Install Belgian eID on Atomic Fedora 42 (Kinoite/Silverblue)
Belgium also provides the Belgian eID software for Fedora, but on Atomic Fedora the setup is a bit different. Let’s test eID authentication and PDF signing.
To do my tax declaration in Belgium, I have several login methods. One of them is the Belgian eID (eIDAS). To use it, you need an ID card (or resident card) and a smart card reader. I use the smart card reader CardMan 3121 from OMNIKEY. The setup will also allow you to sign PDF documents and emails with your Belgian ID card. Neat! Other countries would require the purchase of additional certificates, but in Belgium you should have it already – free of charge.
Install Belgian eID on an Atomic Fedora desktop
sudo rpm-ostree install https://eid.belgium.be/sites/default/files/software/eid-archive-fedora-2021-1.noarch.rpm
# reboot now
sudo rpm-ostree install -A eid-viewer eid-mw
# optional reboot
You can check if everything is in order with rpm-ostree status. My output:
State: idle
Deployments:
fedora:fedora/42/x86_64/kinoite
Version: 42.20250429.1 (2025-04-29T19:10:59Z)
BaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
Commit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
Diff: 6 added
LayeredPackages: eid-mw eid-viewer [redacted]
LocalPackages: eid-archive-fedora-2021-1.noarch
● fedora:fedora/42/x86_64/kinoite
Version: 42.20250429.1 (2025-04-29T19:10:59Z)
BootedBaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
Commit: 1a3e69661f9dbca3cd798c807c59d2c2c28331f7496b9ea0dab6d46986c6b740
LiveCommit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
LiveDiff: 6 added
GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
LayeredPackages: [redacted]
LocalPackages: eid-archive-fedora-2021-1.noarch
Unlocked: transient
Then, you need to install the Firefox plugin from https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/.
Note that on Atomic Fedora desktops, Firefox is (as of May 2025) installed as a system application, while other browsers (such as Chromium) are installed in a flatpak sandbox. So it is very likely that browsers other than Firefox cannot access the eID setup on the system.
References:
- https://eid.belgium.be/en/linux-eid-software-installation on linux setup for Belgian eID
- https://rpmfusion.org/Howto/OSTree on the setup of third-party RPM repositories for rpm-ostree based distros (such as Fedora Kinoite/Silverblue)
First Test with eid-viewer
You should now find eID Viewer in your application menu, or you can launch eid-viewer in the terminal. Insert your card. You should then see the data on your card.
Login with eID
You can now use the Belgian eID to access a governmental service, such as the tax declaration portal. Go to https://fin.belgium.be/fr/particuliers/declaration-impot/rentrer-declaration and choose eID as your means of authentication. You will need to provide the PIN code that comes with the ID card.
Sign PDFs with eID
This is not so clear yet. Okular is usually a flatpak. In order to have gpg find the card reader, I had to restart a service first:
gpg --card-status
# => can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
systemctl restart pcscd
gpg --card-status
# can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
# Reader ...........: OMNIKEY AG CardMan 3121 00 00
# Application ID ...: 534C4090413423078AA5B22712924134
# Application type .: PKCS#15
Okular supports both NSS and GnuPG (S/MIME) as PDF signature backends. As it does not work with either option, I check the smartcards in the app Kleopatra (KDE certificate manager). It turns out I have to configure the trust of various certificates belonging to the Belgian authorities.
Then, I restart Okular again and set, under Settings → Configure Backends… → PDF backend configuration, the option Signature Backend to GnuPG (S/MIME). I get the following feedback:
When I then choose in the Okular Tools menu the signing option, I end up in a loop with a pinentry-qt dialogue:
Please insert the card with serial number:
[redacted serial number]
It does not work. So close!
The command line tool pdfsig offers an alternative for signing.
With pdfsig -backend GPG -list-nicks, I get a list of fingerprints. One of the hardware ones is for signing, one for authentication. The smartcard tab in the app Kleopatra also displays the names/purposes alongside the fingerprint, so it may be better suited. Otherwise, try them all to find the one for signing. Then, PDFs should be signed with:
pdfsig unsigned.pdf signed.pdf -add-signature -nick [redacted my fingerprint] -reason 'for fun!'
Unfortunately, I only get an error:
signDocument: error getting signature info
We can briefly try the NSS backend with pdfsig. For this, use pdfsig -list-nicks to check the nicknames:
Certificate nicknames available:
BELPIC:Authentication
BELPIC:Signature
Then, signing should work with:
pdfsig unsigned.pdf signed.pdf -add-signature -nick BELPIC:Signature -reason 'for fun!'
Then, I get queried for the PIN and upon entry, the PDF is signed. This can be checked as follows:
# pdfsig signed.pdf
Digital Signature Info of: signed.pdf
Signature #1:
- Signature Field Name: 34B8E9A9E274A3BCE18E633ABD5B1ECA
- Signer Certificate Common Name: Robert Riemann (Signature)
- Signer full Distinguished Name: CN=Robert Riemann (Signature),serialNumber=[redacted],givenName=Robert,SN=Riemann,C=DE
- Signing Time: May 29 2025 14:58:22
- Signing Hash Algorithm: SHA-256
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 515528], [535530 - 536032]
- Total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate issuer isn't Trusted.
It remains to be determined why the certificate validation fails even though the certificate is marked trusted in Kleopatra. Let me know if you have an answer!
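A check for the pdfsig report above, as an added example that is not part of the original post: "Signature is Valid" only says the signed bytes match the signer's key, so a verifier should also require a trusted issuer and full document coverage before accepting the file. The function names are hypothetical, the sample report is constructed from the output shown above, and the wording of the trusted-issuer line is an assumption because the post only shows the untrusted case.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn a `pdfsig` report into a verdict.

# Constructed sample, abridged from the report shown in the post.
sample_report() {
  cat <<'EOF'
Digital Signature Info of: signed.pdf
Signature #1:
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 515528], [535530 - 536032]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.
EOF
}

# Reads a pdfsig report on stdin and prints one verdict line per signature.
# Exit status is 0 only if at least one signature exists and every signature
# is cryptographically valid, chains to a trusted issuer, and covers the whole file.
check_pdfsig_report() {
  awk '
    function yn(v) { return v ? "yes" : "no" }
    function report(   ok) {
      if (sig == "") return
      ok = (sigok && certok && total)
      if (!ok) bad = 1
      n++
      printf "%s %s signature_valid=%s issuer_trusted=%s whole_document=%s\n",
             (ok ? "PASS" : "FAIL"), sig, yn(sigok), yn(certok), yn(total)
    }
    /^Signature #[0-9]+:/ { report(); sig = $2; sub(/:$/, "", sig); sigok = certok = total = 0; next }
    /^[ \t]*- Total document signed$/ { total = 1 }
    /Signature Validation: Signature is Valid\./ { sigok = 1 }
    # Assumption: pdfsig prints this wording for a trusted chain (not shown in the post).
    /Certificate Validation: Certificate is Trusted\./ { certok = 1 }
    END { report(); exit ((n == 0 || bad) ? 1 : 0) }
  '
}

# Demo on the constructed sample; for a real file use: pdfsig signed.pdf | check_pdfsig_report
sample_report | check_pdfsig_report || echo "rejected: not every check passed"
```

With the NSS backend, pdfsig checks the issuer against the NSS certificate database (selectable with -nssdir), which is separate from the GnuPG trust settings that Kleopatra edits.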