From 04aeb862ec7b1ef6c2d94b3fed1ace348f32a8ac Mon Sep 17 00:00:00 2001 From: Steven Date: Sat, 17 Feb 2024 10:54:21 +0100 Subject: [PATCH 01/16] Replace cackey with opensc Better Firefox Snap detection --- README.md | 15 +++++---------- cac_setup.sh | 38 +++++++------------------------------- 2 files changed, 12 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 58d345a..f79c977 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Linux CAC Configuration -A project for consistently configuring DOD CACs on Linux. Currently, this +A project for consistently configuring DoD CACs on Linux. Currently, this process will not work with Firefox if it is installed via `snap`. Before using this project, please review the [Known Issues](#known-issues) section. @@ -51,14 +51,12 @@ browser, but I have not tested these configurations. ## Installation **WARNING:** Please make sure all browsers are closed before running the script. -This script requires root privileges since it installs the `cackey` package and +This script requires root privileges since it installs `opensc` package and its dependencies. Feel free to review the script [here](https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh) -if this makes you uncomfortable. For transparency, the `cackey` package is -downloaded from -[here](https://cackey.rkeene.org/download/0.7.5/cackey_0.7.5-1_amd64.deb) and +if this makes you uncomfortable. For transparency, the the DoD certificates are downloaded from -[here](https://militarycac.com/maccerts/AllCerts.zip), both of which are +[here](https://militarycac.com/maccerts/AllCerts.zip), which are recommended by [militarycac](https://militarycac.com). **Important Notes:** 
@@ -68,7 +66,6 @@ recommended by [militarycac](https://militarycac.com). remove `. - The scripted installation has only been tested on the configurations listed in the [Supported Distributions](#supported-distributions) -- This script uses the 64-bit version of the cackey package. #### Methods @@ -100,9 +97,7 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai Firefox from snap and reinstall it via `apt`. This current version of the script will attempt to do this reinstallation for you. -- If you upgraded from 20.04 to 22.04 on either PopOS or Ubuntu, this likely - also upgraded the cackey package from 7.5 to the latest version, which - currently breaks this process. You can simply remove cackey and rerun the +- Recent DoD certificates do not work with cackey. You can simply rerun the script to resolve this. - If you run into any issues with firefox after running the script, clear your diff --git a/cac_setup.sh b/cac_setup.sh index 3a5f78c..786d916 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -24,8 +24,6 @@ main () CERT_FILENAME="AllCerts" BUNDLE_FILENAME="AllCerts.zip" CERT_URL="http://militarycac.com/maccerts/$BUNDLE_FILENAME" - PKG_FILENAME="cackey_0.7.5-1_amd64.deb" - CACKEY_URL="http://cackey.rkeene.org/download/0.7.5/$PKG_FILENAME" root_check browser_check 
@@ -58,40 +56,14 @@ main () # Install middleware and necessary utilities print_info "Installing middleware..." apt update - DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget + DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip opensc-pkcs11 print_info "Done" # Pull all necessary files print_info "Downloading DoD certificates and Cackey package..." wget -qP "$DWNLD_DIR" "$CERT_URL" - wget -qP "$DWNLD_DIR" "$CACKEY_URL" print_info "Done." - # Install libcackey. - if [ -e "$DWNLD_DIR/$PKG_FILENAME" ] - then - print_info "Installing libcackey..." - if dpkg -i "$DWNLD_DIR/$PKG_FILENAME" - then - print_info "Done." - else - print_err "Installation failed. Exiting..." - - exit "$E_INSTALL" - fi - fi - - # Prevent cackey from upgrading. - # If cackey upgrades beyond 7.5, it moves libcackey.so to a different location, - # breaking Firefox. Returning libcackey.so to the original location does not - # seem to fix this issue. - if apt-mark hold cackey - then - print_info "Hold placed on cackey package" - else - print_err "Failed to place hold on cackey package" - fi - # Unzip cert bundle if [ -e "$DWNLD_DIR/$BUNDLE_FILENAME" ] then @@ -360,6 +332,10 @@ check_for_firefox () then snap_ff=true print_err "This version of Firefox was installed as a snap package" + elif command -v firefox | xargs grep -Fq "exec /snap/bin/firefox" + then + snap_ff=true + print_err "This version of Firefox was installed as a snap package with a launch script" else # Run Firefox to ensure .mozilla directory has been created echo -e "Running Firefox to generate profile directory..." 
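Review bot: The `wget -qP "$DWNLD_DIR" "$CERT_URL"` line kept by this hunk still fetches the certificate bundle over plain HTTP (`CERT_URL` is `http://militarycac.com/maccerts/$BUNDLE_FILENAME` in the @@ -24 hunk of this commit), and every certificate in that bundle is later imported with `certutil -A -t TC`, i.e. as a trust anchor, so the integrity of that download is the integrity of the browser's trust store. The README links the same file over HTTPS, so the constant can simply become `CERT_URL="https://militarycac.com/maccerts/$BUNDLE_FILENAME"`; checking a digest published out of band before unzipping (e.g. `echo "<expected-sha256>  $DWNLD_DIR/$BUNDLE_FILENAME" | sha256sum -c -`) would close the gap fully. `wget -q` also hides download failures, which then surface only as the silent skip of the `if [ -e "$DWNLD_DIR/$BUNDLE_FILENAME" ]` block below; an `|| print_err "Certificate download failed"` on the wget line would make that visible. main's body continues outside the hunk.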
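Review bot: The new `elif command -v firefox | xargs grep -Fq "exec /snap/bin/firefox"` branch pipes a path through xargs, so a path containing whitespace is split into several arguments, and an empty `command -v` result makes grep read its stdin rather than a file. Passing the path directly avoids both: `elif grep -Fq "exec /snap/bin/firefox" "$(command -v firefox)" 2>/dev/null`. Note that `command -v` runs as root here and resolves root's PATH rather than the invoking user's; that appears to be the existing convention in this function, whose enclosing if/else starts outside the hunk.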
@@ -440,9 +416,9 @@ revert_firefox () certutil -d sql:"$db_root" -A -t TC -n "$cert" -i "$cert" done - if ! grep -Pzo 'library=/usr/lib64/libcackey.so\nname=CAC Module\n' "$db_root/$PKCS_FILENAME" >/dev/null + if ! grep -Pzo 'library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n' "$db_root/$PKCS_FILENAME" >/dev/null then - printf "library=/usr/lib64/libcackey.so\nname=CAC Module\n" >> "$db_root/$PKCS_FILENAME" + printf "library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n" >> "$db_root/$PKCS_FILENAME" fi fi From 2a45a1ccf4feacd4d5f63bc55d40c2947cb8dd06 Mon Sep 17 00:00:00 2001 From: Steven Date: Sat, 17 Feb 2024 11:01:09 +0100 Subject: [PATCH 02/16] Purge cackey --- README.md | 5 +++-- cac_setup.sh | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f79c977..a523551 100644 --- a/README.md +++ b/README.md @@ -97,8 +97,9 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai Firefox from snap and reinstall it via `apt`. This current version of the script will attempt to do this reinstallation for you. -- Recent DoD certificates do not work with cackey. You can simply rerun the - script to resolve this. +- Recent DoD certificates do not work with cackey and will cause errors like + `ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS`. You can simply rerun the script + to resolve this. - If you run into any issues with firefox after running the script, clear your data and history in `Privacy & Security` and then restart firefox. If your diff --git a/cac_setup.sh b/cac_setup.sh index 786d916..b73568a 100755 --- a/cac_setup.sh +++ b/cac_setup.sh 
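Review bot: The new `library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` entry hardcodes the amd64 multiarch directory, so on any other architecture, or a distribution that installs OpenSC elsewhere, the script appends a module line pointing at a file that does not exist and Firefox silently ends up with no CAC module. Resolve the path once and check it before writing, e.g. `module_path="$(dpkg -L opensc-pkcs11 2>/dev/null | grep -F '/opensc-pkcs11.so' | head -n1)"` followed by `[ -n "$module_path" ] || print_err "opensc-pkcs11.so not found"`, and use `$module_path` in both the grep and the printf. The enclosing loop starts outside this hunk (the @@ context label says revert_firefox, but the lines belong to import_certs).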
@@ -56,11 +56,12 @@ main () # Install middleware and necessary utilities print_info "Installing middleware..." apt update + DEBIAN_FRONTEND=noninteractive apt purge -y cackey DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip opensc-pkcs11 print_info "Done" # Pull all necessary files - print_info "Downloading DoD certificates and Cackey package..." + print_info "Downloading DoD certificates..." wget -qP "$DWNLD_DIR" "$CERT_URL" print_info "Done." From 264d2e1d07fa58a14b8818276353fc304f73ab14 Mon Sep 17 00:00:00 2001 From: Steven Date: Sat, 17 Feb 2024 11:02:11 +0100 Subject: [PATCH 03/16] Re-add wget --- cac_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cac_setup.sh b/cac_setup.sh index b73568a..f42537b 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -57,7 +57,7 @@ main () print_info "Installing middleware..." apt update DEBIAN_FRONTEND=noninteractive apt purge -y cackey - DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip opensc-pkcs11 + DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget opensc-pkcs11 print_info "Done" # Pull all necessary files From af1ece29b22bbcfacf55b8589c65a4cfb8bdfdef Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:01:41 -0500 Subject: [PATCH 04/16] Updated known issues and added Parrot OS to the supported distros. --- README.md | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index a523551..30ef4d2 100644 --- a/README.md +++ b/README.md 
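Review bot: The added `DEBIAN_FRONTEND=noninteractive apt purge -y cackey` removes a package from the user's system unconditionally and without saying so, which is a surprising side effect for a setup script and also removes anything that depends on cackey. If the purge is needed so cackey no longer shadows OpenSC, make it visible and conditional: `if dpkg -s cackey >/dev/null 2>&1; then print_info "Removing cackey..."; DEBIAN_FRONTEND=noninteractive apt purge -y cackey; fi`, or leave the decision to the user and document it in the README. main's body continues outside the hunk.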
@@ -31,21 +31,20 @@ this project, please review the [Known Issues](#known-issues) section. Regardless of how similar two distributions may be, I will only list distributions and versions here that I know have been tested with this method. -Ubuntu 22.04, Firefox will only work if you allow the script to remove the `snap` -version and reinstall the browser with `apt`. +On Ubuntu 22.04, Firefox will only work if you allow the script to remove the +`snap` version and reinstall the browser with `apt`. -| Distribution | Versions | Browsers | +| Distribution | Versions | Browsers | | :-: | :-: | :-: | | Ubuntu | 20.04 LTS | Firefox, Chrome | | | 22.04 LTS | Firefox, Chrome | | PopOS! | 20.04 LTS | Firefox, Chrome | | | 22.04 LTS | Firefox, Chrome | | Mint | 21.2 | Firefox, Chrome | +| Parrot OS | 6.0.0-2 | Firefox, Brave | - - -There are reports of this script also working with both Linux Mint and the Brave -browser, but I have not tested these configurations. +**NOTE:** There are reports of this script working with other distributions and +browsers. I have not personally tested these configurations. ## Installation @@ -54,7 +53,7 @@ browser, but I have not tested these configurations. This script requires root privileges since it installs `opensc` package and its dependencies. Feel free to review the script [here](https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh) -if this makes you uncomfortable. For transparency, the +if this makes you uncomfortable. For transparency, the the DoD certificates are downloaded from [here](https://militarycac.com/maccerts/AllCerts.zip), which are recommended by [militarycac](https://militarycac.com). 
@@ -88,8 +87,6 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai - Firefox and Chrome both need to be started at least once to initialize their respective certificate databases/profiles. -- CAC needs to be inserted before starting Firefox. - - Ubuntu 21.10 and greater (to include the latest LTS 22.04) have Firefox installed via snap by default. There is an outstanding bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1734371) that prevents Firefox @@ -97,8 +94,8 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai Firefox from snap and reinstall it via `apt`. This current version of the script will attempt to do this reinstallation for you. -- Recent DoD certificates do not work with cackey and will cause errors like - `ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS`. You can simply rerun the script +- Recent DoD certificates do not work with cackey and will cause errors like + `ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS`. You can simply rerun the script to resolve this. - If you run into any issues with firefox after running the script, clear your From 584dd0811560f19819ed1dfdfa05366d7b32f4a2 Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:02:34 -0500 Subject: [PATCH 05/16] Correcting capitalization. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 30ef4d2..d5cbbe3 100644 --- a/README.md +++ b/README.md 
@@ -98,8 +98,8 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai `ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS`. You can simply rerun the script to resolve this. -- If you run into any issues with firefox after running the script, clear your - data and history in `Privacy & Security` and then restart firefox. If your +- If you run into any issues with Firefox after running the script, clear your + data and history in `Privacy & Security` and then restart Firefox. If your troubles are with MS Teams, see the section for [troubleshooting teams](#microsoft-teams). Chrome is recommended for MS Teams since Firefox does not currently support Teams meetings. You can see more about this From 4f55c7cb0d408d1654f91e4af4fcb63d61548d67 Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:08:47 -0500 Subject: [PATCH 06/16] Removed unneeded error code and other constants. Cleaned up code formatting some. Testing using the PKCS11 API to register the CAC module. --- cac_setup.sh | 94 ++++++++++++++++++++++++++++------------------------ 1 file changed, 50 insertions(+), 44 deletions(-) diff --git a/cac_setup.sh b/cac_setup.sh index f42537b..e9bbf96 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -6,12 +6,11 @@ main () { EXIT_SUCCESS=0 # Success exit code - E_INSTALL=85 # Installation failed E_NOTROOT=86 # Non-root exit error E_BROWSER=87 # Compatible browser not found E_DATABASE=88 # No database located - DWNLD_DIR="/tmp" # Reliable location to place artifacts - FF_PROFILE_NAME="old_ff_profile" # Reliable location to place artifacts + DWNLD_DIR="/tmp" # Location to place artifacts + FF_PROFILE_NAME="old_ff_profile" # Location to save old Firefox profile chrome_exists=false # Google Chrome is installed ff_exists=false # Firefox is installed 
@@ -19,7 +18,7 @@ main () ORIG_HOME="$(getent passwd "$SUDO_USER" | cut -d: -f6)" CERT_EXTENSION="cer" - PKCS_FILENAME="pkcs11.txt" + # PKCS_FILENAME="pkcs11.txt" DB_FILENAME="cert9.db" CERT_FILENAME="AllCerts" BUNDLE_FILENAME="AllCerts.zip" @@ -27,7 +26,6 @@ main () root_check browser_check - mapfile -t databases < <(find "$ORIG_HOME" -name "$DB_FILENAME" 2>/dev/null | grep "firefox\|pki" | grep -v "Trash\|snap") # Check if databases were found properly if [ "${#databases[@]}" -eq 0 ] @@ -54,7 +52,7 @@ main () fi # Install middleware and necessary utilities - print_info "Installing middleware..." + print_info "Installing middleware and essential utilities..." apt update DEBIAN_FRONTEND=noninteractive apt purge -y cackey DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget opensc-pkcs11 
@@ -81,44 +79,57 @@ main () fi done + print_info "Registering CAC module with PKSC11..." + pkcs11-register + print_info "Done" + + # NOTE: Keeping this temporarily to test `pkcs11-register`. + # if ! grep -Pzo 'library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n' "$db_root/$PKCS_FILENAME" >/dev/null + # then + # printf "library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n" >> "$db_root/$PKCS_FILENAME" + # fi + print_info "Enabling pcscd service to start on boot..." systemctl enable pcscd.socket + print_info "Done" # Remove artifacts print_info "Removing artifacts..." - rm -rf "${DWNLD_DIR:?}"/{"$BUNDLE_FILENAME","$CERT_FILENAME","$PKG_FILENAME","$FF_PROFILE_NAME"} 2>/dev/null + rm -rf "${DWNLD_DIR:?}"/{"$BUNDLE_FILENAME","$CERT_FILENAME","$FF_PROFILE_NAME"} 2>/dev/null if [ "$?" -ne "$EXIT_SUCCESS" ] then - print_err "Failed to remove artifacts" + print_err "Failed to remove artifacts. Artifacts were stored in ${DWNLD_DIR}." else - print_info "Done." + print_info "Done. A reboot may be required." fi exit "$EXIT_SUCCESS" } # main + # Prints message with red [ERROR] tag before the message print_err () { ERR_COLOR='\033[0;31m' # Red for error messages NO_COLOR='\033[0m' # Revert terminal back to no color - echo -e "${ERR_COLOR}[ERROR]${NO_COLOR} $1" } # print_err + # Prints message with yellow [INFO] tag before the message print_info () { INFO_COLOR='\033[0;33m' # Yellow for notes NO_COLOR='\033[0m' # Revert terminal back to no color - echo -e "${INFO_COLOR}[INFO]${NO_COLOR} $1" } # print_info + # Check to ensure the script is executed as root root_check () { - local ROOT_UID=0 # Only users with $UID 0 have root privileges + # Only users with $UID 0 have root privileges + local ROOT_UID=0 # Ensure the script is ran as root if [ "${EUID:-$(id -u)}" -ne "$ROOT_UID" ] 
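Review bot: `pkcs11-register` is invoked as root in main, and as far as I know it registers the module in the Firefox profiles and `~/.pki/nssdb` found under the calling user's HOME, so this call configures root's databases and leaves the `$SUDO_USER` profiles untouched — which would match the "sometimes does not behave as expected when run in a script" symptom recorded later in this series' README change. Since the same commit also drops the per-database `library=...` append from import_certs (its @@ -416 hunk), this single call is now the only registration. Run it as the real user and check its status: `sudo -H -u "$SUDO_USER" pkcs11-register || print_err "pkcs11-register failed"`. main's body starts outside the hunk.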
@@ -128,31 +139,25 @@ root_check () fi } # root_check + # Replace the current snap version of Firefox with the compatible apt version of Firefox reconfigure_firefox () { # Replace snap Firefox with version from PPA maintained via Mozilla - check_for_ff_pin - #Profile migration backup_ff_profile - print_info "Removing Snap version of Firefox" snap remove --purge firefox - print_info "Adding PPA for Mozilla maintained Firefox" add-apt-repository -y ppa:mozillateam/ppa - print_info "Setting priority to prefer Mozilla PPA over snap package" echo -e "Package: *\nPin: release o=LP-PPA-mozillateam\nPin-Priority: 1001" > /etc/apt/preferences.d/mozilla-firefox - print_info "Enabling updates for future Firefox releases" # shellcheck disable=SC2016 echo -e 'Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";' > /etc/apt/apt.conf.d/51unattended-upgrades-firefox - print_info "Installing Firefox via apt" - apt install firefox -y + DEBIAN_FRONTEND=noninteractive apt install firefox -y print_info "Completed re-installation of Firefox" # Forget the previous location of firefox executable @@ -162,7 +167,6 @@ reconfigure_firefox () fi run_firefox - print_info "Finished, closing Firefox." if [ "$backup_exists" == true ] @@ -172,17 +176,18 @@ reconfigure_firefox () fi repin_firefox - } # reconfigure_firefox + run_firefox () { print_info "Starting Firefox silently to complete post-install actions..." - sudo -H -u "$SUDO_USER" firefox --headless --first-startup >/dev/null 2>&1 & - sleep 3 - pkill -9 firefox - sleep 1 -} + sudo -H -u "$SUDO_USER" firefox --headless --first-startup >/dev/null 2>&1 & + sleep 3 + pkill -9 firefox + sleep 1 +} # run_firefox + # Discovery of browsers installed on the user's system # Sets appropriate flags to control the flow of the installation, depending on 
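Review bot: `pkill -9 firefox` in the re-indented run_firefox kills every process whose name contains "firefox" on the whole machine, for every user, and SIGKILL gives the headless instance no chance to finish writing the profile this function exists to create, so the profile may be left incomplete. Capture the PID of the instance started here and stop only that one, e.g. `sudo -H -u "$SUDO_USER" firefox --headless --first-startup >/dev/null 2>&1 & ff_pid=$!`, then `kill "$ff_pid" 2>/dev/null; wait "$ff_pid" 2>/dev/null || true` in place of the pkill. The same pattern recurs in run_chrome added later in this series.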
@@ -198,9 +203,7 @@ browser_check () then print_err "No version of Mozilla Firefox OR Google Chrome has been detected." print_info "Please install either or both to proceed." - exit "$E_BROWSER" - elif [ "$ff_exists" == true ] # Firefox was found then if [ "$snap_ff" == true ] # Snap version of Firefox @@ -241,13 +244,13 @@ browser_check () then print_info "You have elected to keep the snap version of Firefox.\n" print_err "You have no compatible browsers. Exiting..." - exit $E_BROWSER fi fi fi fi -} +} # browser_check + # Locate and backup the profile for the user's snap version of Firefox # Backup is placed in /tmp/ff_old_profile/ and can be restored after the @@ -278,6 +281,7 @@ backup_ff_profile () fi } # backup_ff_profile + # Moves the user's backed up Firefox profile from the temp location to the newly # installed apt version of Firefox in the ~/.mozilla directory # TODO: Take arguments for source and destination so profile can be restored to @@ -319,7 +323,8 @@ migrate_ff_profile () fi fi -} +} # migrate_ff_profile + # Attempt to find an installed version of Firefox on the user's system # Determines whether the version is installed via snap or apt @@ -349,7 +354,9 @@ check_for_firefox () else print_info "Firefox not found." fi -} +} # check_for_firefox + + # Attempt to find a version of Google Chrome installed on the user's system check_for_chrome () { @@ -369,7 +376,8 @@ check_for_chrome () else print_info "Chrome not found." fi -} +} # check_for_chrome + # Re-install the user's previous version of Firefox if the snap version was # removed in the process of this script. 
@@ -377,21 +385,21 @@ revert_firefox () { # Firefox was replaced, lets put it back where it was. print_err "No valid databases located. Reinstalling previous version of Firefox..." - apt purge firefox -y + DEBIAN_FRONTEND=noninteractive apt purge firefox -y snap install firefox run_firefox print_info "Completed. Exiting..." - - # "Restore" old profile back to the snap version of Firefox +# "Restore" old profile back to the snap version of Firefox migrate_ff_profile "restore" exit "$E_DATABASE" -} +} # revert_firefox + # Integrate all certificates into the databases for existing browsers - import_certs () +import_certs () { db=$1 db_root="$(dirname "$db")" @@ -416,17 +424,13 @@ revert_firefox () echo "Importing $cert" certutil -d sql:"$db_root" -A -t TC -n "$cert" -i "$cert" done - - if ! grep -Pzo 'library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n' "$db_root/$PKCS_FILENAME" >/dev/null - then - printf "library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\nname=CAC Module\n" >> "$db_root/$PKCS_FILENAME" - fi fi echo "Done." echo } # import_certs + # Check to see if the user has Firefox pinned to their favorites bar in GNOME check_for_ff_pin () { @@ -448,6 +452,7 @@ check_for_ff_pin () fi } # check_for_ff_pin + repin_firefox () { print_info "Attempting to repin Firefox to favorites bar..." @@ -464,4 +469,5 @@ repin_firefox () fi } # repin_firefox + main From 4f47c39a78e1cbe270b87ea913b538893d9bfbaa Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:10:34 -0500 Subject: [PATCH 07/16] Installing top-level OpenSC package to allow apt to handle dependencies. --- cac_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cac_setup.sh b/cac_setup.sh index e9bbf96..60df260 100755 --- a/cac_setup.sh +++ b/cac_setup.sh 
@@ -55,7 +55,7 @@ main () print_info "Installing middleware and essential utilities..." apt update DEBIAN_FRONTEND=noninteractive apt purge -y cackey - DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget opensc-pkcs11 + DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget opensc print_info "Done" # Pull all necessary files From 735af96162c73c707668168ca626aa4bf0f928fc Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:33:01 -0500 Subject: [PATCH 08/16] Testing noninteractive Firefox install with apt. --- cac_setup.sh | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/cac_setup.sh b/cac_setup.sh index 60df260..00edccf 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -157,7 +157,7 @@ reconfigure_firefox () # shellcheck disable=SC2016 echo -e 'Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";' > /etc/apt/apt.conf.d/51unattended-upgrades-firefox print_info "Installing Firefox via apt" - DEBIAN_FRONTEND=noninteractive apt install firefox -y + DEBIAN_FRONTEND=noninteractive apt install firefox print_info "Completed re-installation of Firefox" # Forget the previous location of firefox executable @@ -387,11 +387,9 @@ revert_firefox () print_err "No valid databases located. Reinstalling previous version of Firefox..." DEBIAN_FRONTEND=noninteractive apt purge firefox -y snap install firefox - run_firefox - print_info "Completed. Exiting..." -# "Restore" old profile back to the snap version of Firefox + # "Restore" old profile back to the snap version of Firefox migrate_ff_profile "restore" exit "$E_DATABASE" 
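Review bot: Dropping `-y` from `DEBIAN_FRONTEND=noninteractive apt install firefox` makes apt ask its own "Do you want to continue? [Y/n]" question, which `DEBIAN_FRONTEND` does not control (that variable only silences debconf prompts), so when stdin is not a terminal apt aborts and Firefox is never reinstalled — after the snap has already been purged earlier in reconfigure_firefox. Keep the flag: `DEBIAN_FRONTEND=noninteractive apt install -y firefox`, adding `--allow-downgrades` if the 1001 pin on the PPA is expected to replace a newer installed build. reconfigure_firefox continues outside this hunk.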
@@ -462,9 +460,7 @@ repin_firefox () curr_favorites=$(gsettings get org.gnome.shell favorite-apps) print_info "Repinning Firefox to favorites bar" - gsettings set org.gnome.shell favorite-apps "$(gsettings get org.gnome.shell favorite-apps | sed s/.$//), 'firefox.desktop']" - print_info "Done." fi } # repin_firefox From 4e713bffbbaaf5cf5b06e3a695b1a811a09f3e56 Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:15:40 -0500 Subject: [PATCH 09/16] Refactored logic to run Chrome. --- cac_setup.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/cac_setup.sh b/cac_setup.sh index 00edccf..9747fb1 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -189,6 +189,22 @@ run_firefox () } # run_firefox +run_chrome () +{ + # NOTE: this is the original + # sudo -H -u "$SUDO_USER" bash -c 'google-chrome --headless --disable-gpu >/dev/null 2>&1 &' + + # Run Chrome to ensure .pki directory has been created + # TODO: finish troubleshooting this + print_info "Running Chrome to ensure it has completed post-install actions..." + sudo -H -u "$SUDO_USER" google-chrome --headless --disable-gpu >/dev/null 2>&1 & + sleep 3 + pkill -9 google-chrome + sleep 1 + print_info "Done." +} # run_chrome + + # Discovery of browsers installed on the user's system # Sets appropriate flags to control the flow of the installation, depending on # what is needed for the individual user @@ -366,13 +382,7 @@ check_for_chrome () chrome_exists=true print_info "Found Google Chrome." # Run Chrome to ensure .pki directory has been created -# echo -e "\tRunning Chrome to ensure it has completed post-install actions..." -# # TODO: finish troubleshooting this -# sudo -H -u "$SUDO_USER" bash -c 'google-chrome --headless --disable-gpu >/dev/null 2>&1 &' -# sleep 3 -# pkill -9 google-chrome -# sleep 1 -# echo -e "\tDone." + run_chrome else print_info "Chrome not found." fi 
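Review bot: The new run_chrome ends with `pkill -9 google-chrome`, which kills every Chrome process on the system — including a browser the user may still have open — and SIGKILL skips Chrome's shutdown, so the `.pki/nssdb` the function exists to create may not be fully written. Keep the PID of the instance started here and stop only that: `sudo -H -u "$SUDO_USER" google-chrome --headless --disable-gpu >/dev/null 2>&1 & chrome_pid=$!`, then `kill "$chrome_pid" 2>/dev/null; wait "$chrome_pid" 2>/dev/null || true`. The commented-out `bash -c` original and the `# TODO: finish troubleshooting this` line should either be resolved or replaced by a short comment saying what still fails, rather than shipped as dead code.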
From 1868adc5a857f8c4351f54d83990216f3ed6d9f3 Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Thu, 22 Feb 2024 14:53:28 -0500 Subject: [PATCH 10/16] Refactored logic to run Chrome into a separate function. Added documentation for run_firefox and run_chrome functions. --- cac_setup.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/cac_setup.sh b/cac_setup.sh index 9747fb1..b585d88 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -157,7 +157,7 @@ reconfigure_firefox () # shellcheck disable=SC2016 echo -e 'Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";' > /etc/apt/apt.conf.d/51unattended-upgrades-firefox print_info "Installing Firefox via apt" - DEBIAN_FRONTEND=noninteractive apt install firefox + DEBIAN_FRONTEND=noninteractive apt install -y --allow-downgrades firefox print_info "Completed re-installation of Firefox" # Forget the previous location of firefox executable @@ -179,6 +179,7 @@ reconfigure_firefox () } # reconfigure_firefox +# Run Firefox to ensure the profile directory has been created run_firefox () { print_info "Starting Firefox silently to complete post-install actions..." @@ -189,12 +190,12 @@ run_firefox () } # run_firefox +# Run Chrome to ensure .pki directory has been created run_chrome () { # NOTE: this is the original # sudo -H -u "$SUDO_USER" bash -c 'google-chrome --headless --disable-gpu >/dev/null 2>&1 &' - # Run Chrome to ensure .pki directory has been created # TODO: finish troubleshooting this print_info "Running Chrome to ensure it has completed post-install actions..." sudo -H -u "$SUDO_USER" google-chrome --headless --disable-gpu >/dev/null 2>&1 & 
@@ -361,10 +362,7 @@ check_for_firefox () else # Run Firefox to ensure .mozilla directory has been created echo -e "Running Firefox to generate profile directory..." - sudo -H -u "$SUDO_USER" bash -c 'firefox --headless --first-startup >/dev/null 2>&1 &' - sleep 3 - pkill -9 firefox - sleep 1 + run_firefox echo -e "\tDone." fi else @@ -443,7 +441,6 @@ import_certs () check_for_ff_pin () { # firefox is a favorite and if gnome is the desktop environment. - if sudo -u "$SUDO_USER" bash -c "$(echo "$XDG_CURRENT_DESKTOP" | grep "GNOME" >/dev/null 2>&1)" then print_info "Detected Gnome desktop environment" @@ -467,7 +464,6 @@ repin_firefox () if [ "$ff_was_pinned" == true ] then # TODO: finish this - curr_favorites=$(gsettings get org.gnome.shell favorite-apps) print_info "Repinning Firefox to favorites bar" gsettings set org.gnome.shell favorite-apps "$(gsettings get org.gnome.shell favorite-apps | sed s/.$//), 'firefox.desktop']" From 8e6ae775c845fd2e8d7eae6b5a06ebd57d2daeeb Mon Sep 17 00:00:00 2001 From: Darrin Schmitz Date: Thu, 18 Apr 2024 16:58:35 -0400 Subject: [PATCH 11/16] Fixes prints --- cac_setup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cac_setup.sh b/cac_setup.sh index b585d88..31eecce 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -361,9 +361,9 @@ check_for_firefox () print_err "This version of Firefox was installed as a snap package with a launch script" else # Run Firefox to ensure .mozilla directory has been created - echo -e "Running Firefox to generate profile directory..." + print_info "Running Firefox to generate profile directory..." run_firefox - echo -e "\tDone." + print_info "Done." fi else print_info "Firefox not found." @@ -432,7 +432,7 @@ import_certs () done fi - echo "Done." + print_info "Done." echo } # import_certs From 69ee2bc50f4ac2c3e64b0f317bde8814f3c4675a Mon Sep 17 00:00:00 2001 
From: Darrin Schmitz Date: Thu, 18 Apr 2024 17:19:30 -0400 Subject: [PATCH 12/16] Update README with Debian --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d5cbbe3..0c1c5f7 100644 --- a/README.md +++ b/README.md @@ -34,14 +34,15 @@ distributions and versions here that I know have been tested with this method. On Ubuntu 22.04, Firefox will only work if you allow the script to remove the `snap` version and reinstall the browser with `apt`. -| Distribution | Versions | Browsers | -| :-: | :-: | :-: | -| Ubuntu | 20.04 LTS | Firefox, Chrome | -| | 22.04 LTS | Firefox, Chrome | -| PopOS! | 20.04 LTS | Firefox, Chrome | -| | 22.04 LTS | Firefox, Chrome | -| Mint | 21.2 | Firefox, Chrome | -| Parrot OS | 6.0.0-2 | Firefox, Brave | +| Distribution | Versions | Browsers | +| :-: | :-: | :-: | +| Debian | 12.5 | Firefox ESR, Chrome, Edge | +| Mint | 21.2 | Firefox, Chrome | +| PopOS! | 20.04 LTS | Firefox, Chrome | +| | 22.04 LTS | Firefox, Chrome | +| Parrot OS | 6.0.0-2 | Firefox, Brave | +| Ubuntu | 20.04 LTS | Firefox, Chrome | +| | 22.04 LTS | Firefox, Chrome | **NOTE:** There are reports of this script working with other distributions and browsers. I have not personally tested these configurations. From ed27404e669c33ba0c4c5b871e22057efc722638 Mon Sep 17 00:00:00 2001 From: Darrin Schmitz Date: Sun, 21 Apr 2024 16:10:12 -0400 Subject: [PATCH 13/16] Fixed alphabetical ordering --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c1c5f7..4618f6c 100644 --- a/README.md +++ b/README.md 
@@ -38,9 +38,9 @@ On Ubuntu 22.04, Firefox will only work if you allow the script to remove the | :-: | :-: | :-: | | Debian | 12.5 | Firefox ESR, Chrome, Edge | | Mint | 21.2 | Firefox, Chrome | +| Parrot OS | 6.0.0-2 | Firefox, Brave | | PopOS! | 20.04 LTS | Firefox, Chrome | | | 22.04 LTS | Firefox, Chrome | -| Parrot OS | 6.0.0-2 | Firefox, Brave | | Ubuntu | 20.04 LTS | Firefox, Chrome | | | 22.04 LTS | Firefox, Chrome | From 4f91c65f38bcbe27334a9d72b84e3c5cadc85b0f Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 26 Nov 2024 09:48:22 -0500 Subject: [PATCH 14/16] I don't want to arbitrarily remove packages from the user's system, so I will leave the purge of Cackey up to the user. --- cac_setup.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/cac_setup.sh b/cac_setup.sh index 31eecce..ab7819e 100755 --- a/cac_setup.sh +++ b/cac_setup.sh @@ -54,7 +54,6 @@ main () # Install middleware and necessary utilities print_info "Installing middleware and essential utilities..." apt update - DEBIAN_FRONTEND=noninteractive apt purge -y cackey DEBIAN_FRONTEND=noninteractive apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget opensc print_info "Done" From 57b469d3bb1de1607312d38e902a1248f169a4ef Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 26 Nov 2024 09:54:35 -0500 Subject: [PATCH 15/16] Added note about migrating away from Cackey. --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4618f6c..cc04321 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,12 @@ A project for consistently configuring DoD CACs on Linux. Currently, this process will not work with Firefox if it is installed via `snap`. Before using this project, please review the [Known Issues](#known-issues) section. +**NOTE:** This project has been moved away from Cackey to instead use OpenSC, which seems to be +more stable than Cackey. If you don't use Cackey as a dependency of anything else, +I recommend running the following: +``` +sudo apt purge cackey +``` ## Table of Contents
@@ -95,7 +101,7 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai Firefox from snap and reinstall it via `apt`. This current version of the script will attempt to do this reinstallation for you. -- Recent DoD certificates do not work with cackey and will cause errors like +- Recent DoD certificates do not work with Cackey and will cause errors like `ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS`. You can simply rerun the script to resolve this. From 998cc40ad37044613243a46dd547e036d2a3ee1b Mon Sep 17 00:00:00 2001 From: Jeremy Jackson <87815518+jdjaxon@users.noreply.github.com> Date: Tue, 26 Nov 2024 10:04:46 -0500 Subject: [PATCH 16/16] Added issue with the pkcs11-register command to the Known Issues section. --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index cc04321..9121b02 100644 --- a/README.md +++ b/README.md @@ -91,6 +91,10 @@ sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/mai ``` ## Known Issues +- The `pkcs11-register` command sometimes does not behave as expected when run + in a script. Users may need to reboot or run `pkcs11-register` upon the + completion of this setup script. + - Firefox and Chrome both need to be started at least once to initialize their respective certificate databases/profiles.