@angelyordanov
Last active December 27, 2022 13:38
BTrust MacOS setup

Building signTextJS

  1. Clone https://github.com/angelyordanov/signTextJS
  2. Run travis/osx..install script or open it and run the steps manually
  3. Run travis/osx..script
  4. If all goes well you'll have a signtextjs_plus-0.0.0-macos.dmg in the repo root

BTrust MacOS setup

  1. Install Gemalto drivers. Open https://www.b-trust.bg/services/signature-installation, enter your email and install just the Gemalto drivers (the one behind the MacOS link).

  2. Install firefox 68 ESR and disable auto updates (source)

    • Mount Firefox 68.12.0esr.dmg and copy Firefox.app to /Applications renamed as Firefox 68 ESR

    • Remove quarantine set by macOS.

      xattr -r -d com.apple.quarantine Firefox\ 68\ ESR.app

      If you see an error on startup that says "Firefox is damaged and can’t be opened. You should move it to the Trash.", it means that you did not run this command.

    • Deploy policies.json with auto updates disabled

      cd Firefox\ 68\ ESR.app/Contents/Resources
      mkdir distribution
      cd distribution
      tee policies.json << EOF
      {
          "policies": {
              "AppAutoUpdate": false
          }
      }
      EOF
  3. Add the following root certificates to the firefox chain.

    • B-Trust Root Qualified CA

    • B-Trust Operational Qualified CA

    • B-Trust Root Advanced CA

    • B-Trust Operational Advanced CA

    • The "Advanced" certificates are only required if you want to use https://test.b-trust.org without getting an SSL error

    Option 1: Open B-Trust certification chains page in firefox and install the certificates by clicking on the PEM link and adding all checkboxes in the dialog that FF shows.

    Option 2:
    1. Set firefox to use the keychain root certs by setting security.enterprise_roots.enabled to true in about:config
    2. Open B-Trust certification chains page and download the certificates by clicking on the DER link
    3. Add them to the keychain by double clicking on each
    4. Open Keychain Access, find the certificates and move them to System
    5. Open each certificate in Keychain Access and set Always Trust on all fields

    Note: Only option 1 seems to work; option 2 fails with "error:internalError". Manually trusting the root certificate authorities in Firefox's View Certificates... dialog would probably work, but this has not been tested. See this issue for details: jasp00/signTextJS#29 (comment) (translation)

  4. Install the https://addons.mozilla.org/bg/firefox/addon/signtextjs-plus/ extension to firefox

  5. Install signtextjs' native backend

    1. Make sure you have a folder /Library/Application Support/Mozilla/NativeMessagingHosts/ (check the correct name in here)
    2. Open the signtextjs_plus-0.0.0-macos.dmg created with the build_signTextJS.md (or one downloaded from https://github.com/jasp00/signTextJS/releases)
    3. Move the two files signtextjs_plus.app and signtextjs_plus.json into the NativeMessagingHosts folder, which should be symlinked in the DMG
  6. Load the Gemalto PKCS#11 Module in Firefox

    1. In Preferences open Security Devices (at the bottom of the page)
    2. Press Load and enter Gemalto PKCS#11 Module as the module name and /Library/Gemalto/libidprimepkcs11.dylib as the module filename
    3. Close the device manager and verify your smart card by opening View Certificates... and selecting the tab Your Certificates
  7. Verify the signTextJS installation by downloading https://raw.githubusercontent.com/jasp00/signTextJS/master/test/html/test.html locally and opening it in Firefox

  8. Thank me later :)
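A preflight check for the macOS steps above, written here as an added example (it is not part of the gist or of signTextJS). It assumes the default paths the gist uses (the renamed Firefox 68 ESR.app, the NativeMessagingHosts folder and the Gemalto dylib) and lets you override them as arguments; the quarantine check is skipped on systems without xattr.

```bash
# Constructed preflight check for the macOS setup steps (not from the gist).
# Usage: run_checks [Firefox.app path] [NativeMessagingHosts dir] [PKCS#11 dylib]
set -u

# Step 2: policies.json must contain "AppAutoUpdate": false (whitespace tolerant).
policy_disables_updates() {
    local policy_file="$1"
    [ -f "$policy_file" ] || return 1
    grep -Eq '"AppAutoUpdate"[[:space:]]*:[[:space:]]*false' "$policy_file"
}

# Step 2: the quarantine attribute must be gone or Gatekeeper refuses to launch.
# Returns 2 ("unknown") where xattr is not available, i.e. off macOS.
app_is_unquarantined() {
    local app="$1"
    command -v xattr >/dev/null 2>&1 || return 2
    ! xattr -p com.apple.quarantine "$app" >/dev/null 2>&1
}

# Step 5: both native-messaging host files must sit in NativeMessagingHosts.
native_host_installed() {
    local dir="$1"
    [ -e "$dir/signtextjs_plus.app" ] && [ -f "$dir/signtextjs_plus.json" ]
}

# Step 6: the Gemalto library must exist at the path entered as module filename.
pkcs11_module_present() {
    [ -f "$1" ]
}

# Runs every check, prints one line per item and returns non-zero on any failure.
run_checks() {
    local app="${1:-/Applications/Firefox 68 ESR.app}"
    local hosts="${2:-/Library/Application Support/Mozilla/NativeMessagingHosts}"
    local module="${3:-/Library/Gemalto/libidprimepkcs11.dylib}"
    local rc=0 q=0
    policy_disables_updates "$app/Contents/Resources/distribution/policies.json" \
        && echo "ok   policies.json disables auto-update" \
        || { echo "FAIL policies.json missing or AppAutoUpdate not false"; rc=1; }
    app_is_unquarantined "$app" || q=$?
    case $q in
        0) echo "ok   quarantine attribute absent" ;;
        2) echo "skip xattr not available (not macOS)" ;;
        *) echo "FAIL quarantine still set; run: xattr -r -d com.apple.quarantine \"$app\""; rc=1 ;;
    esac
    native_host_installed "$hosts" && echo "ok   native host files present" \
        || { echo "FAIL signtextjs_plus.app/.json not in $hosts"; rc=1; }
    pkcs11_module_present "$module" && echo "ok   PKCS#11 module found" \
        || { echo "FAIL PKCS#11 module not found at $module"; rc=1; }
    return $rc
}
```

Run `run_checks` with no arguments after finishing step 7; any FAIL line names the step to redo.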

  1. Install Gemalto drivers. Open https://www.b-trust.bg/services/signature-installation, enter your email, download the installer, unarchive it with 7-Zip and install just the Gemalto drivers.

  2. Install Firefox 78 ESR and disable automatic updates by placing the following policies.json in a distribution folder next to the Firefox executable.

    C:\Program Files\Mozilla Firefox\distribution\policies.json
    
    {
      "policies": {
        "AppAutoUpdate": false
      }
    }
    
  3. Add the following root certificates to the firefox chain.

    • B-Trust Root Qualified CA

    • B-Trust Operational Qualified CA

    • B-Trust Root Advanced CA

    • B-Trust Operational Advanced CA

    • The "Advanced" certificates are only required if you want to use https://test.b-trust.org without getting an SSL error

    Open B-Trust certification chains page in firefox and install the certificates by clicking on the PEM link and adding all checkboxes in the dialog that FF shows.

  4. Install the https://addons.mozilla.org/bg/firefox/addon/signtextjs-plus/ extension to firefox

  5. Install signtextjs' native backend by downloading the latest release from the GitHub page https://github.com/jasp00/signTextJS

  6. Load the Gemalto PKCS#11 Module in Firefox

    1. In Preferences open Security Devices (at the bottom of the page)
    2. Press Load and enter Gemalto PKCS#11 Module as the module name and /Library/Gemalto/libidprimepkcs11.dylib as the module filename
    3. Close the device manager and verify your smart card by opening View Certificates... and selecting the tab Your Certificates
  7. Verify the signTextJS installation by downloading https://raw.githubusercontent.com/jasp00/signTextJS/master/test/html/test.html locally and opening it in Firefox

@marchev

marchev commented May 9, 2021

Amazing! Thanks a ton!

@teashawn

teashawn commented Sep 1, 2021

Thank you, Angel! F*ck you, B-trust!

@the-veloper

Take my internet points, bro. Thanks

@achuchev

achuchev commented Feb 7, 2022
