Showing posts with label bankid. Show all posts
Showing posts with label bankid. Show all posts

20 November 2014

603. Mobile bankid; works fine in a VM too

Turns out I got it wrong in my earlier post -- mobile bankid has nothing to do with the telecom network.

How it works:
1. Phone: Start BankID on your phone. The program will say that it's waiting for a connection.
2. Computer: You go to your bank/government service web page, select Mobile BankID, then type in your 'person nummer' (like SSN).
3. Phone: BankID on your phone will then prompt you for your PIN.
4. Computer: You're logged in.

It's all happening over the internet. Sure, it might not work if you change SIM, for example, but at least it's not telephony based.

Best of all, I could get an activation code for mobile bankid using the win 7 bankid instance I set up in http://verahill.blogspot.com.au/2014/11/602-surviving-bankid-rant-moving-nge.html and now I never have to use it again.

[if you're on linux and in Scandinavia, just install mobile bankid on your phone or on android in a vm]

So, if you're on linux and you've been using the official bankid application and you happen to be a couple of continents removed from Scandinavia follow this post which basically does the following:
1. Install ubuntu 10.04 LTS in a VM
2. Install bankid 4.19.XXXX or earlier in the ubuntu VM
3. Copy your ~/.personal from your regular linux computer to the ubuntu VM
4. export your key using persadm export to a USB stick
5. Install windows 7 in a VM using the free, legal isos and the free, legal installation key. The copy will expire after 30 days (but will still continue working).
6. Install bankid in the Win 7 VM
7. Under File/Preferences in bankid add the directory on your USB stick with the exported bankid key
8. Log in to your BankID issuer (probably your bank) using bankid 'on file', and request a mobile bankid. You'll get an activation code
9. Install the bankid app on your phone (e.g. bankid from the play store on android)
10. Start the bankid app on your phone, and type in your personnummer and the activation code. Create a pin, which is your password
11. You're done.

I mean, sure, it's a very awkward way of going about it, but it works and is conceptually simple.

Android in a VM
And there's absolutely no reason you can't use mobile bankid it in a virtualbox VM if you want to -- I used an android 4.4 x86 iso and created a virtual machine, and then set up bankid which works fine.


19 November 2014

602. Surviving bankid + rant. Exporting bankid files from linux to windows

This post probably isn't interesting unless you live/have lived in Sweden (Scandinavia)/deal with Swedish(Scandinavian) banks and their unbelievably crappy electronic ID solution.

This post will not show you how to use BankID on Linux -- it will show you how to move bankid files from debian linux to windows 7. Nor is the method elegant as it involves using two VMs.

I should make a long rant about how the company, Finansiell ID teknik, behind BankID should be sued into oblivion and the Swedish  politicians allowing it to be used to access government service without requiring open specifications be jailed indefinitely. But I'm tired.

[looks like I got into a rant after all]
rant begin:
Long story short: BankID has always been a real pain in the backside to use on linux, and now support has ended altogether. Support for Windows XP has been dropped as well, which will become relevant later.


No more linux announcement: https://support.bankid.com/syskrav

Either way, there's no linux-friendly solution out there, as in moving from v4 to v5 of bankid the format has changed completely. To my understanding, that means that fribid also will not work with providers requiring bankid versions newer than

There's a linux-friendly solution: mobile bankid, which runs on android. However, it seems to require a Swedish (or northern European) SIM card. Actually, I have no idea how it works since there's hardly any bloody information out there -- the bankid.com website is incredibly bad. The most detailed info I've found is this, which says that it's SIM card and service provider dependent: https://www.bankid.no/Dette-er-BankID/BankID-pa-mobil/. On the other hand, this page says it isn't: http://www.stockholm.se/mobiltbankid

[NOPE -- that's not how it works -- it's actually a lot better. See here instead: linktocome ]

In the end it doesn't matter since you'll have to walk into a Swedish bank in person to order a new bankid set-up code. Not something you can do if you're abroad.

There's one other solution available -- ID via the Swedish tax office. Unfortunately it is only available for people residing in Sweden. Anyone who has business with Sweden but lives abroad is SOL.
rant end.


