The Web eID application performs cryptographic digital signing and authentication operations with electronic ID smart cards for the Web eID browser extension (it is the native messaging host for the extension). Also works standalone without the extension in command-line mode.
Command-line mode is useful both for testing and for using the application outside of the Web eID browser extension context.
web-eid [options] command arguments
-h, --help Displays help.
-c, --command-line-mode Command-line mode, read commands from command line
arguments instead of standard input.
command The command to execute in command-line mode, any of
'get-certificate', 'authenticate', 'sign'.
arguments Arguments to the given command as a JSON-encoded
Pass the certificate type (either auth
or sign
) and origin URL as
JSON-encoded command-line arguments to the get-certificate
command to retrieve the certificate:
web-eid -c get-certificate '{"type": "auth", "origin": ""}'
Passing "type": "auth"
will retrieve the authentication certificate and
"type": "sign"
the signing certificate.
The result will be written to standard output as a JSON-encoded message that either contains the requested Base64-encoded certificate or an error object with a symbolic error code. Successful output example:
Error example:
{"error": {"code": "ERR_WEBEID_NATIVE_FATAL", "message": "Invalid origin"}}
Authentication command requires the nonce, origin URL and Base64-encoded origin certificate as JSON-encoded command-line arguments:
web-eid -c authenticate '{"nonce": "12345678123456781234567812345678", "origin": "", "origin-cert": "MIIHQjCCBiqgAwIBAgIQDzBMjsxeynwIiZ83A6z+JTANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xOTA5MTEwMDAwMDBaFw0yMDEwMDcxMjAwMDBaMFUxCzAJBgNVBAYTAkVFMRAwDgYDVQQHEwdUYWxsaW5uMSEwHwYDVQQKDBhSaWlnaSBJbmZvc8O8c3RlZW1pIEFtZXQxETAPBgNVBAMMCCoucmlhLmVlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsckbR484WWjD3MfWEPxLYQlr79YdvsxZ/AHZDZsiGO0GhMZPOkpuxcIqMZIHMFWFLK/7u/5P+otISVTBbBbmfSvyjzVjWy4CZFiSXhkMfyoZzWRb3pHnl/5AmAepJ8aCTESRX+H7Vag9Q1lgzbaqLGS8jCOiWaaTT6+TYUSj97adOp9vbLLuelocCKwMtlBkBU0cwR/jaLpBKzlzWiBeQR4pyJJ4uHoDIV1ftx6qGABqicKTn6ksORoGLI8e+JAfDl/yzWB4Me56MVb+8fYb3XU1sncCYZtJ8aYv3sVm8vaaHbCIjjxBWlLmLZVkv5YSPxjYxOLBHokA2nN9owbhGcWx7EpJd1ZjBhW1OrTBxpAj1NBvMSttRk1Oil3BdMAchgwfkirGSgmc3cTKcwZB4JLaUu3udrFihnRVdr6is5x0jya+1DvQdNVzKJiR9fZP/2AxxLO5785w1spYTZ+4pcu6RrHaABZ/T/lK5zEEM2BelAKgXVQSOe1MwrChg7pDWRKNjuBYkgc/2AJ/8slMtQgsM3C15KouqtzblLSzRxuDfjx7HYeKhe4YPdR/gL7M6KFP0vH38Jc/FLAlQSQDVEXYpSo22kJLJu35rcMfLQIScvy0gP2i/RD2V+/c/zaQcZzZblKsl8tR4LE1MMo7cxcnlR5nN6ogYHIKpA45mKECAwEAAaOCAvEwggLtMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBRg9ZbQFUAlIXPTxSOkzqf189Hk1jAbBgNVHREEFDASgggqLnJpYS5lZYIGcmlhLmVlMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc2LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdwC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAW0fPlWCAAAEAwBIMEYCIQDcMTeRN3aAyS04CHOVKJPGggrzvuoPzkgt3t9yv7ovbgIhAJ3K9wbP0le/HLTNNIcSwMAtS9UIrYARI6T6DATJI7u5AHUAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFtHz5V1wAABAMARjBEAiBM7HM08sJ/PmMqxk+hmEK8oVfFlLxsO0DMzSiATp618QIgA5o9fj/TsRITYhGhM3LB8Hg1rF7kM4WEjNpR5HzRb8swDQYJKoZIhvcNAQELBQADggEBABBWZf2mSKdE+IndCEzd9+NaGnMoa5rCTKNLsptdtrr9IuPxEJiuMZCVAAtlYqJzFRsuOFa3DoSZ+ToV8KQsf2pAZasHc4VnJ6ULk55SDoGHvyUf8LETFcXeDGnhunw1WFpajQOKIYkrYsp7Jzrd3XDbJ/h9FHCtKHQSGCqHu9f0TxnDtXk9jOvVSAAI7g9R6pC8DfI2kFYCk48rKCA31VZO3vH9dYzkuJv9UlFG7qxHEkyqpFKPLmoillsKWPeKjpFAD0jv5GB2C5SZ2sMTE90kMiV9PcqTi3TXLMvyYbrCa1nhNezj4So82o1Q+qBfLdCag7t+ZGKefl2UJYjDoU0="}'
The result will be written to standard output as a JSON-encoded message that either contains the OpenID X509 ID Token or an error code. Successful output example:
The OpenID X509 ID Token is a standard JSON Web Token that can be validated with e.g. the JWT.IO online validator.
