According to RBC and Tensor, in 2019 Russia will issue 4.6 million certificates of qualified electronic signatures (QES) that meet the requirements of 63-FZ. With 8 million registered individual entrepreneurs and LLCs, that means every second business uses an electronic signature. Besides the CEP for EGAIS and the cloud-based CEP for reporting issued by banks and accounting services, universal CEP on secure tokens are of particular interest: such certificates let you log in to government portals and sign any documents, making them legally significant.
Thanks to the CEP certificate on a USB token, you can remotely conclude an agreement with a counterparty or a remote employee, send documents to the court; register an online cash desk, settle tax debts and submit a declaration in your personal account on nalog.ru; learn about debts and upcoming inspections at the State Services.
The guide below will help work with CEP under macOS – without studying the CryptoPro forums and installing a virtual machine with Windows.
Content
What you need to work with CEP under macOS:
Installing and configuring CEP for macOS
Install CryptoPro CSP
Install Rutoken drivers
Installing certificates
3.1. Delete all old GOST certificates
3.2. Installing root certificates
3.3. Download certificates of a certification authority
3.4. Install certificate with Rutoken
Install a special browser Chromium-GOST
Installing browser extensions
5.1. CryptoPro EDS Browser plug-in
5.2. Plugin for public services
5.3. Setting up a plugin for public services
5.4. Activate extensions
5.5. Setting up the CryptoPro EDS Browser plug-in extension
Checking that everything is working
6.1. Go to the CryptoPro test page
6.2. We go to the Personal Account on nalog.ru
6.3. Go to public services
What to do if it stops working
Changing the container PIN
Finding out the name of the CEP container
Changing the PIN with a command from the terminal
Signing files in macOS
We find out the hash of the CEP certificate
Signing a file with a command from the terminal
Installing Apple Automator Script
Check the signature on the document
All information below is obtained from reputable sources (CryptoPro #1 and #2, Rutoken, Korus-Consulting, the Ural Federal District branch of the Ministry of Telecom and Mass Communications), and the software is offered for download from trusted sites. The author is an independent consultant and is not affiliated with any of the companies mentioned. By following these instructions, you assume all responsibility for any actions and consequences.
What you need to work with CEP under macOS:
CEP on USB-token Rutoken Lite or Rutoken EDS
crypto container in CryptoPro format
with built-in license for CryptoPro CSP
eToken and JaCarta tokens are not supported with CryptoPro under macOS. Rutoken Lite is the best choice: it costs 500 to 1000 rubles, works quickly and can store up to 15 keys.
The crypto providers VipNet, Signal-COM and LISSI are not supported on macOS, and there is no way to convert their containers. CryptoPro is the best choice; a certificate should cost about 1300 rubles for individual entrepreneurs and 1600 rubles for legal entities.
Usually an annual CryptoPro CSP license is already included in the certificate and is provided by many CAs for free. If not, you need to buy and activate a perpetual CryptoPro CSP license, strictly version 4, costing 2700 rubles. CryptoPro CSP version 5 does not currently work under macOS.
Installing and configuring CEP for macOS
Obvious things
all downloaded files are downloaded to the default directory: ~/Downloads/;
in all installers we do not change anything, we leave everything by default;
if macOS warns that the software being launched is from an unidentified developer, confirm the launch in System Preferences -> Security & Privacy -> Open Anyway;
if macOS asks for a user password and permission to manage the computer, you need to enter the password and agree with everything.
The Rutoken site says it is optional, but it is better to install it: from the download page on the Rutoken website, download and install the Keychain support module (KeyChain).
Next, connect the usb token, launch the terminal and execute the command:
/opt/cprocsp/bin/csptest -card -enum -v
The answer should be:
Active Rutoken…
Card present…
[ErrorCode: 0x00000000]
3. Install certificates
3.1. Delete all old GOST certificates
If there were earlier attempts to run CEP under macOS, you need to clean out all previously installed certificates. The terminal commands below delete only CryptoPro certificates and do not affect the regular certificates in the macOS Keychain.
3.2. Installing root certificates
Root certificates are common to all CEPs issued by any certification authority. Download them from the download page of the Ural Federal District branch of the Ministry of Telecom and Mass Communications:
3.3. Download certificates of a certification authority
Next, you need to install the certificates of the certification authority in which you issued the CEP. Typically, the root certificates of each CA are located on its website in the downloads section.
Alternatively, the certificates of any CA can be downloaded from the website of the Ural Federal District branch of the Ministry of Telecom and Mass Communications. To do this, find the CA by name in the search form, go to its certificates page and download all currently valid certificates, that is, those for which the second date in the 'Valid' field has not yet passed. Download each one via the link in the 'Fingerprint' field.
Using CA Korus-Consulting as an example, you need to download 4 certificates from its download page:
where the names after ~/Downloads/ are the downloaded files; they differ for each CA.
Each command must return:
Installation:
...
[ErrorCode: 0x00000000]
3.4. Install certificate with Rutoken
Command in terminal:
/opt/cprocsp/bin/csptestf -absorb -certs
The command should return:
OK.
[ErrorCode: 0x00000000]
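Every step in this section is checked by looking for the `[ErrorCode: 0x00000000]` trailer that the CryptoPro console tools print as their last line. The wrapper below is an added example, not code from the original article or from CryptoPro: it runs any such command and fails unless both the exit status and that trailer report success, so a script cannot silently continue after a failed install. The stub commands that exercise it are constructed, and the error value 0x80090016 (NTE_BAD_KEYSET) is only a sample.

```shell
#!/bin/sh
# Added example (not from the original article): run a CryptoPro console
# tool and treat the trailing "[ErrorCode: 0x00000000]" line as the real
# success signal, so a script cannot silently continue after a failure.
# Assumption: every /opt/cprocsp/bin tool prints that trailer as its last line.

cp_run() {
    # $@ is the full command, e.g. /opt/cprocsp/bin/csptest -card -enum -v
    cp_out=$("$@" 2>&1)
    cp_status=$?
    # Pull the hex value out of the last "[ErrorCode: 0x........]" line.
    cp_code=$(printf '%s\n' "$cp_out" \
        | sed -n 's/.*\[ErrorCode: \(0x[0-9A-Fa-f]*\)\].*/\1/p' | tail -n 1)
    if [ "$cp_status" -eq 0 ] && [ "$cp_code" = "0x00000000" ]; then
        printf '%s\n' "$cp_out"
        return 0
    fi
    printf 'FAILED: %s (exit %s, ErrorCode %s)\n' \
        "$*" "$cp_status" "${cp_code:-missing}" >&2
    return 1
}

# Constructed stand-ins for the real tools so the wrapper can be exercised
# without a token; replace them with the real /opt/cprocsp/bin paths.
stub_token_ok() {
    printf 'Active Rutoken...\nCard present...\n[ErrorCode: 0x00000000]\n'
}
stub_token_missing() {
    # sample failure: 0x80090016 is NTE_BAD_KEYSET
    printf 'Error: no keyset\n[ErrorCode: 0x80090016]\n'
    return 1
}
stub_no_trailer() {
    # a tool that exited 0 but never printed the trailer is still a failure
    printf 'something unexpected\n'
}

# Usage with the real tools, chaining the checks from sections 3 and 7:
#   cp_run /opt/cprocsp/bin/csptest -card -enum -v \
#     && cp_run /opt/cprocsp/bin/csptestf -absorb -certs
```

Chaining the steps with `&&` through `cp_run` stops at the first command whose trailer is not `0x00000000`, which is what you want when re-running the install after a failure.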
4. Install a special browser Chromium-GOST
To work with state portals you will need a special build of the Chromium browser, Chromium-GOST. The project's source code is open; the link to the GitHub repository is given on the CryptoPro website. From experience, the other browsers CryptoFox and Yandex Browser are not suitable for working with state portals under macOS. Note that in some builds of Chromium-GOST the personal account on nalog.ru may freeze or scrolling may stop working altogether, so the old, proven build 71.0.3578.98 is recommended.
Download and unpack the archive, then install the browser by copying or dragging it into the Applications directory. After installation, force-close Chromium and do not open it yet; we keep working from Safari:
killall Chromium-Gost
5. Install browser extensions
5.1. CryptoPro EDS Browser plug-in
From the download page on the CryptoPro website, download and install CryptoPro EDS Browser plug-in version 2.0 for users.
5.2. Plugin for public services
From the download page on the State Services portal, download and install the Plugin for working with the public services portal (macOS version).
5.3. Setting up a plugin for public services
Download the correct configuration file for the State Services extension from the CryptoPro website.
6. Checking that everything is working
6.1. Go to the CryptoPro test page
The page should say “Plugin loaded”, and your certificate should be listed below.
Select a certificate from the list and click Sign. The certificate PIN will be requested. As a result, it should display
Signature generated successfully
6.2. We go to the Personal Account on nalog.ru
You may not be able to open the personal account via links from the nalog.ru site, because its checks will not pass. Go to the direct links instead:
Personal account of an individual entrepreneur: https://lkipgost.nalog.ru/lk
Personal account of a legal entity: https://lkul.nalog.ru
6.3. Go to public services
When logging in, select "Login using an electronic signature." The “Select a certificate of the electronic signature verification key” list that appears shows all certificates, including the root and CA ones; select your own certificate from the usb token and enter the PIN.
7. What to do if it stops working
We reconnect the usb token and check that it is visible using the command in the terminal:
sudo /opt/cprocsp/bin/csptest -card -enum -v
We clear the browser cache for all time; to do this, type in the address bar of Chromium-Gost:
chrome://settings/clearBrowserData
Reinstall the CEP certificate using the command in the terminal:
/opt/cprocsp/bin/csptestf -absorb -certs
Changing the container PIN
The default user PIN for Rutoken is 12345678, and it must not be left like this. Rutoken PIN requirements: 16 characters maximum, may contain Latin letters and digits.
1. Find out the name of the CEP container
Multiple certificates can be stored on the usb token and other storages, and you need to choose the right one. With the usb token inserted, we get a list of all containers in the system with the command in the terminal:
The command must output at least 1 container and return
[ErrorCode: 0x00000000]
The container we need looks like:
\\.\Active Rutoken lite\XXXXXXXX
If several such containers are displayed, several certificates are recorded on the token, and you know which one you need. The value XXXXXXXX after the last backslash must be copied and pasted into the command below.
2. Changing the PIN with a command from the terminal
where XXXXXXXX is the name of the container obtained in step 1 (the quotation marks are required).
A CryptoPro dialog will appear asking for the old PIN to access the certificate, then another dialog to enter the new PIN. Ready.
Signing files in macOS
On macOS, files can be signed in the CryptoArm application (a license costs 2500 rubles) or, for free, with a simple command in the terminal.
1. We find out the hash of the CEP certificate
There can be several certificates on the token and in other stores, so the one we will sign documents with from now on must be identified unambiguously. This is done once.
The token must be inserted. We get a list of certificates in the repositories with a command from the terminal:
/opt/cprocsp/bin/certmgr -list
The command must output at least 1 certificate of the form:
The certificate we need must have a Container value of the form SCARD\rutoken…. If several certificates have such values, several certificates are recorded on the token, and you know which one you need. The value of the SHA1 Hash parameter (40 characters) must be copied and substituted into the command below.
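Both the container step in "Changing the container PIN" and the thumbprint step here come down to the same task: pull one value out of a tool listing and stop if more than one candidate matches, instead of pasting the wrong one into a PIN change or a signing command. The script below is an added example, not code from the original article or from CryptoPro; it assumes container names are printed as `\\.\Active Rutoken <model>\NAME` and that `certmgr -list` prints `SHA1 Hash :` and `Container :` lines per certificate, as described above. The two listings it parses are constructed samples, and the `csptest -keyset -enum_cont -verifycontext -fqcn` invocation in the trailing comment is the standard CryptoPro container listing command, stated here as an assumption because the guide's own command did not survive.

```shell
#!/bin/sh
# Added example (not from the original article or from CryptoPro): pick out
# the Rutoken container name and the certificate thumbprint from the tool
# listings, and refuse to guess when more than one candidate is present.
# Assumptions: container names look like \\.\Active Rutoken <model>\NAME and
# certmgr -list prints "SHA1 Hash : <hex>" and "Container : <path>" per cert.

# Keep only the NAME part of every \\.\Active Rutoken ...\NAME line.
rutoken_containers() {
    sed -n 's/^\\\\\.\\Active Rutoken [^\\]*\\\(.*\)$/\1/p'
}

# Print the SHA1 thumbprint of every certificate whose private key lives in a
# SCARD\rutoken container; certificates in other stores are skipped.
rutoken_thumbprints() {
    awk '
        function flush() { if (on_token && hash != "") print hash; hash = ""; on_token = 0 }
        /^[0-9]+-------/ { flush() }        # "1-------" starts a new record
        /^SHA1 Hash/     { split($0, f, ": *"); hash = f[2]
                           sub(/^0x/, "", hash); gsub(/[ \t\r]+$/, "", hash) }
        /^Container/     { if ($0 ~ /: *SCARD\\rutoken/) on_token = 1 }
        END              { flush() }
    '
}

# Succeed only when exactly one line arrived on stdin, and print it.
pick_one() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        chosen=$line
    done
    [ "$n" -eq 1 ] || { printf 'expected exactly one candidate, got %s\n' "$n" >&2; return 1; }
    printf '%s\n' "$chosen"
}

# Constructed sample listings (not real tool output): one token container and
# one disk container; two certificates, of which only one is on the token.
SAMPLE_CONTAINERS='CSP (Type:80) v4.0.9017 KC1 Release
AcquireContext: OK. HCRYPTPROV: 26024123
\\.\Active Rutoken lite\a1b2c3d4
\\.\HDIMAGE\test-2019
OK.
[ErrorCode: 0x00000000]'

SAMPLE_CERTS='=============================================================================
1-------
Subject             : CN=Test CA, O=Example CA (constructed)
SHA1 Hash           : 1111111111111111111111111111111111111111
PrivateKey Link     : No
=============================================================================
2-------
Subject             : CN=Ivanov I.I., O=Example LLC (constructed)
SHA1 Hash           : 0xabcdef0123456789abcdef0123456789abcdef01
PrivateKey Link     : Yes
Container           : SCARD\rutoken_lt_a1b2c3d4\0A18\C5C0
============================================================================='

container_name() { printf '%s\n' "$SAMPLE_CONTAINERS" | rutoken_containers | pick_one; }
cert_thumbprint() { printf '%s\n' "$SAMPLE_CERTS" | rutoken_thumbprints | pick_one; }

# With the real tools installed (listing command assumed, see lead-in):
#   /opt/cprocsp/bin/csptest -keyset -enum_cont -verifycontext -fqcn | rutoken_containers | pick_one
#   /opt/cprocsp/bin/certmgr -list | rutoken_thumbprints | pick_one
```

`pick_one` is deliberately strict: with two keys on the token it exits non-zero rather than silently taking the first one, so a wrapper around the PIN change or the signing command cannot act on the wrong key. The thumbprint is also normalised (leading `0x` and trailing whitespace removed) so it can be pasted straight into the Automator script in section 3.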
2. Signing a file with a command from the terminal
In the terminal, go to the directory with the file to sign and execute the command:
where XXXX… is the certificate hash obtained in step 1, and FILE is the name of the file to sign (with all extensions, but without the path).
The command should return:
Signed message is created.
[ErrorCode: 0x00000000]
An electronic signature file with the *.sgn extension will be created - this is a detached signature in CMS format with DER encoding.
3. Install Apple Automator Script
To avoid working in the terminal every time, you can install the Automator Script once and then sign documents from the Finder context menu. To do this, download the archive.
Unpack the archive 'Sign with CryptoPro.zip'
Run Automator
Find and open the unpacked file 'Sign with CryptoPro.workflow'
In the block Run Shell Script change text XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX to the parameter value SHA1 Hash CEP certificate received above.
Save the script: ⌘Command + S
Run the file 'Sign with CryptoPro.workflow' and confirm the installation.
Go to System Preferences -> Extensions -> Finder and check that Sign with CryptoPro quick action is checked.
In the Finder, open the context menu of any file and, in the Quick Actions and/or Services section, select Sign with CryptoPro
In the CryptoPro dialog that appears, enter the user PIN of the CEP
A file with the *.sgn extension will appear in the current directory - a detached signature in CMS format with DER encoding.
Screenshots (not reproduced): Apple Automator window; System Preferences; Finder context menu.
Check the signature on the document
If the document contains nothing confidential, the easiest way is to use the web service on the State Services portal, https://www.gosuslugi.ru/pgu/eds. That way you can take a screenshot from an authoritative resource and be sure that the signature is in order.