Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 12-03-2017, 01:22 PM   #1
LQ Newbie
Registered: Dec 2017
Posts: 3

Rep: Reputation: Disabled
Unhappy Need software for QES (qualified electronic signature)

Hello everyone,

I'm trying to use QES with GNU/Linux.

My setup consists of a Debian Stretch (64-bit) operating system, a Kobil KAAN TriBank card reader and a chip card from T-Systems.

Before I get to explain my actual problem, I'd like to share what happened so far as I familiarized myself with QES. (If you don't want to read everything, just scroll down to the bold part.)

My experiences so far seem to be somehow paradox: On the one hand, I'm having trouble finding helpful information for my use case, but on the other hand it turns out to be more straight-forward than I expected. Yet, I got a headache anyway.

Step 1: Find a regulation CA

QES requires a certificate that must be issued by a QES-approved CA. The first choice I thought of was the local savings bank - but it turned out that DSV has discontinued their QES service. So I went through the list of accredited QES CAs (which is quite short) and it turned out that the majority of them was useless for me because they restrict their service to internal purposes or a particular profession. Only 2 or 3 actually offer QES certificates to the general public. I finally settled for T-Systems.

STep 2: Order a QES smart card

Ordering the smart card was quite straight-forward. I filled in a web form, then performed a PostIdent. A few days later, T-Systems sent me an email requesting a copy of my ID card. This surprised me at first but a quick Google search revealed that legislation had been changed recently such that photocopies of ID cards were legal again. So I copied my ID card, sent it to T-Systems and after another few days, I had my signature card in the mail. I haven't paid a single cent for this service yet because T-Systems still has to send me an invoice. (Electronic invoices no longer require QES, so I can rule that out as a reason for the delayed invoice.)

STep 3: Find the card reader

My card reader is already about a decade old and it's been 3 relocations since I tried to use it. Therefore, I expected several hours of searching but luckily I just needed a few minutes. I was worried that the reader might not work with QES, but after some googling, it turned out that the device was approved for QES.

Step 6: Activate the card

DTAG was so kind to send me a detailled step-by-step instruction for activating the card. Card activation consists of two steps: First, the PIN codes have to be changed and then, I have to confirm to DTAG that I've received the card so they can publish my QES certificate in their directory. And this was the point where QES started causing me headaches: The beer software that DTAG wanted me to use for this purpose is only available for Macintosh and Windows Computers but not for GNU/Linux.

Step 8: Sign some documents

I thought it might be worth a try trying to use QES without having the card activated.

Step 7: Find some software for QES

To do so, I needed some program that would do this. Headache #2: There is very little information on the net on this and there seem to be no debian packages. But after some googling I found a JWS application called “secSigner” that would do the job. Java Web Start is not my favorite choice but unlike other programs, this one seemed to work, although even this program has several issues. One of them is that the program tries to list my home directory and if there are any strange characters in there, I'm unable to access any file in there. Renaming files until the problem files were identified was out of the question, so I ended up using another account as a work-around.

Step 4: Install some packages for chipcard support

Next issue was that secSigner detected neither my card reader nor the card. After some googling, I found a page on a wiki ( ) which explained to me that I had to install the following packages: libccid, libpcsclite1, pcscd, pcsc-tools.

Back to Step 8: Sign some documents

Now that the packages were installed, secSigner detected card reader and chip card out of the box. This was a relief. I was expecting some big problems here but the driver part just worked. What didn't work at this point was document signing. secSigner refused to sign my document because the card wasn't activated yet. So... back to step 6.

Back to Step 6: Card activation

I thought it might be worth a try to run TeleSec SignLive (the beer program recommended by DTAG) in wine. Although the program seemed to be stable, it was unable to find the card reader and the card and DTAG was so ignorant to not even acknowledge the existence of operating systems other than Windoof and MacOS. Ironically, the whole program is written in Java which is supposed to be platform-independant.

STep 5: Find software for card activation

So I had to find some software that would allow me to activate the card. Google wasn't helpful on this but after some searching, I found out that SecCommerce, the company behind secSigner, offers another tool called secCardAdmin that would allow me to activate the card.

Back to Step 6: Card activation

Card activation with secSigner worked fine, no problems.

Back to Step 8: Sign some documents

I was still trying to sign my test document. With secSigner, the PCSC packages, card activation and the seperate user workaround in place, it actually worked.

Step 9: Validate some signatures

I wanted to be sure that my signature was OK, so I ran secSignerVerify (the other part of secSigner) to check it. And the signature on my own document turned out to be valid. I also checked another document which I had found somewhere on the net and I got a validation error. I don't know why this is happening, maybe it's because the signature was PDF-Inline with Austrian QES, not PKCS#7 detached with German QES.