Step 1. Windows 7 in a VM -- overview
So, I had to find a pragmatic solution, and quickly since my current ID key is expiring. I have an old Windows XP disk that I could install in a VM, but since XP isn't supported anymore, that wouldn't work anyway.

I then decided to see how much a copy of Windows 7 costs. I'm not keen on throwing money at MS, but I was still at the point of simply investigating solutions. According to http://www.cheapaussiesoftware.com/microsoft-windows/microsoft-windows-7  the cheapest copy is $124. Not keen.

I am surrounded by computers with Windows 7 Pro OA stickers (that are running debian), so I figured if I could only get my hands on a DVD I could use the license that has already been paid for. I also had a vague memory of the Windows 7 isos being freely and legally available from Microsoft via download.

Using google a bit I eventually found it: http://www.heidoc.net/joomla/technology-science/microsoft/14-windows-7-direct-download-links
which provides Windows 7 isos freely and legally via Digital River. Note that you'll still need to find your own activation key.

Activation key -- you can either:
* get that legally by paying for it. Not interested in paying that much money for something I'm not going to use much.

* use google for a few minutes, find tons of activation keys which appear to work during installation but really don't allow you to activate your copy (go to Computer, Properties and click on Activate Now). This is obviously not legal.

* Put in an installation key (D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV... read more) which allows you to finish the installation but won't activate your copy. Actually, reading the linked post you might not have to enter anything.

Either way, after 30 days your copy will expire. You can still use it -- the only things that change is the background (goes black), you can't install updates anymore, and Aero turns off. See here. This is fine by me.

As OA licenses are limited and I really don't care about using Windows for anything but bankid, I went with the last option.

Installing Windows 7 Ultimate 64 bit in VirtualBox went without a hitch, and I awarded it 30 Gb HDD and 2 gb RAM (I have 4 Tb HDD and 8 Gb RAM on my system). So far so good..

From within Windows 7 I then downloaded bankid v 6.1 from here: https://install.bankid.com/ (ignore the whole linux/ubuntu link -- that's for v 4 which isn't supported by most banks anymore...)


Step 2. Ubuntu (yup) in a VM *yup).
At this point I figured I was doing pretty well. I connected a USB stick to my computer (i.e. debian) and ran persadm.
me@beryllium:/media/highio$ persadm export BankID Security Application 4.19.1 Available tokens: 0: (140110 yy.xx) Me - BankID on file 1: (130304 yy.xx) Me - BankID on file Choose token: 0 Enter pin: Enter removable media export directory (must exist): /media/fat32/bid Failed to export token. The reason might be that the export directory is not on a removable media, or that you don't have permission to write to it.
No matter what I tried in terms of permissions and destination file systems made any difference.

In desperation I then copied the ~/.personal structure containing the bankid keys from my debian box to my USB stick, fired up an old Ubuntu virtual machine with bankid installed (you may want to download bankid for ubuntu from here for THAT purpose: https://install.bankid.com/)

Running persadmin in the Ubuntu 10.04 LTS 32 bit VM worked perfectly, and I now had the exported .nge file in a folder on my USB stick.
me@me-desktop:~$ persadm export BankID Security Application 4.19.1 Available tokens: 0: (140110 yy.xx) Me - BankID on file 1: (130304 yy.xx) Me - BankID on file Choose token: 0 Enter pin: Enter removable media export directory (must exist): /media/fat32/bid Successfully exported token.
In retrospect you might be able to do this in a chrooted ubuntu instance under debian. Who knows?

Step 3. Importing the BankID key files
I then fired up the Windows 7 VM, started BankID and went to File/Preferences. Under locations I added the folder on the USB stick that held the exported BankID file, clicked Add, then Save, and everything was good.



Well, apart from the fact that I had to use two VMs, and am now stuck with a Windows 7 VM.

My Win 7 .vdi file is about 9 Gb, which as a tar.gz file is compressed to 3.8 Gb. I've backed it up in three different locations, so hopefully there won't be any issues with losing the bankid due to MS update idiocies.

