Using JsignPDF with eObcanka in Linux

So you've got your eObcanka and purchased a fully qualified certificate from some provider (PostSignum in my case). And you've decided to generate that cert to eObcanka's protected storage to be more secured and qualified as well :) Assuming you also have purchased some smart card reader which can ber used to read eObcanka's chip. Now how to use it in Linux to sign some document. 

1st you need the middleware software for that. They provide only an Ubuntu package but it can be used in other systems as well. In my case I didn't have to make any customizations in Debian Unstable.

Then you need a software to sign your PDF which is PKCS11 capable. Currently I know about three free Linux softwares which can digitally sign a document using some hardware token (PKCS11): LibreOffice, Okular (in it's latest development version with some supporting libraries - Poppler) and JSignPDF. So ... 

• LibreOffice still quite sucks because it can sign the document but you can not place a visible mark about that anywhere. But the configuration is quite easy, IMHO it uses the same configuration as Thunderbird does.
• Also Okular still quite sucks. Configuration is also the same as Thunderbird uses so it's good. But again, there is a problem with the visible mark of the digital signature. It's better than LibreOffice beacause at least you can place the visible mark somewhere. But you can not easily configure the text properties so it looks usually quite lousy.
• So from the three mentioned softwares I use JSignPDF where you can do some fine-tunning of the visible mark.

How to configure JSignPDF to use PKCS11

So you have downloaded the latest version of JSignPDF (now it is 2.2.0, to use PKCS11 you need at least version 2.0.0) for example in ~/prg/JSignPDF. Now edit the conf/pkcs11.cfg and fill it with:

name=eObcanka
library=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so
slot=1

After that edit the file conf/conf.properties and uncomment the line

pkcs11config.path=conf/pkcs11.cfg

After this you can put your eObcanka to the card reader and run the jsignpdf.sh. It should behave like this: 

FINE Relaxing SSL security. 

FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg 

FINE PKCS11 provider registered with name SunPKCS11-eObcanka

FINE PKCS11 provider registered with name JSignPKCS11-eObcanka

Now you should see a new PKCS11 type of key and certificates storage.

Xorg, libinput, touchpad and mouse in docking station

Update (06. 02. 2017): after some recent updates of libinput and Xorg debian package, none of the following is needed. In fact I've commented the whole 20-natural-scrolling.conf config file.

---

Recently I've bought a new laptop. And decided to install a fresh new Debian testing without configuration burden from the past. One thing which I've spent the most time was to convince the X.org to invert the scrolling while using touchpad and don't invert scrolling while using the mouse to act the same way.

Yes, there is a way to do that simply with Gnome or XFCE settings manager, but that does not work for all window types. For example gnome-terminal ignores these settings :( Another way is to use directly xinput command to adjust the right property of the touchpad, but it won't survive the sleep/unsleep operation. However if someone needs that command, it is here:

xinput set-prop 12 281 1

the first number (12) can be obtained via simple xinput command, and the next (281) via xinput list-props 12 command. That is the property which description says something like

libinput Natural Scrolling Enabled (281): 0

But this is only a temporary quick-fix which won't last long and on the top of that, the xinput ID is changed every reboot.

So there are some guidelines how to do that permanently, like here or here or here. It hasn't work for me because when I looked in /var/log/Xorg.0.log I've realized that my touchpad is recognized as a regular mouse and so X.org applies the same rules on both. The final configuration is therefore little bit different and looks like this:

# cat /etc/X11/xorg.conf.d/20-natural-scrolling.conf

Section "InputClass"
       Identifier "libinput pointer catchall"
        MatchIsPointer "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
        #Option "NaturalScrolling" "true"
EndSection

Section "InputClass"
        Identifier "libinput touchpad catchall"
        MatchProduct "ImPS/2 BYD TouchPad"
        #MatchIsTouchpad "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
        Option "NaturalScrolling" "true"
EndSection

Usefull links:
https://wiki.gentoo.org/wiki/Xorg.conf – description of xorg.conf options
https://wiki.archlinux.org/index.php/Touchpad_Synaptics – commonly used tweaks for touchpad

Overgrive sync folder can not be changed during initial set up

One of the nice synchronization solution with Google drive and Linux is overGrive. However there is a bug in initial setup dialog for version 3.1.3 beta. I have just tried it in Debian testing and couldn't change the sync folder, which was by default /home/username/Google Drive. Clicking the button "change folder" didn't work. After I run the program from the terminal instead of just clicking the icon, I've realized that this occurs because '/home/username/Google Drive' doesn't exist. So I created that folder and then the changing procedure with folder select dialog run OK. In the end I had to delete that default folder. Please, The Fan Club, fix it on will.

I am writing it here because sadly I have no permission to submit the contact form on maintainer's pages :-/

CUPS backends not found after upgrade

Recently I upgraded CUPS package in my Debian. The version is now 2.0.3-10 but maybe it is not relevant. After the upgrade I had encountered a printing problem: the defined printers were not present in list. OK, I had to reinstall all the CUPS and related packages (foomatic, hplip, ...) - unfortunately I don't know which all. When all this pain was done, I was able to see the printers in the list once again. BUT: the window showing the printers said:

Backend /usr/lib/cups/backend/socket does not exist!
Backend /usr/lib/cups/backend/hp does not exist!

Google around for couple of hours and tried many different solutions. Finally I found this thread and that was it. No permission setting on /usr/lib/cups/backend/hp or parent directories was necessary. Only to invoke this command under root:

cupsenable Canon-iR-ADV-C5235-5240

Post mortem I realized, that the strange scratches through the printer icon (see the image) were not the error of the graphics driver but notification about CUPS disabled device.

Now I am about to find why the printer manager window freezes when I try to click on printer properties :)

By the way, the folder /usr/lib/cups/backend should have the proper rights:

drwxr-xr-x 2 root root 4096 lis 16 16:06 /usr/lib/cups/backend

Gluegen compilation with ANT

I have just spent two days googling and trying various things to compile Gluegen. Every time I ended with message

BUILD FAILED
/scratch/hanousek/gluegen2-2.0-rc5/make/build.xml:627: The following error occurred while executing this line:
/scratch/hanousek/gluegen2-2.0-rc5/make/build.xml:156: Problem: failed to create task or type antlr
Cause: the class org.apache.tools.ant.taskdefs.optional.ANTLR was not found.
        This looks like one of Ant's optional components.
Action: Check that the appropriate optional JAR exists in
        -/software/ant-1.9/1.9.4/lib
        -/root/.ant/lib
        -a directory added on the command line with the -lib argument
Do not panic, this is a common problem.
The commonest cause is a missing JAR.
This is not a bug; it is a configuration problem

Of course I had tried to install ANTLR, ATNLRv3 and even ANTLRv4, but with no success. Things like

ant -Dantlr.jar=/software/ant-1.9/1.9.4/lib/antlr.jar -Djunit.jar=/software/ant-1.9/1.9.4/lib/junit-4.11.jar

didn't work so don't spend a lot of time with that.
The solution is finally quite simple. Developers says that it should work with ant >= 1.8. This is wrong, at least for version 1.9.4 which I had installed. When I tried to use ant-1.6 and edited file make/build.xml to remove the ant version requirement section, everything went OK.

PSI and SSL in Debian

When you want to use a SSL/TLS plugin in jabber client PSI in Debian, you should have installed the qca-tls package.

Compiling documentation

When an error

Unknown option -force_html

appears during compilation or configuration of any documentation (for example of package xorg-doc), it means that you should have the lynx package installed.