
@arpanetus
Last active August 24, 2022 11:59

NCALayer proper installation guide [Linux]

NCALayer is a tool for signing documents and authenticating to Kazakhstani government services such as egov.kz. It is an application written in Java and therefore has to be installed on your machine. We won't discuss the inner workings of the app much, but I strongly dislike the fact that it exists in exactly this form.

One thing we certainly have to mention is ✨safety✨ while using it:

Let us assume you've downloaded the installation files from the corresponding website (I assume you downloaded them from the actual website, at least so you have someone to blame if anything suspicious happens). Before the actual installation, remember to copy the installation files into the /tmp folder (I'll explain why later).

$ cp ncalayer.zip /tmp

Now you have to install it. You can do that from a terminal by unzipping the archive and launching the install script:

$ cd /tmp
$ unzip ncalayer.zip
$ bash ncalayer.sh

(I created a small script; you can take a look at it.)

There are actually two ways to install, which eventually end up being only one: the GUI install (the one described above) and the CLI one (you add the --nogui flag). But the CLI one doesn't work at all. You can test it yourself; I hope it's only me who has that problem. The script itself also needs a huge load of requirements to launch, and I can't understand why it couldn't be simpler.

After launching the script, you have to choose the folder, and it has to be /tmp. You can also choose some other temporary folder that clears itself on every OS start.

The GUI has two flags (or three) worth pointing out:

  1. Launch app during start
  2. Install certificates

Uncheck both of them. You don't need to install certificates right into your machine!

Great. We have NCALayer running now. Next, let's open Firefox and install the certificates. I assume Firefox is not your main browser and you use it solely for egov and NCALayer needs. If Firefox is your main browser, look for browsers based on Firefox.

Certificates

  1. Read this link to find out how to set up certificates from files. To install certificates into Firefox, read this.
  2. The certificates are located in the ncalayer.zip file and have the .crt extension. At the time this guide was written, they were located in the /tmp/additions/cert folder.
  3. DO NOT INSTALL the root_rca.rct file

Why Firefox?

You can't access government services without those certificates. But you have to isolate the government-issued root CA from your other root CAs; otherwise a MITM might happen. This is not necessarily distrust towards the government; their data security policies might also be lacking. I mean, if a government service or some middle node is hacked, they can basically sniff your HTTPS traffic easily, and that's not only about your private messages: your bank card data might be sniffed as well. Better safe than sorry! Since Firefox is the only browser that keeps its own certificate store separate from the system one, I prefer Firefox over having a VM.

We have already covered installing into the /tmp folder. Now let's ask why. I don't know what's inside the bundled Java bytecode (you can see it in the ncalayer.sh installation file, which embeds that bytecode). The bytecode might contain anything (it would be even better to use a VM for that reason, or AppArmor or Firejail). And we're not even covering the network side of the installation guide (restricting connections to websites other than the government ones). Still, placing it in /tmp, where it is deleted on every OS start, makes NCALayer's ports inaccessible to other websites whenever it isn't running.

There are some websites that use NCALayer, and that can use it. For example, document signing services are able to do so (I don't want to advertise the one I used; it's absolutely horrible). Ports 13579 and 8443 are the ones contacted there, so by running NCALayer only when you need it you reduce the chances of unwanted websites trying to get some data from NCALayer (or you).
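As an added example (not the gist author's script), here is a small POSIX shell helper that puts the steps above together: it stages the installer under /tmp, lists the .crt files to import into Firefox while skipping root_rca.*, and reads `ss -ltn` output to check whether ports 13579 and 8443 are bound to loopback only. The certificate file names in the test and the ss output embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the gist. Stages the installer under /tmp,
# lists the certificates to import into Firefox (everything except
# root_rca.*), and checks whether NCALayer's ports 13579/8443 are listening
# and on which address. The additions/cert layout is the one the guide names.
set -u

# Fresh staging directory under /tmp, so it disappears on the next reboot.
stage_dir() {
  mktemp -d /tmp/ncalayer.XXXXXX
}

# Print the .crt files under $1/additions/cert except root_rca.*, sorted.
certs_to_import() {
  find "$1/additions/cert" -type f -name '*.crt' ! -name 'root_rca.*' 2>/dev/null | sort
}

# Read `ss -ltn` output on stdin and print "port address verdict" for each
# NCALayer port that is listening. Anything not bound to loopback is EXPOSED,
# i.e. reachable from other hosts, not just from the browser on this machine.
ncalayer_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (port == "13579" || port == "8443") {
      verdict = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback" : "EXPOSED"
      print port, addr, verdict
    }
  }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# port 13579 on loopback, port 8443 on all interfaces, plus an unrelated sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:13579     0.0.0.0:*
LISTEN 0      50     *:8443              *:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Stand-alone demo on the constructed sample. On a live system, run:
#   ss -ltn | ncalayer_listeners
printf '%s\n' "$SAMPLE_SS" | ncalayer_listeners
```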

NCALayer is an app that requires a lot of security and care. Since one can basically do whatever they'd like with your signing data, you always have to make sure your app is up to date. I mean check for the latest version whenever you use it, since security fixes may show up. And again, they're really vital!

Same reason I mentioned above.

@arpanetus
Author

arpanetus commented Aug 24, 2022

Add some changes made by @carnotaur, thanks a lot