Signing command requires the Base64-encoded document hash, hash algorithm, origin URL and previously retrieved Base64-encoded user signing certificate as JSON-encoded command-line arguments:
Allowed hash algorithm values are SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512. The document hash length has to match the hash algorithm output length and the hash algorithm has to be supported by the electronic ID signing implementation.
The user signing certificate for the user-eid-cert
field can be retrieved
with the get-certificate
command as described above, by passing sign
in the
web-eid -c get-certificate '{"type": "sign", ...other arguments as above...}'
The result will be written to standard output as a JSON-encoded message that either contains the Base64-encoded signature or an error code. Successful output example:
{"signature": "O0vhA3XSflWsE/v0xcdLGPG0mbWHySSPXWJkRni8vklWKhlzWvGuHD98rWZzf31VsuldBlhJo9eflZvmKK/tUuTjiwXw2BLq3E+qv6Vs6nLHJNJs/ki6Lm/s+bwffyrH"}
All commands support an optional lang
parameter that, if provided, must
contain a two-letter ISO 639-1 language code. If translations exist for the given
language, then the user interface will be displayed in this language.
The following example will display the user interface in Estonian:
web-eid -c get-certificate '{"lang": "et", "type": "auth", "origin": ""}'
Input-output mode is intended for communicating with the Web eID browser extension. Start the application without options and arguments to activate input-output mode:
Input-output mode supports the same commands, arguments and output as command-line mode. The command and arguments should be written as a JSON-encoded message to the application standard input:
"command": "authenticate",
"arguments": { "nonce": "...", "origin": "...", "origin-cert": "..." }
The message should start with message length prefix in native-endian byte order in accordance with the WebExtensions native messaging specification.
The application exits after writing the result to the standard output.
To notify the browser extension that it is ready to receive commands, the application initiates communication by sending its version to standard output in input-output mode with the following message (actual version number varies):
{ "version": "1.0.0" }
There is a Python script in tests/input-output-mode/
that demonstrates
how to use input-output mode, it can be run with:
python tests/input-output-mode/
To enable logging in the extension companion native app,
- in Linux, run the following command in the console:
echo 'logging=true' > ~/.config/RIA/web-eid.conf
- in macOS, run the following command in the console:
defaults write eu.web-eid.web-eid logging true defaults write eu.web-eid.web-eid-safari logging true
- in Windows, add the following registry key:
[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid] "logging"="true"
The native app logs are stored:
in Linux~/Library/Application Support/RIA/web-eid/web-eid.log
in macOSC:/Users/<USER>/AppData/Local/RIA/web-eid/web-eid.log
in Windows
Run all commands starting from RUN apt-get update
from the following
Download Visual Studio 2019 community installer from and install Desktop C++ Development
Download WIX toolset from and install version 3.11.2
Download and install Git for Windows from
Install vcpkg by running the following commands in Powershell:
git clone C:\vcpkg cd C:\vcpkg .\bootstrap-vcpkg.bat .\vcpkg integrate install
Install Google Test and OpenSSL with vcpkg:
.\vcpkg install --recurse --triplet x64-windows --clean-after-build gtest openssl
Install Qt with the official Qt Online Installer, choose Custom installation > Qt 5.15.2 > MSVC 2019 64-bit.
Install Homebrew if not already installed:
/usr/bin/ruby -e "$(curl -fsSL"
Install CMake, Google Test, OpenSSL and Qt with Homebrew:
brew install cmake web-eid/gtest/gtest openssl qt@5
Create symlink to OpenSSL location and setup environment variables required by CMake:
export OPENSSL_ROOT_DIR=/usr/local/opt/openssl@1.1 export Qt5_DIR=/usr/local/opt/qt5
git clone --recurse-submodules
cd web-eid-app
./build/src/app/web-eid -c get-certificate '{"type":"auth", "origin":""}'
Use Powershell to run the following commands to build the project.
Set the Qt installation directory variable:
$QT_ROOT = "C:\Qt\5.15.2\msvc2019_64"
Set the Qt CMake directory environment variable:
$env:Qt5_DIR = "${QT_ROOT}\lib\cmake\Qt5"
Set the vcpkg installation directory variable:
$VCPKG_ROOT = "C:\vcpkg"
Set the build type variable:
$BUILD_TYPE = "RelWithDebInfo"
Make the build directory and run CMake:
mkdir build cd build cmake -A x64 ` "-DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake" ` "-DCMAKE_BUILD_TYPE=${BUILD_TYPE}" ..
Run the build and installer build:
cmake --build . --config ${BUILD_TYPE} cmake --build . --config ${BUILD_TYPE} --target installer
Add Qt binary directory to path:
$env:PATH += "${QT_ROOT}\bin"
Run tests:
ctest -V -C ${BUILD_TYPE}
Run the following command to update Qt Linguist TS files:
lupdate src/ -ts ./src/ui/translations/*.ts