Description of problem: qDigiDoc software fails to sign BDOC-formatted signature containeres with Finnish ID-card. BDoc.cpp:528 Failed to sign BDOC container. QSigner.cpp:482 Failed to sign document Version-Release number of selected component (if applicable): qdigidoc-3.9.1.1369-2.fc20.x86_64 How reproducible: Always. Well, actually this has never succeeded that we know. :-/ Steps to Reproduce: 1. Update to qdigidoc-0.4.1-4.fc20 koji test-build packages. 2. Start qdigidocclient and plug in Finnish ID-card (http://fineid.fi). 3. Create a new container, add some file into it. 4. try to sign it with Finnish card's second signature-certificate. It fails. Expected results: Signed BDOC-container. Additional info: This is more or less a tracking bug to follow this issue. If we get this working, this will be pushed into f20 too. Package is from: http://koji.fedoraproject.org/koji/buildinfo?buildID=594194 estonianidcard-3.8.1-2.fc20.noarch.rpm libdigidocpp-3.9.0.1237-2.fc20.x86_64.rpm firefox-esteidpkcs11loader-3.8.0.1052-4.fc20.noarch.rpm libdigidocpp-doc-3.9.0.1237-2.fc20.x86_64.rpm firefox-esteid-plugin-3.8.0.1115-4.fc20.x86_64.rpm qdigidoc-3.9.1.1369-2.fc20.x86_64.rpm libdigidoc-3.9.1.1191-1.fc20.x86_64.rpm qesteidutil-3.8.0.1106-7.fc20.x86_64.rpm
# rpm -q --requires qdigidoc /bin/sh /bin/sh /bin/sh hicolor-icon-theme libQt5Core.so.5()(64bit) libQt5Gui.so.5()(64bit) libQt5Network.so.5()(64bit) libQt5PrintSupport.so.5()(64bit) libQt5Widgets.so.5()(64bit) libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libcrypto.so.10()(64bit) libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) libcrypto.so.10(libcrypto.so.10)(64bit) libdigidocpp.so.0()(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) liblber-2.4.so.2()(64bit) libldap-2.4.so.2()(64bit) libm.so.6()(64bit) libpcsclite.so.1()(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit) libssl.so.10()(64bit) libssl.so.10(libssl.so.10)(64bit) libstdc++.so.6()(64bit) libstdc++.so.6(CXXABI_1.3)(64bit) libstdc++.so.6(GLIBCXX_3.4)(64bit) libstdc++.so.6(GLIBCXX_3.4.11)(64bit) libstdc++.so.6(GLIBCXX_3.4.15)(64bit) libstdc++.so.6(GLIBCXX_3.4.9)(64bit) opensc(x86-64) rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rtld(GNU_HASH) rpmlib(PayloadIsXz) <= 5.2-1
It's not all bad, this was the first time qDigiDoc actually saw and display's finnish card's information in main view.
$ rpm -q opensc fedora-release opensc-0.14.0-1.fc20.x86_64 fedora-release-20-3.noarch $ qdigidocclient . . . DEBUG [SignatureBES.cpp:771] - Digest { 97 49 80 4F B6 84 78 9B 77 E4 D5 11 04 C3 84 BF EC 35 78 D1 D1 0C B9 9B E5 A5 43 DC 31 BC AC 7B }:32 DEBUG [OCSP.cpp:418] - OCSP status: GOOD HOLY SHIT, it works. It only took 14 years to happen. Paint a big black cross on wall. Next thing is to send a container to finnish official and sue them not accepting it, even law has mandatated it for all this time since 1999.
So, let's leave this bug open and discuss, can we update opensc to 0.14 in Fedora-20?
I can confirm that signing with the Finnish ID card works on Fedora 21 Beta out-of-the-box (well, post-beta, pre-release...)
Re: comment #4 Per Juha's requests for 0.14 builds for f20, and discussion on freenode #fedora-devel yesterday, I offered to create a copr for additional testing/feedback, https://copr.fedoraproject.org/coprs/rdieter/opensc/
Confirmed, updated package from COPR-repo in comment 6 fixes this issue. $ rpm -q system-release opensc qdigidoc package system-release is not installed opensc-0.14.0-1.fc20.x86_64 qdigidoc-3.9.1.1369-2.fc20.x86_64 I will be using this version in my desktop system and will notify if there is any side issues with this compilation.
BTW, opensc pkcs11 plugin in firefox works too. That's usually the part that breaks first. Looks good.
# rpm -q openvpn opensc openvpn-2.3.6-1.fc20.x86_64 opensc-0.13.0-11.fc20.x86_64 # openvpn --show-pkcs11-ids /usr/lib64/pkcs11/onepin-opensc-pkcs11.so Wed Apr 29 16:22:43 2015 PKCS#11: Cannot add provider '/usr/lib64/pkcs11/onepin-opensc-pkcs11.so' 6-'CKR_FUNCTION_FAILED' Wed Apr 29 16:22:43 2015 Exiting due to fatal error # dnf copr enable rdieter/opensc # dnf update # rpm -q openvpn opensc openvpn-2.3.6-1.fc20.x86_64 opensc-0.14.0-1.fc20.x86_64 # openvpn --show-pkcs11-ids /usr/lib64/onepin-opensc-pkcs11.so The following objects are available for use. Each object shown below may be used as parameter to --pkcs11-id option please remember to use single quote mark. Certificate DN: C=FI, serialNumber=10000350X, GN=JUHA, SN=TUOMALA, CN=TUOMALA JUHA 10000350X Serial: 3BA8D0D3 Serialized id: VRK\x2DFINEID/PKCS\x2315/4600015067524093/HENKILOKORTTI\x20\x28perustunnusluku\x29/45
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I will use this bug as a reference example when someone next time says "Could you fill a bug report about that?" I wont. Complete waste of time, once again.
It wasn't a complete waste of time, we got good testing and a working copr out of it at least.
People who can, like package maintainers etc, should help endusers to get around problems that prevent them doing their tasks. That will make distro better and more popular. I personally gain from popularity. I can rebuild packages for myself if needed. No need to make bug reports about that. If I'm only one thinking like this, collective effort is waste of time.
Sorry you feel that way, but *I* as a maintainer did try helping you. That attitude of yours makes me regret making the effort a bit. My efforts to assist and making the copr seem wasted on someone who doesn't appreciate it.
It's waste of time if there is a clear problem, we find a clear solution for it and it's not pushed ahead for some reason. If the reason is release version that is supported on paper and promises, but not in reality, it's waste of time from all of us and bad reputation for distribution. Less users and we all loose because smaller ecosystem. Don't mix my apprecitiation or feelings to the facts that this is all about. I could very well use the very same argument, but won't. This is about fixing bugs and making distribution better if it's _supported_. Even a week from reporting date.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.