Opensc 0.20 packages for Ubuntu 16.04?

Do you intend to provide prebuilt packages for Ubuntu 16.04 LTS for opensc 0.20 as well? On https://github.com/Nitrokey/opensc-build there is still only 0.19 and it is quite aged by now. Would appreciate an update and hope it will be possible to have 0.20 even for the older Ubuntu 16.04.

If you do not intend to provide them on your own - is there an explicit build script (activated compile options, path values, etc.) that was used for 0.19 and could be reused for 0.20?

Thank you very much in advance!

Hi @daubsi !

I believe we are not supporting Ubuntu 16.04 LTS anymore, only 18.04 and up. We do not have the v0.20 packages indeed, which should be corrected. As for the build scripts, these are integrated already with the repository.

@nitroalex - could you run the build with a new version?
If that would not cause trouble, please build for 16.04 as well, but without testing, and mark it as experimental/untested.

That would be great, thank you! I compiled opensc last night from scratch, however I am never 100% sure whether I used the same/correct options/paths so that the new version really replaces an existing one in the right places and leaves no zombie artifacts that are then mixed and might cause problems, etc. Thus I really appreciate you providing a proper build that fits the previous versions file system layout-wise. Thanks

It’s quite safe to compile and install OpenSC or sc-hsm-embedded via configure, make, make install. Just make sure you first uninstall the OpenSC package that comes with the distribution.

The main difference is that local builds install in /usr/local, so they don’t usually interfere with distribution install locations.

I just wanted to add that one can use checkinstall on Ubuntu/Debian to manage the installation from sources, like any Debian package.

Cool. Didn’t know that. Thanks

So checkinstall is like an installation monitor? Ok I didn’t know I need to remove all previous packages, because I thought I would break and/or remove quite a lot of additional packages that are in turn installed with opensc for example…

FYI:

This is the way I built opensc-0.20

> wget https://github.com/OpenSC/OpenSC/archive/0.20.0.tar.gz
> mkdir opensc-0.20
> cd opensc-0.20
> tar xzf ../0.20.0.tar.gz
> cd OpenSC-0.20.0/
> ./bootstrap
> ./configure --prefix=/usr --sysconfdir=/etc
> sudo apt-get install -y apt-src wget scdaemon libccid pcscd
> ./configure --prefix=/usr --sysconfdir=/etc/opensc
> cd ..
> wget https://github.com/frankmorgner/openpace/releases/download/1.1.0/openpace-1.1.0.tar.gz
> tar xzf openpace-1.1.0.tar.gz
> cd openpace-1.1.0/
> autoreconf --verbose --install
> ./configure --prefix=/usr --sysconfdir=/etc
> make all
> sudo make install
> cd ..
> cd opensc-0.20/
> sudo apt install libpcsclite-dev
> ./configure --prefix=/usr --sysconfdir=/etc
> make all

Then verifying operation via:

src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so -I
src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so --verbose -t --pin <mypin> --id 2
src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so --generate-random 16 | hexdump -C

So far still refraining from doing a full “make install”

Is this the proper setup?
Would you suggest now to run “checkinstall sudo make install”?
Which packages do I need to uninstall to be on the safe side?

Also, I remember I had to build the pkcs11 engine for openssl like this:

git clone https://github.com/OpenSC/libp11.git
cd libp11/
libtoolize
aclocal
autoconf
automake --add-missing
autoreconf
./configure
make
/usr/local/ssl/bin/openssl engine dynamic -pre SO_PATH:/tmp/libp11/src/.libs/pkcs11.so -PRE ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
sudo cp pkcs11.so /usr/lib/ssl/engines/

Will I need to rebuild the engine once I use opensc-0.20? Or is this engine independent from the opensc version?

Have you considered commands from the opensc-build project’s main script?
This would build you the package with the default flags for your distribution.
Unfortunately, I do not know the build process for OpenSC well.

About libp11, I do not think so, but might be wrong.

No need to have openpace in the loop. That is only needed if you want to use secure messaging, but we never test that.

OK it was just the case that the plain vanilla ./configure asked for its support and as I didn’t know you might have explicitly disabled this I added it :wink:

I build new versions.

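The worry raised in the thread, that a source build leaves copies of OpenSC mixed in with the distribution's files, can be checked by listing every copy of the relevant files under the prefixes involved. The script below is an added example, not part of any post or of the opensc-build project; the function names and the list of file names searched are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate every copy of the OpenSC
# artifacts under the given prefixes and flag names that exist more than once,
# which indicates a source build sitting next to another install.

# Print each file or symlink under the given roots that matches one of the
# searched names. sort -u removes repeats when one root contains another
# (for example /usr and /usr/local).
find_opensc_copies() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -type f -o -type l \) \
            \( -name 'opensc-pkcs11.so' -o -name 'libopensc.so*' \
               -o -name 'pkcs11-tool' \) 2>/dev/null || true
    done | sort -u
}

# Print the file names that were found at more than one path.
duplicated_names() {
    find_opensc_copies "$@" | sed 's|.*/||' | sort | uniq -d
}

# Print "owner<TAB>path" for each copy. The owner is the dpkg package that
# ships the file, or "unowned" for files placed by "make install" (or when
# dpkg is not available on this system).
report_copies() {
    find_opensc_copies "$@" | while IFS= read -r path; do
        owner="unowned"
        if command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
            [ -n "$pkg" ] && owner="$pkg"
        fi
        printf '%s\t%s\n' "$owner" "$path"
    done
}

# When called with prefixes, e.g. "sh check.sh /usr /usr/local", print the
# report followed by any duplicated names.
if [ "$#" -gt 0 ]; then
    report_copies "$@"
    duplicated_names "$@" | sed 's/^/DUPLICATE: /'
fi
```

An "unowned" copy next to a package-owned one with the same name is the mixed state described above; which copy an application loads then depends on the path it was given and on the linker search order.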