listed by MCC-Update System. These are all I could find:
- chrome-token-signing-1.0.8-1.mga6.x86_64
- lib64digidocpp1-3.13.8-1.mga6.x86_64
- libdigidocpp-3.13.8-1.mga6.x86_64
- task-esteid-4.2.0-1.mga6.noarch
which were updated OK. The last did *not* pull in the 2 missing pkgs.
As did others, I manually installed:
 # urpmi qdigidoc4
which uninstalled 'qdigidoc-3.13.6-1.mga6.x86_64' because of conflict with 
'qdigidoc4-4.2.0-2.mga6.x86_64'; and
'qdigidoc-nautilus-3.13.6-1.mga6.x86_64' because it wanted, unsatisfied,
'qdigidoc == 3.13.6-1.mga6'.
 /core/updates_testing/qdigidoc4-4.2.0-2.mga6.x86_64.rpm was installed.
qdigidoc-nautilus-3.13.6-1.mga6.x86_64 & qdigidoc-3.13.6-1.mga6.x86_64
were uninstalled.
 # urpmi qdigidoc4-nautilus
 .../core/updates_testing/qdigidoc4-nautilus-4.2.0-2.mga6.x86_64.rpm was installed.
 Complicated again!
In the Office sub-menu, DigiDoc Crypto has gone, only DigiDoc4 Client remains. This looks radically different, but OK, and nominally works.

So the end result of this update is *good*, and warrants OKs. Doubt:
-------------------------------------------------------------------
@Sander: the business of qdigidoc[-nautilus] -> qdigidoc4[-nautilus] is iffy. It does not look (I may be wrong) that it would happen automatically by a system update. We all had to fiddle manually. Can you comment on this? Should the two pkgs be made dependencies of task-esteid (which they were before, because that is how I got them installed)?

CC: (none) => lewyssmith
Keywords: (none) => feedback

Comment 4 Sander Lepik 2019-01-17 22:50:11 CET
DigiDoc4 includes multiple applications in one, so it's OK if DigiDoc Crypto is gone after installing DigiDoc4. The update is not meant to install DigiDoc4 automatically. People have to do it before or after the update manually and this will remove DigiDoc3. It's a bit messy and maybe I'll figure out something better if I'm forced to push another mandatory update but right now I'd let it be as it is. It's better than having just DigiDoc3 which can't be used to sign new documents anymore.

Keywords: feedback => (none)

Comment 5 Lewis Smith 2019-01-18 10:00:49 CET
Thank you for the quick response. It does look a question of dependencies; '--requires' alone does not show it, so it must be one of the other directly dependent packages:
BEFORE: task-esteid-3.13.3-1.mga6
 $ urpmq --requires-recursive task-esteid | grep qdigidoc
 qdigidoc
 qdigidoc-nautilus
AFTER: task-esteid-4.2.0-1.mga6
 $ urpmq --media 'updates testing' --requires-recursive task-esteid | grep qdigidoc
 $

BTAIM, to get this out ASAP, could we mention in the advisory (which I could do):
- That you will need to install manually the 'qdigidoc4' and 'qdigidoc4-nautilus' packages after the update?
- That old separate DigiDoc3 Client & Crypto are replaced by new DigiDoc4 Client.

Lewis Smith 2019-01-18 19:21:55 CET

Keywords: (none) => feedback

Comment 6 Lewis Smith 2019-01-18 21:41:12 CET
Because this is urgent, I am sending this update on its way, with the additions I noted in c5 added to the advisory from comment 0 (+ bug title).

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: feedback => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2019-01-18 23:20:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2019-0005.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 Sander Lepik 2019-01-18 23:53:03 CET
I had a really busy day, but thanks for pushing the update. I agree with the updated advisory :)
