Qualified electronic signature for macOS

According to RBC and Tensor, in 2019 Russia will issue 4.6 million certificates of qualified electronic signatures (QES, referred to below as CEP) that meet the requirements of 63-FZ. It turns out that, out of 8 million registered individual entrepreneurs and LLCs, every second entrepreneur uses an electronic signature. In addition to CEP for EGAIS and the cloud-based CEP for reporting issued by banks and accounting services, universal CEP on secure tokens is of particular interest. Such certificates allow you to log in to government portals and sign any documents, making them legally significant.

Thanks to the CEP certificate on a USB token, you can remotely conclude an agreement with a counterparty or a remote employee, send documents to the court; register an online cash desk, settle tax debts and submit a declaration in your personal account on nalog.ru; learn about debts and upcoming inspections at the State Services.

The guide below will help you work with CEP under macOS, without studying the CryptoPro forums or installing a virtual machine with Windows.


Contents

What you need to work with CEP under macOS:

Installing and configuring CEP for macOS

  1. Install CryptoPro CSP
  2. Install Rutoken drivers
  3. Installing certificates
    3.1. Delete all old GOST certificates
    3.2. Installing root certificates
    3.3. Download certificates of a certification authority
    3.4. Install certificate with Rutoken
  4. Install a special browser Chromium-GOST
  5. Installing browser extensions
    5.1 CryptoPro EDS Browser plug-in
    5.2. Plugin for public services
    5.3. Setting up a plugin for public services
    5.4. Activate extensions
    5.5. Setting up the CryptoPro EDS Browser plug-in extension
  6. Checking that everything is working
    6.1. Go to the CryptoPro test page
    6.2. We go to the Personal Account on nalog.ru
    6.3. Go to public services
  7. What to do if it stops working

Changing the container PIN

  1. Finding out the name of the CEP container
  2. Changing the PIN with a command from the terminal

Signing files in macOS

  1. We find out the hash of the CEP certificate
  2. Signing a file with a command from the terminal
  3. Installing Apple Automator Script

Check the signature on the document

All information below is obtained from reputable sources (CryptoPro #1 and #2, Rutoken, Korus-Consulting, Ural Federal District office of the Ministry of Telecom and Mass Communications), and the software is offered for download from trusted sites. The author is an independent consultant and is not affiliated with any of the companies mentioned. By following these instructions, you assume all responsibility for any actions and consequences.

What you need to work with CEP under macOS:

  1. CEP on a USB token, Rutoken Lite or Rutoken EDS
  2. a crypto container in CryptoPro format
  3. with a built-in license for CryptoPro CSP

eToken and JaCarta carriers in conjunction with CryptoPro under macOS are not supported. The Rutoken Lite carrier is the best choice: it costs 500 to 1000 rubles, works fast and can store up to 15 keys.

The crypto providers VipNet, Signal-COM and LISSI are not supported on macOS, and there is no way to convert their containers. CryptoPro is the best choice; the certificate should cost about 1300 rubles for individual entrepreneurs and 1600 rubles for legal entities.

Usually, an annual license for CryptoPro CSP is already included in the certificate and is provided by many CAs for free. If this is not the case, you need to buy and activate a perpetual license for CryptoPro CSP, strictly version 4, for 2700 rubles. CryptoPro CSP version 5 does not work under macOS at the moment.

Installing and configuring CEP for macOS

Obvious things

  • all downloaded files are downloaded to the default directory: ~/Downloads/;
  • in all installers we do not change anything, we leave everything by default;
  • if macOS displays a warning that the software being launched is from an unidentified developer, you need to confirm the launch in the system settings: System Preferences —> Security & Privacy —> Open Anyway;
  • if macOS asks for a user password and permission to manage the computer, you need to enter the password and agree with everything.

1. Install CryptoPro CSP

From the download page on the CryptoPro website, download and install CryptoPro CSP 4.0 R4 for macOS - download.

2. Install Rutoken drivers

The site says that it is optional, but it is better to install it. So, from the download page on the Rutoken website, download and install the Keychain support module (KeyChain) - download.

Next, connect the usb token, launch the terminal and execute the command:

/opt/cprocsp/bin/csptest -card -enum -v

The answer should be:

Active Rutoken…
Card present…
[ErrorCode: 0x00000000]

3. Install certificates

3.1. Delete all old GOST certificates

If earlier there were attempts to run CEP under macOS, then you need to clean up all previously installed certificates. These commands in the terminal will only delete CryptoPro certificates and will not affect regular certificates from Keychain in macOS.

sudo /opt/cprocsp/bin/certmgr -delete -all -store mroot

sudo /opt/cprocsp/bin/certmgr -delete -all -store uroot

/opt/cprocsp/bin/certmgr -delete -all

The response of each command should be:

No certificate matching the criteria

or

Deleting complete

3.2. Installing root certificates

Root certificates are common to all CEPs issued by any certification authority. Download them from the download page of the Ural Federal District office of the Ministry of Telecom and Mass Communications:

Install with commands in the terminal:

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/4BC6DC14D97010C41A26E058AD851F81C842415A.cer

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/8CAE88BBFD404A7A53630864F9033606E1DC45E2.cer

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/0408435EB90E5C8796A160E69E4BFAC453435D1D.cer

Each command must return:

Installation:
...
[ErrorCode: 0x00000000]

3.3. Download certificates of a certification authority

Next, you need to install the certificates of the certification authority in which you issued the CEP. Typically, the root certificates of each CA are located on its website in the downloads section.

Alternatively, the certificates of any CA can be downloaded from the website of the Ural Federal District office of the Ministry of Telecom and Mass Communications. To do this, find the CA by name in the search form, go to the page with its certificates and download all currently valid ones, that is, those whose 'Valid' field shows an end date that has not yet arrived. Download each from the link in the 'Fingerprint' field.

Screenshots (images not reproduced here).

Using CA Korus-Consulting as an example: you need to download 4 certificates from the download page:

Install the downloaded CA certificates with commands from the terminal:

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/B9F1D3F78971D48C34AA73786CDCD138477FEE3F.cer

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/A0D19D700E2A5F1CAFCE82D3EFE49A0D882559DF.cer

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/55EC48193B6716D38E80BD9D1D2D827BC8A07DE3.cer

sudo /opt/cprocsp/bin/certmgr -inst -store mroot -f ~/Downloads/15EB064ABCB96C5AFCE22B9FEA52A1964637D101.cer

where the names after ~/Downloads/ are those of the downloaded files; they differ for each CA.

Each command must return:

Installation:
...
[ErrorCode: 0x00000000]

3.4. Install certificate with Rutoken

Command in terminal:

/opt/cprocsp/bin/csptestf -absorb -certs

The command should return:

OKAY.
[ErrorCode: 0x00000000]
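As an added example (not code from the original article or from CryptoPro), the whole of step 3 folded into one shell script: it wipes the old GOST certificates, installs every .cer file from a directory into the machine root store and imports the certificates from the token, checking the final [ErrorCode: ...] line of each CryptoPro command rather than trusting its exit status. Machine-store calls go through sudo while the user-store cleanup and the token import run as the current user, exactly as the separate commands above do. It assumes CryptoPro CSP under /opt/cprocsp and the .cer files in ~/Downloads; CERTMGR, CSPTESTF, SUDO and CERT_DIR are this script's own variables (there so the tools can be swapped out), not CryptoPro options.

```shell
#!/bin/sh
# Added example, not the article's code: step 3 (clean, install CA certs, import
# the token certificate) as one script. Assumptions: CryptoPro CSP lives under
# /opt/cprocsp; the downloaded .cer files are in ~/Downloads. The variables below
# are this script's own conventions, not CryptoPro options.
CERTMGR="${CERTMGR:-/opt/cprocsp/bin/certmgr}"
CSPTESTF="${CSPTESTF:-/opt/cprocsp/bin/csptestf}"
SUDO="${SUDO-sudo}"                 # machine stores (mroot/uroot) need root
CERT_DIR="${CERT_DIR:-$HOME/Downloads}"

# cp_ok OUTPUT: succeed only if the last line is a zero CryptoPro error code.
# The tools can exit 0 while reporting a failure, so this line is the reliable signal.
cp_ok() {
    printf '%s\n' "$1" | tail -n 1 | grep -q '^\[ErrorCode: 0x00000000\]$'
}

# clean_old_certs: step 3.1. Either of the two messages the article expects counts
# as success; anything else aborts so a half-cleaned state is noticed.
clean_old_certs() {
    out1="$($SUDO "$CERTMGR" -delete -all -store mroot 2>&1)"
    out2="$($SUDO "$CERTMGR" -delete -all -store uroot 2>&1)"
    out3="$("$CERTMGR" -delete -all 2>&1)"        # user store: no sudo
    for out in "$out1" "$out2" "$out3"; do
        printf '%s\n' "$out" | grep -q -e 'No certificate matching the criteria' -e 'Deleting complete' \
            || { echo "cleanup failed: $out" >&2; return 1; }
    done
}

# install_cert FILE: steps 3.2/3.3 for one certificate, into the machine root store.
install_cert() {
    out="$($SUDO "$CERTMGR" -inst -store mroot -f "$1" 2>&1)"
    printf '%s\n' "$out"
    cp_ok "$out"
}

# install_all_certs: install every *.cer in CERT_DIR; the return value is the
# number of files whose installation reported a non-zero error code.
install_all_certs() {
    fails=0; count=0
    for f in "$CERT_DIR"/*.cer; do
        [ -e "$f" ] || continue                   # no .cer files at all
        count=$((count + 1))
        if install_cert "$f"; then echo "OK   $f"; else echo "FAIL $f" >&2; fails=$((fails + 1)); fi
    done
    echo "installed $((count - fails)) of $count certificate(s)"
    return "$fails"
}

# absorb_token_certs: step 3.4, reading the certificate from the inserted Rutoken.
absorb_token_certs() {
    out="$("$CSPTESTF" -absorb -certs 2>&1)"
    printf '%s\n' "$out"
    cp_ok "$out"
}

# setup_certs: the three steps in order, stopping at the first failure.
setup_certs() {
    clean_old_certs && install_all_certs && absorb_token_certs
}
```

Run it as the normal user (sudo is invoked only where the article uses it), then re-run only install_all_certs after adding the CA's certificates for a second CA.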

4. Install a special browser Chromium-GOST

To work with state portals, you will need a special build of the Chromium browser, Chromium-GOST. The project's source code is open; the link to the repository on GitHub is given on the CryptoPro website. From experience, the other browsers, CryptoFox and Yandex.Browser, are not suitable for working with state portals under macOS. Keep in mind that in some builds of Chromium-GOST the personal account on nalog.ru may freeze or scrolling stops working altogether, so the old proven build 71.0.3578.98 is offered - download.


Download and unpack the archive, then install the browser by copying or dragging it to the Applications directory. After installation, force-quit Chromium with the command below and do not open it yet; we continue working from Safari.

killall Chromium-Gost

5. Install browser extensions

5.1 CryptoPro EDS Browser plug-in

From the download page on the CryptoPro website, download and install CryptoPro EDS Browser plug-in version 2.0 for users - download.

5.2. Plugin for public services

From the download page on the State Services portal, download and install the plugin for working with the public services portal (macOS version) - download.

5.3. Setting up a plugin for public services

Download the correct configuration file for the State Services extension from the CryptoPro website - download.

Execute commands in terminal:

sudo rm "/Library/Internet Plug-Ins/IFCPlugin.plugin/Contents/ifc.cfg"

sudo cp ~/Downloads/ifc.cfg "/Library/Internet Plug-Ins/IFCPlugin.plugin/Contents"

sudo mkdir -p "/Library/Application Support/Chromium/NativeMessagingHosts"

sudo cp /Library/Google/Chrome/NativeMessagingHosts/ru.rtlabs.ifcplugin.json "/Library/Application Support/Chromium/NativeMessagingHosts"

(The paths contain spaces, so they must be quoted; the mkdir only creates the Chromium native-messaging directory if it does not exist yet.)

5.4. Activate extensions

Launch the Chromium-Gost browser and type in the address bar:

chrome://extensions/

Enable both installed extensions:

  • CryptoPro Extension for CAdES Browser Plug-in
  • Extension for the public services plugin

Screenshot (image not reproduced here).

5.5. Setting up the CryptoPro EDS Browser plug-in extension

In the address bar of Chromium-Gost we type:

/etc/opt/cprocsp/trusted_sites.html

On the page that appears, add sites in turn to the list of trusted hosts:

https://*.cryptopro.ru
https://*.nalog.ru
https://*.gosuslugi.ru

Click "Save". A green box should appear:

The list of trusted hosts has been successfully saved.

Screenshot (image not reproduced here).

6. Check that everything works

6.1. Go to the CryptoPro test page

In the address bar of Chromium-Gost we type:

https://www.cryptopro.ru/sites/default/files/products/cades/demopage/cades_bes_sample.html

It should say “Plugin loaded” and your certificate should be listed below.
Select a certificate from the list and click Sign. The certificate PIN will be requested. As a result, it should display

Signature generated successfully

Screenshot (image not reproduced here).

6.2. We go to the Personal Account on nalog.ru

You may not be able to open the links from the nalog.ru site, because its browser checks will not pass. Go to the direct links instead:

  • Personal account for individual entrepreneurs: https://lkipgost.nalog.ru/lk
  • Personal account for legal entities: https://lkul.nalog.ru

Screenshot (image not reproduced here).

6.3. Go to public services

When logging in, select "Login using an electronic signature". The "Select an electronic signature verification key certificate" list that appears shows all certificates, including the root and CA ones; select yours from the USB token and enter the PIN.

Screenshot (images not reproduced here).

7. What to do if it stops working

  1. Reconnect the USB token and check that it is visible using the command in the terminal:

    sudo /opt/cprocsp/bin/csptest -card -enum -v

  2. Clear the browser cache for all time; to do this, type in the address bar of Chromium-Gost:

    chrome://settings/clearBrowserData

  3. Reinstall the CEP certificate using the command in the terminal:

    /opt/cprocsp/bin/csptestf -absorb -certs

Changing the container PIN

The default user PIN for a Rutoken is 12345678, and you must not leave it like this. Rutoken PIN requirements: 16 characters max., may contain Latin letters and digits.

1. Find out the name of the CEP container

Several certificates can be stored on the USB token and in other stores, and you need to pick the right one. With the USB token inserted, get the list of all containers in the system with the command in the terminal:

/opt/cprocsp/bin/csptest -keyset -enum_cont -fqcn -verifycontext

The command must output at least 1 container and return

[ErrorCode: 0x00000000]

The container we need looks like

\\.\Active Rutoken lite\XXXXXXXX

If several such containers are displayed, several certificates are recorded on the token, and you know which one you need. Copy the value XXXXXXXX after the last backslash and paste it into the command below.

2. Changing the PIN with a command from the terminal

/opt/cprocsp/bin/csptest -passwd -qchange -container "XXXXXXXX"

where XXXXXXXX is the name of the container obtained in step 1 (the quotation marks are required).

A CryptoPro dialog will appear asking for the old PIN to access the certificate, then another dialog to enter the new PIN. Ready.

Screenshot (image not reproduced here).

Signing files in macOS

On macOS, files can be signed with the CryptoArm software (a license costs 2500 rubles) or, for free, with a simple command in the terminal.

1. We find out the hash of the CEP certificate

There can be several certificates on the token and in other stores. We need to uniquely identify the one we will sign documents with from now on; this is done once.
The token must be inserted. Get the list of certificates in the stores with a command from the terminal:

/opt/cprocsp/bin/certmgr -list

The command must output at least 1 certificate of the form:

Certmgr 1.1 © "Crypto-Pro", 2007-2018.
program for managing certificates, CRLs and stores
= = = = = = = = = = = = = = = = = = = = = =
1-------
Issuer: [email protected],… CN=LLC KORUS Consulting CIS…
Subject: [email protected],… CN=Zakharov Sergei Anatolyevich…
Serial: 0x0000000000000000000000000000000000
SHA1 Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
Container: SCARD\rutoken_lt_00000000\000\000
...
= = = = = = = = = = = = = = = = = = = = = =
[ErrorCode: 0x00000000]

The certificate we need has a Container value of the form SCARD\rutoken…. If several certificates have such values, several certificates are recorded on the token, and you know which one you need. Copy the SHA1 Hash value (40 characters) and substitute it into the command below.

2. Signing a file with a command from the terminal

In the terminal, go to the directory with the file to sign and execute the command:

/opt/cprocsp/bin/cryptcp -signf -detach -cert -der -strict -thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX FILE

where XXXX… is the certificate hash obtained in step 1 (Latin letters and digits only; do not paste it from a source that substitutes look-alike characters), and FILE is the name of the file to sign (with all extensions, but without the path).

The command should return:

Signed message is created.
[ErrorCode: 0x00000000]

An electronic signature file with the *.sgn extension will be created - this is a detached signature in CMS format with DER encoding.

3. Install Apple Automator Script

In order not to work with the terminal every time, you can install Automator Script once, with which you can sign documents from the Finder context menu. To do this, download the archive - download.

  1. Unpack the archive 'Sign with CryptoPro.zip'
  2. Run Automator
  3. Find and open the unpacked file 'Sign with CryptoPro.workflow'
  4. In the Run Shell Script block, replace the text XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX with the SHA1 Hash value of the CEP certificate obtained above.
  5. Save the script: ⌘Command + S
  6. Run the file 'Sign with CryptoPro.workflow' and confirm the installation.
  7. Go to System Preferences -> Extensions -> Finder and check that the Sign with CryptoPro quick action is ticked.
  8. In the Finder, open the context menu of any file and, in the Quick Actions and/or Services section, select Sign with CryptoPro
  9. In the CryptoPro dialog that appears, enter the user PIN of the CEP
  10. A file with the *.sgn extension will appear in the current directory: a detached signature in CMS format with DER encoding.
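As an added example (not code from the original article, from CryptoPro, or from the Automator workflow it distributes), the "find the hash" and "sign" steps above as shell functions that a Run Shell Script block could call: the thumbprint is picked out of certmgr -list output by its SCARD\rutoken container, the lookup refuses to guess when the token holds several certificates, and signing is accepted only when cryptcp reports a zero error code and the FILE.sgn detached signature actually exists. It assumes CryptoPro CSP under /opt/cprocsp as in the article; CERTMGR and CRYPTCP are this script's own variables, and sample_listing() is a constructed imitation of certmgr -list output, not real data.

```shell
#!/bin/sh
# Added example, not the article's code: look up the token certificate's SHA1
# thumbprint and sign files with cryptcp, checking CryptoPro's own error code.
# Assumptions: CryptoPro CSP under /opt/cprocsp; CERTMGR/CRYPTCP are this
# script's variables; sample_listing() below is constructed test data.
CERTMGR="${CERTMGR:-/opt/cprocsp/bin/certmgr}"
CRYPTCP="${CRYPTCP:-/opt/cprocsp/bin/cryptcp}"

# cp_ok OUTPUT: succeed only if the last line is a zero CryptoPro error code.
cp_ok() { printf '%s\n' "$1" | tail -n 1 | grep -q '^\[ErrorCode: 0x00000000\]$'; }

# token_thumbprints: read certmgr -list output on stdin and print the SHA1 Hash of
# every certificate whose Container is on the token (SCARD\rutoken...).
# A record's SHA1 Hash line precedes its Container line, so remember the hash and
# emit it only when the container line qualifies.
token_thumbprints() {
    awk '
        /^[0-9]+-+$/                    { hash = "" }        # new certificate record
        /^SHA1 Hash *:/                 { hash = $NF }
        /^Container *: *SCARD\\rutoken/ { if (hash != "") print hash }
    '
}

# select_thumbprint: exactly one token certificate -> print its hash (status 0);
# none -> status 1; several -> list them on stderr and return 2, because the
# article says the user must consciously choose which one to sign with.
select_thumbprint() {
    hashes="$(token_thumbprints)"
    n="$(printf '%s\n' "$hashes" | awk 'NF { n++ } END { print n + 0 }')"
    case "$n" in
        1) printf '%s\n' "$hashes" ;;
        0) echo 'no certificate with an SCARD (token) container found' >&2; return 1 ;;
        *) echo 'several token certificates found, pick one of:' >&2
           printf '%s\n' "$hashes" >&2; return 2 ;;
    esac
}

# sign_file THUMBPRINT PATH: run cryptcp from the file's directory with a bare
# file name (as the article does); success needs a zero error code and PATH.sgn.
sign_file() {
    thumb="$1"; file="$2"
    dir="$(dirname "$file")"; name="$(basename "$file")"
    out="$(cd "$dir" && "$CRYPTCP" -signf -detach -cert -der -strict -thumbprint "$thumb" "$name" 2>&1)"
    printf '%s\n' "$out"
    cp_ok "$out" && [ -f "$file.sgn" ]
}

# sign_all PATH...: what an Automator Run Shell Script step would execute with the
# Finder selection in "$@"; the thumbprint is looked up once from the live listing.
sign_all() {
    thumb="$("$CERTMGR" -list | select_thumbprint)" || return $?
    for f in "$@"; do sign_file "$thumb" "$f" || return 1; done
}

# sample_listing: constructed certmgr -list output with one copy of a certificate
# in the local HDIMAGE store and one on the token, mirroring the article's listing.
sample_listing() {
    cat <<'EOF'
Certmgr 1.1 (c) "Crypto-Pro", 2007-2018.
program for managing certificates, CRLs and stores
=============================================================================
1-------
Issuer            : E=ca@example.test, CN=Example CA
Subject           : E=user@example.test, CN=Example User
Serial            : 0x0000000000000000000000000000000000
SHA1 Hash         : 1111111111111111111111111111111111111111
Container         : HDIMAGE\\example.000\4E5B
2-------
Issuer            : E=ca@example.test, CN=Example CA
Subject           : E=user@example.test, CN=Example User
Serial            : 0x0000000000000000000000000000000000
SHA1 Hash         : 2222222222222222222222222222222222222222
Container         : SCARD\rutoken_lt_00000000\0000\0000
=============================================================================
[ErrorCode: 0x00000000]
EOF
}
```

Pasting the thumbprint by hand is where the Cyrillic look-alike problem above bites; reading it from certmgr output sidesteps that, and the "several certificates" branch fails loudly instead of signing with whichever entry came first.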

Screenshots (images not reproduced here): Apple Automator window; System Preferences; Finder context menu.

Check the signature on the document

If the document contains no secrets, the easiest way is to use the web service on the State Services portal, https://www.gosuslugi.ru/pgu/eds. That way you can take a screenshot from an authoritative resource and be sure that the signature is fine.

Screenshots (images not reproduced here).

Source: habr.com
