convenience vs security: it’s always a tradeoff

credit card scammers and skimmers: when the shop owner HIMSELF is the thief

if not done already: put all cards with “wireless” functionality (bank, EC, credit, ID and healthcare cards, maybe even the driver's licence) into “shielding”!

since corona: touchless payment is even cooler?

well guess what check out this “news” from 2017:

now that ID cards also have RFID NFC chips in them… this could also be used for Identity theft with catastrophic consequences for the user and society.

So spend those 9 bucks!!!

the BundID

With the BundID, also known as Nutzerkonto Bund (NKB) and in future to be called DeutschlandID[1], citizens can identify and authenticate themselves for online administrative services provided by public bodies (translated from the German src)

it is actually open src c++

hardware required

it is (theoretically) possible to use a smartphone as the ID card reader (enable NFC)

if GNU Linux shall be used, a USB chipcard + NFC reader is required (yes, it’s pretty expensive on Amazon; it’s -50% the price on eBay if the user trusts “refurbished”)

how to install BundID on Debian13:

as of 2025-07: unfortunately debian.inf.tu-dresden.de could not be bothered to keep their Let’s Encrypt SSL certificate updated, which results in:

Err:1 https://ftp.de.debian.org/debian trixie InRelease                                                                                                                                      
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 141.76.2.4 443]

lame, very lame.

hostnamectl; # tested on
 Static hostname: debian13-desktop
  Virtualization: kvm
Operating System: Debian GNU/Linux 13 (trixie)        
          Kernel: Linux 6.12.33+deb13-amd64
    Architecture: x86-64
 Hardware Vendor: QEMU

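# so either trust the user's system to the packages of the Aachen university mirror (encrypted) or the Dresden mirror (unencrypted)
# apt checks the signed Release files either way; HTTPS only protects the transport
# the choice is up to the user X-D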
vim /etc/apt/sources.list

deb https://ftp.halifax.rwth-aachen.de/debian/ trixie main non-free-firmware
deb-src https://ftp.halifax.rwth-aachen.de/debian/ trixie main non-free-firmware

deb https://security.debian.org/debian-security trixie-security main non-free-firmware
deb-src https://security.debian.org/debian-security trixie-security main non-free-firmware

# trixie-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb https://ftp.halifax.rwth-aachen.de/debian/ trixie-updates main non-free-firmware
deb-src https://ftp.halifax.rwth-aachen.de/debian/ trixie-updates main non-free-firmware

# This system was installed using small removable media
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

deb https://ftp.de.debian.org/debian trixie main 

# of course run update script to have the system as up to date as possible

vim /scripts/update.sh 
#!/bin/bash

echo "=== attempting automatic daily update on $(date '+%Y-%m-%d-%H:%M:%S') ===" | tee -a /scripts/update.sh.log

apt update 2>&1 | tee -a /scripts/update.sh.log
apt -y upgrade 2>&1 | tee -a /scripts/update.sh.log

echo "=== automatically removing un-needed packages (and old kernels) ===" | tee -a /scripts/update.sh.log
# keeping too many old kernel versions might fill up boot partition
apt -y autoremove 2>&1 | tee -a /scripts/update.sh.log

echo "=== fine ===" | tee -a /scripts/update.sh.log
echo "" | tee -a /scripts/update.sh.log
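
The update script above pipes apt through tee, so its log is the only place where a broken mirror (like the certificate failure quoted earlier) shows up. The following is an added example, not part of the original post: it scans such a log for failing mirrors; the function names and the sample log (apart from the quoted error) are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): find mirrors that failed
# during "apt update" by scanning the log that update.sh writes.

# failed_mirrors LOGFILE -> one "reason host" line per failing mirror
failed_mirrors() {
    awk '
        # apt prints "Err:N <url> <suite> <file>", then an indented reason
        /^Err:[0-9]+ / { split($2, p, "/"); host = p[3]; next }
        host != "" && /certificate verify failed/ { print "tls-cert " host; host = ""; next }
        host != "" && /^[ \t]/ { print "other " host; host = ""; next }
        { host = "" }
    ' "$1" | sort -u
}

# update_ok LOGFILE -> exit status 0 only if no mirror failed
update_ok() {
    [ -z "$(failed_mirrors "$1")" ]
}

# Constructed sample log: the Err lines are the error quoted in the post,
# the header and Hit lines are made up for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
=== attempting automatic daily update on 2025-07-10-11:40:00 ===
Hit:1 https://ftp.halifax.rwth-aachen.de/debian trixie InRelease
Hit:2 https://security.debian.org/debian-security trixie-security InRelease
Err:3 https://ftp.de.debian.org/debian trixie InRelease
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 141.76.2.4 443]
=== fine ===
EOF
}

log=$(mktemp)
write_sample_log "$log"
failed_mirrors "$log"    # prints: tls-cert ftp.de.debian.org
update_ok "$log" || echo "update incomplete: fix or remove the failing mirror"
rm -f "$log"
```

Because update.sh appends to its log, point failed_mirrors at the output of a single run (or rotate the log) so an old failure is not reported forever.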

connect the USB chip and NFC card reader from CSL to a USB port of the KVM-enabled host computer:

in virt-manager select the USB device to pass through:

lsusb; # this is what it should show inside the vm
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
Bus 001 Device 003: ID 2ce3:9567 Generic EMV Smartcard Reader
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

# search for the package
apt search ausweisapp

ausweisapp/testing,testing 2.3.1-1 amd64
Official authentication app for German ID cards and residence permits

ausweisapp2/testing,testing 2.3.1-1 all
Transitional ausweisapp2 dummy package

apt install ausweisapp2; # install the app

# after a while there should be a new program installed

cat /home/user/Desktop/com.governikus.ausweisapp2.desktop
#!/usr/bin/env xdg-open
[Desktop Entry]
Version=1.0
Type=Application
Exec=AusweisApp
Icon=AusweisApp
StartupNotify=true
Terminal=false
Categories=System;Security;
GenericName=Authentication App
Keywords=nPA,eID,eAT,Personalausweis,Aufenthaltstitel,Identity,Card
Name=AusweisApp
StartupWMClass=AusweisApp

which AusweisApp
/usr/bin/AusweisApp

ls -lah /usr/bin/AusweisApp
-rwxr-xr-x 1 root root 4.2M Mar 18 15:26 /usr/bin/AusweisApp

/usr/bin/AusweisApp; # in a non-root terminal start it

init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Application: AusweisApp
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Application Version: 2.3.1
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Organization: 
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Organization Domain: 
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### System: Debian GNU/Linux 13 (trixie)
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Kernel: 6.12.33+deb13-amd64
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Architecture: x86_64
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Device: debian13-desktop
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### Qt Version: 6.8.2
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:65) : ### OpenSSL Version: OpenSSL 3.5.0 8 Apr 2025
init 2025.07.10 11:53:02.726 1725 I printInfo(init/Bootstrap.cpp:67) : ###############################################