28 October 2014

599. Briefly: Suddenly bankid doesn't work/wont be recognised.

The system: firefox 31, nspluginwrapper 1.4.4, debian wheezy, amd64

I've used bankid with Swedish banks in the past. Right now I'm running into trouble though. When clicking on the login button on the bank website I'm taken to this page:
Starting firefox (v31, but the symlink is called firefox25) from the terminal to catch the error messages I get
(firefox25:5555): GLib-GObject-WARNING **: /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gsignal.c:3397: signal name `load_complete' is invalid for instance `0x2b81340fc1f0' Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed Gtk-Message: Failed to load module "atk-bridge" *** NSPlugin Viewer *** ERROR: NP_Initialize() get args: Message argument mismatch *** NSPlugin Viewer *** ERROR: rpc_end_sync called when not in sync! *** NSPlugin Wrapper *** ERROR: NP_Initialize() wait for reply: Connection closed (firefox25:5555): GLib-GObject-WARNING **: /tmp/buildd/glib2.0-2.33.12+really2.32.4/./gobject/gsignal.c:3397: signal name `load_complete' is invalid for instance `0x2b812a4f52e0'

The solution was to do
/usr/lib/nspluginwrapper/x86_64/linux/npconfig  -a -v -u
Auto-update plugins from /usr/lib/mozilla/plugins Looking for plugins in /usr/lib/mozilla/plugins Auto-update plugins from /home/me/.mozilla/plugins Looking for plugins in /home/me/.mozilla/plugins Update plugin /home/me/.mozilla/plugins/npwrapper.libplugins.so nspluginwrapper ident mismatch, reinstalling plugin Install plugin /usr/local/lib/personal/libplugins.so into /home/me/.mozilla/plugins/npwrapper.libplugins.so

as described by the nspluginwrapper maintainer (David) in a reply on http://www.geeklab.info/2011/11/reconfigure-nspluginwrapper/

03 March 2013

354. Some Arch linux post-installation steps/observations

I decided to temporarily switch my laptop over to Arch linux while keeping all my other boxes running debian. Luckily I had an old HDD which had Windows XP and Ubuntu (after a long hiatus from playing with Fedora Core and Mepis I got serious with Hardy Heron) that I could use -- I nuked the ubuntu install but kept the XP install for...some reason.

Still under preparation: Item 20 (chrooted firefox)

Anyway, here are some of the post installation steps I went through and some of my observations. It might help the odd debian person who explores arch. These are in addition to cosmetic things like installing the frippery extensions and faenza icon set for GNOME.

Index
0. Home partition during installation
1. There's no update-grub in Arch
2. Thinkpad
3. Changing Wallpaper in gnome 3.6
4. Get gdm to autostart
5. Get guake and conky to autostart
6. Adding a windows partition to grub2
7. Mounting ntfs partition
8. Skype and wine
9. Dropbox
10. 'apt-file' on Arch
11. Finding foreign (AUR) packages
12. No texmaker
13. systemd and network interface names
14. Virtualbox
15. grub2 theme
16. BankID
17. Truecrypt and "Failed to set up a loop device"
18. Can boot via USB but not SATA --
      "unable to find root device"
19. Problems with Guake and transparency in new tabs


0. Home partition during installation
I've covered installation of arch before (e.g. here, here and here). To have a separate home, partition your disk accordingly, and install as normal. Don't make any user while in archchroot though. Instead, edit the /etc/fstab to include the home partition, and create the user on booting from the new arch install.

UUID=b59b7022-eda1-40b8-b1e0-ada3f172ba90 /home  ext4  defaults, user_xattr  0 0

1. There's no update-grub in Arch
Instead you use
grub-mkconfig -o /boot/grub/grub.cfg

It also means that e.g. any windows installations won't be auto-detected. See below for how to deal with that.

2. Thinkpad
To get the video working you need to install xf86-video-intel
To get the mouse pad working you need to install xf86-input-synaptics
Install lm_sensors and acpi and run sudo sensors-detect to set up temperature and fan speed sensors, and battery status (acpi).
The LEDs seem to work at times with tp_smapi. Not perfect.

Problems:
the mute button doesn't work (mute immediately followed volume down works), nor does mute mic. I've tried a lot of options but so far no luck.

3. Changing Wallpaper in gnome 3.6
The debian devs may think they are simplifying things, but are often making things more difficult to discover. To change wallpaper go to the gnome overview, open Background, and click on the wallpaper in the centre of the window. THAT brings up a list over installed wallpapers etc.