Step 7: Find software for QES

Unfortunately, I'm not done at this point. Although I'm able to sign documents with secSignerSign, I cannot use this program for all of my correspondance. QES can use (at least) 3 different signature formats - PKCS#7 enveloped (which stores document and signature in a container file), PKCS#7 detached (which uses two seperate files and PDF-Inline (which embeds the signature inside the PDF document). secSignerSign only creates detached signatures but not enveloped or PDF-Inline signatures. However, some of the authorities that I wish to go paperless with are telling me that they can accept electronic documents only in PDF-Inline format, not enveloped or even detached. Since I have no intention of suing the municipality over formal requirements, I need to find a method for creating PDF-Inline signatures. (Btw, the court would accept detached signatures but not the municipality.)

I've tried several other programs but most products I found turned out to be useless for me. Some require a certificate file (which I don't have, my cert is on a smart card), others don't seem to work at all. One product which looked promising (Governikus Signer Basic Edition) seems to be unable to detect my card reader and my chip card.

And that brings us to the reason why I'm posting here. I need a program which:

• allows me to sign documents with QES (mandatory)
• supports PDF-Inline, PKCS#7 enveloped and PKCS#7 detached signatures (mandatory)
• actually detects my card reader and my smart card (mandatory)

If possible, the program should also be free software and be available as a Debian package. It should be able to navigate the file system without choking on my umlaut files.

Can anybody help?

Another question I'd like to ask is whether it's possible to convert an existing signature between enveloped, detached and PDF-Inline format. My first thought on this was “no way, that would change the document and break the signature” but ... actually that depends on the formats involved. As far as I know, an enveloped signature should be no different from a detached one, except that the two files (document and signature) are placed in a container file. However, PDF-Inline might be more tricky. Does someone know?

Last edited by erebus42; 12-03-2017 at 01:24 PM.
Old 12-03-2017, 11:53 PM   #2
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,483

Rep: Reputation: 995Reputation: 995Reputation: 995Reputation: 995Reputation: 995Reputation: 995Reputation: 995Reputation: 995
Try this: before you get too sold on electronic signatures, just think of the problems. The ability to steal someone else's signature is the primary problem. Once identity thieves have your info, they can generate certificates to impersonate your signature! And proving it will require investigative work.

Relying on everyone to be honest is the road to ruin. I just heard of a girl who gave her Paypal login credentials in reply to an email asking for them. If there are people like that in the world, QES won't work either.

Last edited by AwesomeMachine; 12-04-2017 at 12:06 AM.
Old 12-04-2017, 01:46 AM   #3
LQ Newbie
Registered: Dec 2017
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestion. InfoNotary looks like an interesting program - but it somehow doesn't want to interface with my chip card. pcsc_scan detects my chip card as
Deutsche Telekom AG, TeleSec PKS ECC Signature Card (PKI)
but InfoNotary e-Doc Signer denies the existence of both signature card and card reader.

InfoNotary Smart Card Manager Lite acknowledges the presence of an unknown card if I install a package called bit4id-ipki. Another package called opensc makes SCM-lite detect my card reader as empty.
Old 12-04-2017, 03:38 AM   #4
LQ Newbie
Registered: Dec 2017
Posts: 3

Original Poster
Rep: Reputation: Disabled
Ok, I think I found something that explains the trouble I'm experiencing. I still have to understand how PC/SC, libccid and OpenSC interact with each other. What I know for sure is that my own signature card (ATR: 3B 9F 96 81 31 FE 9D 00 64 05 A0 03 04 31 C0 73 F7 01 D0 00 90 00 28) is a TCOS card with Eliptic Curve Crypto. This is a big surprise because usually DTAG doesn't use modern crypto unless you can fit a camel through the eye of a needle.

TCOS cards with ECC are not supported by OpenSC ( ) which means that the whole setup is not going to work as long as I have to rely on OpenSC. That raises a question: Why does secSigner work if OpenSC has no chipcard driver?


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Electronic design software for linux tommyttt Linux - Software 3 02-11-2012 06:39 AM
LXer: The Coming Electronic Health Record Software Disaster LXer Syndicated Linux News 0 09-25-2007 11:00 PM
LXer: A Tale of Modern Electronic Medical Record Software LXer Syndicated Linux News 0 08-05-2007 11:46 PM
LXer: BSA Raise Reward Up to $1 Million for Qualified Reports of Software Piracy LXer Syndicated Linux News 0 07-03-2007 12:31 AM
Electronic Design Software Integration/Application Engineer munichtexan LQ Job Marketplace [Archive] 0 10-02-2006 09:07 PM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:13 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration