Install Belgian eID on Atomic Fedora 42 (Kinoite/Silverblue)

Belgium also provides the Belgian eID software for Fedora, but on Atomic Fedora, the setup is a bit different. Let’s test eID authentication and PDF signing.

To do my tax declaration in Belgium, I have several login methods. One of them is the Belgian eID (eIDAS). To use it, you need an ID card (or resident card) and a smart card reader. I use the smart card reader CardMan 3121 from OMNIKEY. The setup will also allow you to sign PDF documents and emails with your Belgian ID card. Neat! Other countries would require the purchase of additional certificates, but in Belgium you should have it already – free of charge.

Install Belgian eID on an Atomic Fedora desktop

sudo rpm-ostree install https://eid.belgium.be/sites/default/files/software/eid-archive-fedora-2021-1.noarch.rpm
# reboot now
sudo rpm-ostree install -A eid-viewer eid-mw
# optional reboot

You can check if everything is in order with rpm-ostree status. My output:

State: idle
Deployments:
  fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
               BaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
                     Diff: 6 added
          LayeredPackages: eid-mw eid-viewer [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch

● fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
         BootedBaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: 1a3e69661f9dbca3cd798c807c59d2c2c28331f7496b9ea0dab6d46986c6b740
               LiveCommit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
                 LiveDiff: 6 added
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
          LayeredPackages: [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch
                 Unlocked: transient

Then, you need to install the Firefox plugin from https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/.

Note that on Atomic Fedora desktops, Firefox is (as of May 2025) installed as a system application, while other browsers (such as Chromium) are installed in a flatpak sandbox. So it is very likely that browsers other than Firefox cannot access the eID setup on the system.

First Test with eid-viewer

You should now find eID Viewer in your application menu. Alternatively, launch eid-viewer in the terminal. Insert your card. Then you should already see the data on your card.

Login with eID

You can now use the Belgian eID to access a governmental service, such as the tax declaration portal. Go to https://fin.belgium.be/fr/particuliers/declaration-impot/rentrer-declaration and choose eID as your means of authentication. You will need to provide the PIN code that comes with the ID card. 🎉

Sign PDFs with eID

This is not so clear yet. Okular is usually a flatpak. In order to have gpg find the card reader, I had to restart a service first:

gpg --card-status
# => can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
systemctl restart pcscd
gpg --card-status
# can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
# Reader ...........: OMNIKEY AG CardMan 3121 00 00
# Application ID ...: 534C4090413423078AA5B22712924134
# Application type .: PKCS#15

Okular supports both NSS and GnuPG (S/MIME) as PDF signature backends. As it does not work with either option, I check the smartcards in the app Kleopatra (KDE certificate manager). It turns out I have to configure the trust of various certificates belonging to the Belgian authorities.

Then, I restart Okular again and, under Settings → Configure Backends… → PDF backend configuration, set the option Signature Backend to GnuPG (S/MIME). I get the following feedback:

screenshot of Okular backends config dialogue

When I then choose in the Okular Tools menu the signing option, I end up in a loop with a pinentry-qt dialogue:

Please insert the card with serial number:

[redacted serial number]

It does not work. So close!

The command line tool pdfsig offers an alternative for signing.

With pdfsig -backend GPG -list-nicks, I get a list of fingerprints. One of the hardware ones is for signing, one for authentication. The smartcard tab in the app Kleopatra also displays the names/purposes alongside the fingerprint, so it may be better suited. Otherwise, try them all to find the one for signing. Then, PDFs should be signed with:

pdfsig unsigned.pdf signed.pdf -add-signature -nick [redacted my fingerprint] -reason 'for fun!'

Unfortunately, I only get an error:

signDocument: error getting signature info

We can briefly try the NSS backend with pdfsig. For this, use pdfsig -list-nicks to check the nicknames:

Certificate nicknames available: BELPIC:Authentication BELPIC:Signature

Then, signing should work with:

pdfsig unsigned.pdf signed.pdf -add-signature -nick BELPIC:Signature -reason 'for fun!'

Then, I get queried for the PIN and upon entry, the PDF is signed. This can be checked as follows:

# pdfsig signed.pdf
Digital Signature Info of: signed.pdf
Signature #1:
  - Signature Field Name: 34B8E9A9E274A3BCE18E633ABD5B1ECA
  - Signer Certificate Common Name: Robert Riemann (Signature)
  - Signer full Distinguished Name: CN=Robert Riemann (Signature),serialNumber=[redacted],givenName=Robert,SN=Riemann,C=DE
  - Signing Time: May 29 2025 14:58:22
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 515528], [535530 - 536032]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.

It remains to be determined why the certificate validation fails even though the certificate is marked as trusted in Kleopatra. Let me know if you have an answer!
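
Added example, not part of the original post: a shell filter that turns pdfsig output like the one above into a per-signature verdict, keeping integrity ("Signature is Valid"), chain trust and document coverage as three separate checks. The function names are hypothetical, and the "Certificate is Trusted." wording for the passing case is an assumption, since the post shows only the failing one.

```shell
#!/bin/sh
# Added example: per-signature verdict from `pdfsig FILE` output on stdin.
# Prints: <n> integrity=<ok|FAIL> chain=<trusted|UNTRUSTED> coverage=<total|PARTIAL>
pdfsig_summary() {
  awk '
    function emit() {
      if (n != "") printf "%s integrity=%s chain=%s coverage=%s\n", n, integ, chain, cov
    }
    /^Signature #[0-9]+:/ {
      emit()
      n = $2; sub(/^#/, "", n); sub(/:$/, "", n)
      # Fail closed: a check passes only when its exact line is seen.
      integ = "FAIL"; chain = "UNTRUSTED"; cov = "PARTIAL"
      next
    }
    /- Total document signed/                      { cov = "total" }
    /- Signature Validation: Signature is Valid\./ { integ = "ok" }
    # Assumed wording of the passing case; the post shows only the failing one.
    /- Certificate Validation: Certificate is Trusted\./ { chain = "trusted" }
    END { emit() }
  '
}

# Exit 0 only if there is at least one signature and all of them pass every check.
pdfsig_accept() {
  pdfsig_summary | awk '
    { seen = 1 }
    !/integrity=ok chain=trusted coverage=total$/ { bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }
  '
}

# pdfsig output copied from the post (fields the filter ignores are omitted).
sample_from_post() {
  cat <<'EOF'
Digital Signature Info of: signed.pdf
Signature #1:
  - Signer Certificate Common Name: Robert Riemann (Signature)
  - Signing Hash Algorithm: SHA-256
  - Signed Ranges: [0 - 515528], [535530 - 536032]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.
EOF
}

sample_from_post | pdfsig_summary   # 1 integrity=ok chain=UNTRUSTED coverage=total
sample_from_post | pdfsig_accept || echo "reject: not every check passed"
```

With its NSS backend, pdfsig checks the chain against an NSS certificate database (selectable with -nssdir), which is a different store from the GnuPG trust settings that Kleopatra edits.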

Interview about EU OS: ‘Most public servants have never used something else than Windows’

The Spanish techblog ‘MuyLinux’ has interviewed Robert Riemann on EU OS. Find here the English version of the interview.

The interview has been conducted by Jose Pomeyrol and published originally in Spanish on MuyLinux. Find the English version here below.

EU OS logo

The other day I noticed something curious: after updating one of the apps I use regularly, it now shows a bold message when starting up — “Made with ❤️ Europe.” It’s similar to the tagline on the credits page of EU OS, a new Linux distribution being discussed in various tech-focused forums these last days. What do these two projects have in common? Among other things, they are both developed in Europe — or at least, their final form is.

Europe, and the European Union in particular, is preparing to face challenges unprecedented in recent history: tensions with Russia and calls for rearmament among Eurozone members; Trump’s return to the White House and a new wave of protectionist policies; and China’s technological rise, especially in AI. Europe must respond on multiple fronts — and the complexity of these issues doesn’t make things any easier.

To explore all this, we exchanged via email with Robert Riemann, master in physics and PhD in computer science, Head of Digital Transformation in the Technology and Privacy Unit of one body of the EU, and project lead of EU OS, a Linux distribution with institutional ambitions… proudly “Made with ❤️ in Brussels.”

Mastodon: How to configure custom signup questions

Mastodon administrators can enable manual review for signups. This blog post shows how to add a custom question to receive relevant input for this manual review.

The Mastodon instance eupolicy.social is geared towards people who identify themselves as part of the EU Bubble. Purposefully, there is no definition provided and indeed the instance is a bit flexible on what EU Bubble would mean.

To help the instance keep this focus (and avoid spam), the admins have opted for approval-based registration of signups. New users can during their signup process provide some text about themselves. To make this more relevant, eupolicy.social decided to customise the text that instructs the users to describe their relation with the instance.

Singles’ Night in the fancy Impérial Premium Bar Brussels

I’ve been there so you don’t have to: Singles’ Night in Brussels organised by ‘Coeur à Coeur’ in the Impérial Premium Bar Brussels.

French text below

After the blog post on the Sauna adventure in 2013 in Marseille (German), this is the 2nd story of unexpected and awkward evenings. Unfortunately, this one is sad and not a recommendation to try it yourself. On the contrary.

Low value for money, bad service, few people, people smoke inside, 0 out of 5 stars.

Screenshot of the Booking Page

When a friend cancelled a dinner and home party invitation as he caught the flu, Jeanne (name changed) and I thought of other plans for Saturday night. We could not agree on a night out for dancing due to divergences on music taste (Jamaican music: one vote in favour, one vote against). Then, I proposed to go instead to the pretentious and stylish Imperial Premium Bar Brussels (map), which would host on that day an event organised by ‘Coeur à Coeur’: Grande Soirée Célibataire (on Facebook, on Eventbrite). After some hesitation and some giggling 🤣🤣, Jeanne and I decide to actually give it a try. 4 hours before the start, we can still buy an early bird ticket for 10€. On top, 1.68€ on Eventbrite fees.

HU Berlin eduroam for Android

If the eduroam Android app for setting up the wifi crashes for you, try this alternative path.

I tried to set up eduroam for the Humboldt University of Berlin (Humboldt Universität in Berlin) using the app advertised in the manual: geteduroam

Unfortunately, the app crashes on my Android phone. If this is your case as well, proceed as follows:

  1. download the CA certificate hu-ca-2024.crt [1]
  2. go to your wifi settings and select eduroam to set up this wifi
  3. use TTLS/PAP (I forgot which one)
  4. add anonymous identity: eduroam@hu-berlin.de
  5. add username as username@hu-berlin.de (use username@physik.hu-berlin.de or username@mathematik.hu-berlin.de if your account is with those faculties)
  6. add as CA certificate the file downloaded before
  7. do not verify this certificate
  8. add as domain: hu-berlin.de

Note that other universities may require other setups.

  1. I have created this certificate file with openssl x509 -inform PEM -outform DER -in CA.pem -out hu-ca-2024.crt using the CA.pem extracted from the eduroam setup for my PC.