4. Get gdm to autostart
systemctl enable gdm

5. Get guake and conky to autostart
sudo cp /usr/share/applications/guake.desktop /etc/xdg/autostart/

Create /usr/share/applications/conky.desktop:
[Desktop Entry]
Encoding=UTF-8
Name=Conky
Comment=Conky
TryExec=conky
Exec=conky
Icon=conky
Type=Application
Categories=GNOME;GTK;System;Utility
StartupNotify=true
sudo cp /usr/share/applications/conky.desktop /etc/xdg/autostart/

6. Adding a windows partition to grub2
You'll need to edit or create something aking to /etc/grub.d/40_custom
menuentry "Microsoft Windows XP" {
    insmod part_msdos
    insmod ntfs
    insmod search_fs_uuid
    insmod ntldr\
    search --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 B8AC3A4BAC3A0482
ntldr /ntldr
}
7. Mounting ntfs partition
sudo pacman -S ntfs-3g
sudo mkdir -p /media/winxp
sudo chown $USER /media/winxp

Edit /etc/fstab
UUID=B8AC3A4BAC3A0482 /media/winxp ntfs-3g noauto,uid=1000 0 0

8. Skype and wine
You need to edit /etc/pacman.conf and uncomment the multilib repos.
[multilib] SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist

sudo pacman -Syu
sudo pacman -S wine 
sudo pacman -S skype lib32-libpulse

I originally had a qt/qt4 conflict, but updating magically took care of that. Somehow.

NOTE that to get a useable 32 bit wine install you will need to specify this. See e.g. https://wiki.archlinux.org/index.php/Wine#Using_WINEARCH

9. Dropbox
You need to get dropbox and dropbox-nautilus from AUR. Create /etc/xdg/autostart/dropbox.desktop
[Desktop Entry] Encoding=UTF-8 Name=Dropbox daemon TryExec=dropboxd Exec=dropboxd Startupnotify=true

(I first tried systemctl enable dropbox@$USER but it didn't get nautilus running properly with dropbox. The method above works.)
10. 'apt-file' on arch
...is done with pkgfile.

sudo pacman -S pkgfile
pkgfile --update
pkgfile -s libXv.so.1

11. Finding foreign (AUR) packages.
AUR packages won't update themselves so you need to uninstall and rebuild each time. To find your AUR builds, do
pacman -Qm

12. No texmaker
Texmaker is in AUR and builds fine. It's also easy to build on your own, but installing it with pacman makes it easier to keep tabs on it.

13. systemd and network interface names
My network interfaces always end up with weird names in Arch (w5pls etc.). To manually name your interfaces create e.g. 70-persistent-net.rules in /etc/udev/rules.d/
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:27:9e:27:9b:20", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:23:fb:b3:d2:c8", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"

14.Virtualbox
sudo pacman -S virtualbox virtualbox-host-modules linux-headers
sudo usermod -G vboxusers -a $USER

To load the vboxdrv module manually do
sudo modprobe vboxdrv

To auto-load on boot do
sudo su
echo "vboxdrv">> /etc/modules-load.d/virtualbox.conf
exit 

To sort out dkms:
sudo pacman -S dkms virtualbox-host-dkms
sudo systemctl enable dkms
sudo dkms install vboxhost/4.2.8


15. grub2 theme
The stock grub2 startup screen in arch is a bit bland. To spice it up, install grub2-theme-archlinux from AUR.

Edit /etc/default/grub and add
GRUB_THEME="/boot/grub/themes/Archlinux/theme.txt"
Then do
sudo grub-mkconfig -o /boot/grub/grub.cfg

It looks a lot like the mockup here: http://xcracx.deviantart.com/art/Archlinux-Grub2-mockup-121231574

16. BankID

Install bankid via AUR:
wget https://aur.archlinux.org/packages/ne/nexuspersonal/nexuspersonal.tar.gz
tar xvf nexuspersonal.tar.gz
cd nexuspersonal
makepkg -s
sudo pacman -U nexuspersonal-4.19.1.11663-4-x86_64.pkg.tar.xz
sudo pacman -S nspluginwrapper firefox
sudo nspluginwrapper --install /usr/local/lib/personal/libplugins.so

It should now work under firefox. NOTE that in order to be able to test it using test.bankid.com you must change your useragent (see e.g. http://verahill.blogspot.com.au/2013/02/341-upgradinginstalling-bankid-on-64.html). However, it will work with e.g. skatteverket and sparbanken without changing the user agent.

