[PLUG] Anyone using Digital Signature on Linux?

Thu Jul 28 14:57:25 IST 2011

On Tue, Jul 26, 2011 at 09:29:34AM +0530, Mayuresh wrote:
> Most DSC vendors have instructions tailored for MSIE and aren't sure about
> "support" on Linux.
> 
> Has anyone tried digital signatures on Linux or knows some of these
> points:

Yes, I have. It worked pretty smoothly on firefox 4 on Fedora 15 for
filing ITR.

There was no assurance from vendor that it would work and no contact of
anybody who might have tried it. I just took my chances and it worked.

> 1. Enrollment process: When you enroll for a DSC, till you download your
> certificate from your DSC vendor's site, it is advised that you do not
> upgrade your OS or touch your installation in any way. I think this is
> because the key pair that was generated should not change. But where does
> this key reside anyway till I download a DSC anyway? I checked "my
> certificates" etc. in firefox and there is nothing over there though I
> could successfully enroll.

firefox does store the keys that are generated. I don't know where.
Probably in keys.db. When you download the certificate from vendor site,
it appears in "Your certificates". From there one can export (firefox
calls it Backup) it. Firefox calls it p12 file while IE or apps like ITR
call it pfx file. You can just rename it to pfx.

pfx file is what ITR filing requires (otherwise a USB token).

> 2. There is this "USB Token" thingy that is supposed to store your DSC on
> an encrypted drive. It appears MSIE has something by which it
> automatically recognizes such drive and uses your signature. Do these USB
> tokens work on Linux. (I got contact address of the token vendor from a
> DSC vendor. I am checking with them as well.) (I don't necessarily need
> the convenience of storing etc. Point is few applications that support
> DSC, support it it in a "USB token" form directly.)

I have not tried USB token, though it appears it should work. The token
vendor has provided software for Linux and that installed fine.

> 3. What is a pfx file - particularly, does it contain the private key as
> well? When you file IT returns with DSC, it asks you to upload pfx file.
> Why should an app ask you to load a file that includes a private key?

Hmm. It does contain your private keys. Store it carefully and do not
expose to any untrusted app. ITR app perhaps just extracts public key from
this. A Govt app - one should trust perhaps!

But if you use the token method, you are safer, since it is designed such
that the private key never leaves the device.

> 4. On Linux, are there ways to sign a pdf document digitally -
> particularly one generated with latex?

None found yet. Will post if I do.

> A general remark: DSCs do not appear very cost effective in India as yet.
> A common application is to use it for ITR filing. There aren't yet too
> many places where DSC is accepted. If anyone knows any other applications,
> please do post.

I'm going to try and push its use in financial transactions that otherwise
require physical signatures. Let's see how it goes. Will definitely take
some push.

> Mayuresh.