Installation Lanit. Digital signature and e-procurement

April 18, 2017 at 11:30 pm

Login to your personal account at zakupki.gov.ru without Internet Explorer and other useful tips when working with CryptoPro

In this note, I will try to summarize the experience of using the cryptoprovider CryptoPro to access the closed part of the official website of the unified information system in the field of procurement (zakupki.gov.ru) and the website of government services (gosuslugi.ru). The cryptoprovider itself has already become a de facto standard for government agencies; in its format, digital signatures are issued, for example, by the certification center (CA) of the Federal Treasury or the CA of the Ministry of Health.

First of all, we will talk about the website zakupki.gov.ru. The personal account of this site is accessible only via HTTPS using GOST encryption algorithms. For a long time, HTTPS via GOST only worked in Internet Explorer, which relied entirely on the crypto provider. The end came not long ago, when the website zakupki.gov.ru stopped supporting older versions of IE, including IE8. The trouble is that IE8 is the latest version of this browser supported on Windows XP, and government agencies tend to be very conservative in terms of licensing. Thus, a fairly large part of users found themselves “overboard” overnight.

Fortunately, the CryptoPro company releases a special build of the Firefox browser called CryptoPro Fox (CryptoFox), which supports GOST algorithms and works, of course, only in conjunction with the appropriate crypto provider. There was a time when development of the build almost completely stopped, but now new versions are released regularly. The latest build is based on Firefox 45. Builds can be downloaded for Windows, Linux and even Apple OS X.

The English version of the browser is available at this link. To localize it, you need to download a package with a translation of the interface. Please note that the version of the package must match the version of the browser itself.

After installing the package, you need to open a new tab, type about:config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate of the Federal Treasury CA in the “Trusted Root Certification Authorities” store and the user’s personal certificate in the “Personal” store, restart the browser and log into your personal account on zakupki.gov.ru under 44-FZ.

My workplace does not have valid certificates of authorized persons, so access to my personal account is prohibited. However, the connection is encrypted in any case using an algorithm from the GOST family.

For access to the closed part of the site under 223-FZ, authorization takes place through the ESIA (that is, through the site gosuslugi.ru). Here the situation is simpler, because this site’s plugin for Firefox has existed for a long time and is being developed by Rostelecom. When you first visit the site, you will be prompted to download the plugin. After installation, the plugin should be switched to the “Always on” mode in the CryptoFox settings, otherwise the window requesting a certificate will not appear on the government services website.

Unfortunately, signing documents on the website zakupki.gov.ru is implemented through a specific component, sign.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more common technology. Fortunately, signing a document is only a small part of what an operator must do while working on zakupki.gov.ru, so CryptoFox can be used for everyday operations.

Sometimes it is necessary to store a copy of the private key on your local computer. This can be done if the key was marked as exportable when it was created in the CA. Copying is done using the “Copy” button (what a surprise) in the CryptoPro applet interface.

There are two options for storing the key on the local machine: in the “Registry” reader and on a virtual removable disk. In principle, the security of storing the key in both cases is approximately the same, so the choice of means is up to the reader.

In the “Registry” reader, keys are stored in the branch

HKLM\SOFTWARE\Crypto Pro\Settings\Users\\Keys

for the user, and in the branch

HKLM\SOFTWARE\Crypto Pro\Settings\Keys

for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Users\\Keys

and

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Keys

When CryptoPro is running on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user profile. This situation can be corrected by assigning appropriate rights to branches through the Regedit utility.
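After rights on these branches have been changed, it is worth checking who can now reach the stored private keys. The script below is an added example, not part of the original note and not CryptoPro tooling; it lists the Allow entries on every key branch named above. The function names and the list of "broad" groups are assumptions of the example.

```powershell
# Added example, not CryptoPro tooling. Requires PowerShell 3.0+ on Windows.
# Branch roots are the ones listed above (native and Wow6432Node).
$SettingsRoots = @(
    'HKLM:\SOFTWARE\Crypto Pro\Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Crypto Pro\Settings'
)

# Well-known SIDs of broad groups (SIDs, so the check survives localized names).
# Assumption: local policy does not want these groups on private-key branches.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-KeyBranch {
    # Returns every existing ...\Keys branch under the given Settings roots.
    param([string[]]$Roots = $SettingsRoots)
    foreach ($root in $Roots) {
        $machine = Join-Path $root 'Keys'          # computer-wide containers
        if (Test-Path -LiteralPath $machine) { $machine }

        $users = Join-Path $root 'Users'           # per-user containers
        if (-not (Test-Path -LiteralPath $users)) { continue }
        foreach ($child in Get-ChildItem -LiteralPath $users) {
            # The component between Users and Keys is elided on the page,
            # so every subkey of Users is checked instead of guessing it.
            $branch = Join-Path (Join-Path $users $child.PSChildName) 'Keys'
            if (Test-Path -LiteralPath $branch) { $branch }
        }
    }
}

function Get-KeyBranchAccess {
    # One row per Allow ACE on each key branch; Broad marks the groups above.
    param([string[]]$Roots = $SettingsRoots)
    foreach ($branch in Get-KeyBranch -Roots $Roots) {
        foreach ($ace in (Get-Acl -LiteralPath $branch).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # unresolvable account
            }
            [pscustomobject]@{
                Branch    = $branch
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                Broad     = $BroadSids.ContainsKey($sid)
            }
        }
    }
}

Get-KeyBranchAccess | Sort-Object Branch, Identity |
    Format-Table -AutoSize -Wrap
```

Rows with Broad = True on a terminal server mean that every logged-on user holds rights on the branch where the key containers are stored.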

CryptoPro looks for key containers on disks that have the “removable” attribute, that is, a flash drive or, God forgive me, a floppy disk will be considered key containers, but a network drive or a disk forwarded via RDP will not. This allows you to store keys on floppy disk images on the principle of one key - one floppy disk and thereby increase security. To create a virtual drive, you can use the utility

This error message appears on the state portal gov.ru at the stage of signing documents, when various organizations work with the State Procurement domain. The error “Cannot sign data. Error description: no support for the Sign method” may mean that you are using outdated software, or that an error or failure has occurred in one of the required components.

Error "Cannot sign data"

This portal only works with the official Microsoft browser, Internet Explorer. To work correctly and eliminate the error “Cannot sign data. Error description: The object does not support the Sign method,” you must have the following components and programs installed:

  • A special plugin for the Internet Explorer browser. This component is needed for electronic confirmation of documents and signatures. When the user clicks on the “Signature” button, this plugin opens a special program that works with the token. To download it, follow this link: http://zakupki.gov.ru/epz/main/public/document/view.html?sectionId=445.
  • Special software that ensures the correct operation of a token on a flash drive.
  • A special document, PKIClient, which is a confirmation of the certification authority; to download it, click.
  • Open this link to download the certificate from the server.
  • Vcredist: special libraries that are needed for proper operation, for x86 and for the 64-bit Windows operating system.
  • For Windows XP, Microsoft .NET Framework version 2 is required. Sometimes a problem arises if users have a higher version of the framework. For stable operation of the signature, the second version is required, not higher. To get it, when downloading a new package, check the box “Install Framework 3.5, including 2, etc.” In this case, you will be able to install the desired version.
  • To sign, you need another piece of software, Lkomponent. It can be downloaded.

When all of the above components are installed and updated on your computer, go to your personal account on the state procurement portal, log in and try to sign the electronic document again. The “Cannot sign data. Error description” error should not appear this time.

Actions in case of error “Cannot sign data Error description”

First of all, familiarize yourself with all the components necessary for proper operation on the state portal and, if possible, reinstall all the programs on the list. Update your Internet Explorer browser, and also make sure that the 2 main components, Sign and Lkomponent, are installed and working correctly, because they control the testing of electronic signatures of documents for authenticity.

The Microsoft Internet Explorer browser must be launched with local computer administrator rights. Otherwise, errors may occur when working with documents. This usually happens with versions 7 and higher. If you have a 64-bit Windows system, try running the 32-bit version of the browser; sometimes this really can help get rid of the error.

Add zakupki.gov.ru to the list of trusted browser sites

Sometimes the browser may not allow you to access the site for various reasons. This can happen with absolutely any node on the network, especially with such an unstable browser as Internet Explorer. In order for the Microsoft browser to trust a specific portal, it must be added to the list of trusted sites; to do this:

Tips and tricks for resolving the “Object does not support Sign method” error

To resolve “Cannot sign data. Error description: The object does not support the Sign method,” try reinstalling Lanit.Component in another distribution. When specifying the path, create a folder in the root directory of drive C (for example, C:\Lanit), or in any other directory, depending on where your system drive is located. Also reinstall the individual CryptoPro certificate and update the program to the latest current version. The Microsoft .NET Framework must be installed using Windows Programs and Features.

To do this:


In this window, you need to check the box with .NET Framework 2.0, if it is missing. This should help resolve the issue with the error “Cannot sign data. Error description: no support for the Sign method.”

March 18, 2011 at 01:32 pm

Digital signature and e-procurement

  • Information security

It just so happened that last year, by the will of fate, I joined the government structure. And I immediately received the task of installing electronic digital signatures in the municipal procurement department to participate in electronic auctions. Before this, I had never encountered digital signatures in practical use. And just recently, on January 1, the zakupki.gov.ru portal went live, through which all government procurement must take place.

In this article I will describe what problems I encountered during the setup stages and how I overcame them. I will try to write simply about complex things - digital signature, cryptography, public and private keys. To some extent, this applies to work on all authorized electronic platforms.

Using a real situation as an example, we will consider all the stages of installing an electronic digital signature and setting up a workplace. I hope my material will help those who are just starting to work with digital signatures, and in particular with electronic procurement.

Quote: “Article 16 of Law No. 94-FZ from 01/01/2011 provides for the commissioning of a single information resource on state and municipal procurement - the official website of the Russian Federation (www.zakupki.gov.ru) on the Internet for posting information on placing orders for supply of goods, performance of work, provision of services for federal needs, the needs of constituent entities of the Russian Federation and municipal needs.”

In words, as usual, everything is fine. But in reality the opposite is true. Users are afraid of new technologies, so for them the transition to digital signature should be as painless as possible. All work with the digital signature from the user’s side should look like this: insert the electronic key and start working with the portal.

There was a very interesting moment in my practice when one of my mega-user acquaintances claimed that an electronic signature is simply a scanned personal signature that must be attached to a document as an attachment through any email client when sending a letter.

Also, users should not have the impression that the medium, be it a Token, floppy disk or flash drive, is a full-fledged digital signature. Without a private key inside and a keychain setup, these are just useless flash drive-like things.

So, now there will be some terminology.

2. Download and install Capicom object version 2.1.0.2. It is necessary for correct work with sites. It is located on the Microsoft website.

3. If necessary, install drivers for the correct operation of media (Tokens, smart cards). They can be found on official websites. We use RuTokens.

4. Installing root certificates. We place them in the root certification authorities repository.

5. Creating a keychain via crypto-pro. This is done quite simply. Launch crypto-pro, select “Service -> install personal certificate”. We indicate the public key, indicate the medium of the private key, enter the PIN code, and place the certificate in the personal storage.

That's all, the digital signature is configured. Congratulations! But... there are still some manipulations left to do with the browser. By the way, the only browser for working with trading platforms is Internet Explorer.

First, we add the electronic platform to the trusted sites, exactly as in the screenshot.

Secondly, for trusted sites we allow the use of all ActiveX components. And yes, don’t add dangerous sites to the trusted ones!

Thirdly, allow all crashed add-ons on sites, otherwise various problems will arise.
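To review what these browser steps (and the trusted-sites step in the error guide above) leave behind on a workstation, the added example below lists the sites in the Trusted sites zone and that zone's ActiveX settings. It is not from the articles; the registry locations and URL action IDs are the standard Internet Explorer ones, the function names are assumptions of the example, and only per-user, non-policy settings are read.

```powershell
# Added example, not from the articles. Requires PowerShell 3.0+ on Windows.
# Standard per-user Internet Explorer zone locations; zone 2 = Trusted sites.
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# URL action IDs for the ActiveX settings of a zone.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-TrustedSite {
    # Lists every ZoneMap entry assigned to zone 2 as scheme://host.
    $domains = Join-Path $InetSettings 'ZoneMap\Domains'
    if (-not (Test-Path -LiteralPath $domains)) { return }
    $marker = '\Domains\'
    foreach ($key in Get-ChildItem -LiteralPath $domains -Recurse) {
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -ne 2) { continue }
            # Key path is Domains\<domain>[\<subdomain>]; rebuild the host name.
            $start = $key.Name.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
            $labels = @($key.Name.Substring($start + $marker.Length) -split '\\')
            [array]::Reverse($labels)
            '{0}://{1}' -f $scheme, ($labels -join '.')
        }
    }
}

function Get-TrustedZoneActiveX {
    # Reports the ActiveX settings of the Trusted sites zone. Review is True
    # when unsigned download (1004) or initialization of controls not marked
    # as safe (1201) is enabled without a prompt.
    $values = Get-ItemProperty -LiteralPath (Join-Path $InetSettings 'Zones\2')
    foreach ($id in $ActiveXActions.Keys) {
        $raw = $values.$id
        if ($null -eq $raw) {
            $name = 'not set'
        } elseif ($PolicyNames.ContainsKey([int]$raw)) {
            $name = $PolicyNames[[int]$raw]
        } else {
            $name = '0x{0:X}' -f $raw          # e.g. administrator-approved
        }
        [pscustomobject]@{
            Id      = $id
            Action  = $ActiveXActions[$id]
            Setting = $name
            Review  = ($raw -eq 0) -and ($id -in '1004', '1201')
        }
    }
}

'Sites in the Trusted sites zone:'
Get-TrustedSite
Get-TrustedZoneActiveX | Format-Table -AutoSize -Wrap
```

Any site in the first list inherits every setting in the second, which is why the list should contain only the procurement platforms actually in use.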

How to check the operation of the digital signature? There is a test page on the MICEX electronic platform where you can check the functionality of the digital signature and understand what is missing for full operation.

Now I will describe one nuance that relates to the portal zakupki.gov.ru. There is a Lanit signature generation component, without which it is not possible to sign anything on the portal. It pops up as an unknown add-on on the website, and when downloaded it is called sign.cab. Installation is simple: unpack the cab file and run the installer. That's it! However, this nuance is very easy to miss. Download from here.

I would also like to note that the work of the portal still leaves much to be desired, various system errors pop up, and it is very difficult to contact technical support. However, it is possible and necessary to work with it, and I hope that all problems will be eliminated soon.

That's all for today. I hope this article will help you understand some aspects of working with electronic platforms and digital signatures. Thanks to everyone who read to the end.

Tags:

  • digital signature
  • electronic digital signature
  • electronic procurement