17. Truecrypt and "Failed to set up a loop device"
The module loop isn't loaded. Either modprobe it, or make it load automatically on boot:
sudo su
echo "loop">> /etc/modules-load.d/loop.conf
exit

18. Arch won't boot -- "unable to find root device"
I could boot from the hdd when it was tethered via USB, but not when it was attached via a sata cable. The error was something along the lines of "unable to find root device".
I solved it by following this post. http://fanweiphysicist.blogspot.com.au/2012/02/unable-to-find-root-device-archlinux.html

19. Guake bug
On my laptop, with the xf86-video-intel drivers install, opening a new tab gives me a black background instead of a transparent one.
Not sure what the proper solution to this is, but when I set up an installation on another hdd and installed the f86-video-nv and ati drivers as well, I no longer had any issues with transparency.
(Long story short: I first installed Arch on a spinning 2.5" drive and used my laptop with it for a week. Satisfied that it worked well enough, I installed Arch to my SSD by tethering it via USB to a desktop with an external nvidia card and onboard ati graphics -- so I installed all three video drivers. Putting the hdd in the laptop, guake behaved as it should with proper transparency for all tabs. Not sure what the original issue was)

20. chrooted firefox -- in progress.
For now I've installed sandfox from AUR.

First of all, read this exchange to get a feel for the scope of chroots: http://kerneltrap.org/mailarchive/linux-kernel/2007/9/19/263398/thread#mid-263398. It's not perfect as a security tool, as it wasn't meant to be one. Having said that, security works in layers and this is one which is easy to implement and adds a little bit of security.

Chrooting a programme doesn't give you any privacy or prevents firefox from leaving traces (use an encrypted and anonymous tunnel and put the chroot in a truecrypt container to cover yourself a bit more).

sudo pacman -S devtools xorg-xhost
mkdir -p $HOME/tmp/jail
sudo mkarchroot $HOME/tmp/jail/arch64 base sudo firefox flashplugin
sudo chroot $HOME/tmp/jail/arch64
passwd
useradd -m sandbox
passwd sandbox
echo "sandbox ALL=(ALL) ALL" >> /etc/sudoers
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'DISPLAY=:0.0' >> /etc/bash.bashrc
source /etc/bash.bashrc
exit

Launch the chroot with a script with something like this in it:
xhost +
sudo cp /etc/resolv.conf $HOME/tmp/jail/arch64/etc/resolv.conf
sudo mount -o bind /proc $HOME/tmp/jail/arch64/proc
sudo mount -o bind /sys $HOME/tmp/jail/arch64/sys
sudo mount -o bind /dev $HOME/tmp/jail/arch64/dev
sudo chroot $HOME/tmp/jail/arch64

You could also put 8.8.8.8 in resolv.conf (google dns).
Still not working properly (firefox segfaults)

19 February 2013

341. Upgrading/installing BankID on 64 bit linux

Note: the post below is aimed at installing BankID on Debian (should be ok for ubuntu/mint too). For Arch Linux, see here (item 16)

There are a few ways to get around the rotten behaviour of bankid. This is one of them:

NOTE: to install nspluginwrapper you need to enable the stable/squeeze repos by e.g. adding
deb http://ftp.au.debian.org/debian/ squeeze main contrib non-free
to your /etc/apt/sources.list.

That's normally reasonably safe since apt by default pulls in the newest package and I haven't had any issues. Just be careful though.

You can also install nspluginwrapper by compiling it as shown here: http://verahill.blogspot.com.au/2013/03/366-nspluginwrapper-on-debian.html


Note that there's a FOSS alternative in Fribid (http://verahill.blogspot.se/2012/02/debian-testing-wheezy-64-fribid-as.html) which seems to be working perfectly -- and if you can use it, use it. The main limitation is that in practice you'll have to collect your certificate/ID with it, since newer versions of BankID saves the ID in an incompatible format. Like many foreigners, I don't have the opportunity to visit Sweden for the sole sake of picking up a new ID, so I'm stuck with BankID. But you may not be.



0. Things to install:
sudo apt-get install iceweasel nspluginwrapper ia32-libs

1. Download BankID and uninstall any previous installations
cd ~/Downloads
mkdir bankid
cd bankid
wget https://install.bankid.com/Download?defaultFileId=Linux -O bankid.tar.gz
tar xvf bankid.tar.gz
cd BISP-4.19.1.11663/
sudo sh install.4.19.1.11663.sh u

2. If you're upgrading, make sure to remove any previous libplugins.so
sudo updatedb && locate libplugins.so
/home/me/Downloads/bankid/BISP-4.19.1.11663/libplugins.so /usr/lib/mozilla/plugins/libplugins.so /usr/lib/mozilla/plugins/npwrapper.libplugins.so /usr/lib/nspluginwrapper/plugins/npwrapper.libplugins.so
sudo nspluginwrapper -r /usr/lib/mozilla/plugins/npwrapper.libplugins.so sudo rm /usr/lib/mozilla/plugins/libplugins.so sudo rm /usr/lib/nspluginwrapper/plugins/npwrapper.libplugins.so

3. Install the new version
sudo sh install.4.19.1.11663.sh i
Installing BankID Security Application ln: failed to create symbolic link `/usr/lib/firefox-addons/plugins': No such file or directory WARNING: Failed installing plugin for Firefox 3. Manually add symlink to libplugins.so in your Firefox 3 plugin directory if this browser is to be used. Installation complete.
sudo nspluginwrapper --install /usr/local/lib/personal/libplugins.so

4. Test your installation
Don't bother with test.bankid.com since the idiots won't let you test anything that identifies itself as 64 bit (more about that later). Instead
5. Testing against test.bankid.com
Everything is in working order but for some idiotic reason bankid.com won't even allow you to test you fancy new 64 bit installation -- and it all boils down the useragent string in iceweasel/firefox identifying itself as running on a 64 bit system (paradoxically, a real 32 bit browser running in a chroot won't work either since the kernel is 64 bit -- in schroot you can use personality=linux32 to get around it, but good luck dealing with the massive memory leaks).

Anyway,
  • open your iceweasel browser
  • type in about:config in the address bar
  • promise that you'll be careful
  • right-click on the page, select New, String
  • In the first box, type general.useragent.override
  • In the second box paste Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12
You can now go to https://test.bankid.com. I find this a bit humiliating though, and you can use bankid everywhere but bankid.com without having to set the useragent to identify your system as being i686.


If you're having issues, the first thing to check is about:plugins in firefox:


26 February 2012

79. Bankid/nexus personal and iceweasel on Debian Testing

Update 19 Feb. 2013:
Here's an updated post: http://verahill.blogspot.com.au/2013/02/341-upgradinginstalling-bankid-on-64.html -- see that one instead, in particularly if you're upgrading.

Note that you may have to compile your own nspluginwrapper:
http://verahill.blogspot.com.au/2013/03/366-nspluginwrapper-on-debian.html

and you will need to enable multiarch to install ia32-libs:
sudo dpkg --add-architecture i386
sudo apt-get update

Original post:
Swedish banks and government institutions use bankid/nexus personal for electronic id verification. Sadly, it's a horrible solution -- it seems to be closed source, the bankid website is a POS which prevents me from downloading the 64 bit version claiming that it's not supported (I've used it for a few years now, so it's clearly bunkum).

Note that there's a FOSS alternative in Fribid (http://verahill.blogspot.se/2012/02/debian-testing-wheezy-64-fribid-as.html) which seems to be working perfectly -- and if you can use it, use it. The main limitation is that in practice you'll have to collect your certificate/ID with it, since newer versions of BankID saves the ID in an incompatible format. Like many foreigners, I don't have the opportunity to visit Sweden for the sole sake of picking up a new ID, so I'm stuck with BankID. But you may not be.

* A Swedish how-to is available here: http://ubuntu-se.org/wiki/NexusPersonal#Installation_p.C3.A5_64-bitarssystem

* Another, more recent how-to is here: http://popqvarnstrom.blogspot.com.au/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html

Note: I have never 'exported' my ID, but have always copied the ~/.personal directory between computers. The problem with exporting is that you are only allowed to do it once. The problem with Nexus allowing your to copy the file itself is that anyone with physical access to your computer can copy the key.

--START HERE --
 Here's a summary of how to get it working on debian testing wheezy:

In theory you should install nexus personal from here:
https://install.bankid.com/

I've got v 4.17.0.11 installed on a 64 bit system. The message on this page is a load of bollocks:


Whatever -- the good guys over at Arch supply a link:
wget http://install.bankid.com/Repository/BISP-4.19.0.11351.tar.gz

EDIT: you can use this generic url instead  https://install.bankid.com/Download?defaultFileId=Linux

tar -xvf  BISP-4.19.0.11351.tar.gz
cd  BISP-4.19.0.11351
 sudo sh install.4.19.0.11351.sh i
 Installing BankID Security Application
ln: failed to create symbolic link `/usr/lib/firefox-addons/plugins': No such file or directory
WARNING: Failed installing plugin for Firefox 3. Manually add symlink to libplugins.so in your Firefox 3 plugin directory if this browser is to be used.
Installation complete.

Since the plugin is 32 bit, you need to link it with nspluginwrapper, and you need 32 bit libs, so

sudo apt-get install nspluginwrapper ia32-libs




Also, as far as I can tell, you need iceweasel/firefox. Chrome/ium won't work.

sudo nspluginwrapper -i /usr/local/lib/personal/libplugins.so  

Check to see if it's installed:
nspluginwrapper -l
 /usr/lib/mozilla/plugins/npwrapper.libplugins.so 
 Original plugin: /usr/local/lib/personal/libplugins.so 
Plugin viewer: /usr/lib/nspluginwrapper/i386/linux/npviewer
Wrapper version string: 1.3.0  
And visit  the following page to make sure
 https://test.bankid.com/
Or your bank.


Your  key -- on a computer where you've used bankid before -- will be in ~/.personal -- don't bother trying to import or export it using the bankid/nexus personal programme (http://popqvarnstrom.blogspot.com.au/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html) since you're apparently only allowed to do that a certain number of times.

If you just plain copy the files, however, you can do it as many times as you want. I told you the programme is a POS. Anyway,

tree .personal
.personal
|-- backup
|   |-- config
|   |   `-- Personal.cfg
|   `-- store
|-- config
|   `-- Personal.cfg
`-- store
    |-- 1.ngp
    `-- 2.ngp


Nexus Personal/BankID is installed in /usr/local/lib/personal/

Links to this page:
http://popqvarnstrom.blogspot.se/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html

78. Fribid as an alternative to nexus personal on debian

Anyone who has needs to interact electronically with banks and government agencies in Sweden will become a victim of BankID/Nexus Personal.

It's a piece of crap. I've used it for several years, and have managed to get by. Now, however, if you try to download a newer version (I currently have 4.17.0.11) from a 64 bit debian machine you end up on a page that says:
 And there's little hope of getting past it.

Luckily, there's apparently an open-source project, fribid, which may be able to replace bankid/nexus personal for those who don't want to get stuck with 32 bit linux (seriously -- why does 4.17 work on 64 bit and future versions won't? And why won't you let me download an older, supported version? And why can't I chose what version I download? 32 bit windows from a 64 bit linux box -- and vice versa -- SHOULD BE POSSIBLE)

Anyway, fribid:


wget http://fribid.se/releases/source/fribid-1.0.0.tar.bz2
tar -xvf fribid-1.0.0.tar.bz2
cd fribid-1.0.0
./configure
make
sudo make install



I didn't have to do anything to 'install' it beyond that. Navigating in iceweasel to a website requiring bankid started fribid as it should and prompted me for the key file.

I can't explore the functionality beyond this, as fribid can only read keys downloaded with bankid/nexus v 4.10 or earlier -- pk12. The clincher here is that you can download the keys using fribid to begin with instead of first downloading them with bankid.

Lock-in, anyone?





Error:
ERROR: Unsatisfied dependencies:
  gtk+-2.0 >= 2.12
  gdk-2.0
  glib-2.0

Solution:
sudo apt-get install libgtk2.0-dev