Get your Belfius DIGIPASS 870 working on Mac OS X Yosemite

May 22, 2015

tl;dr You can get your new Belfius DIGIPASS working by following these instructions

Recently, my bank, Belfius, issued a DIGIPASS 870 smartcard reader (Dutch link) that also can process a Belgian eID card. I liked it:

I only have one device to use Belfius Direct Net and access eID protected sites. I can enter my eID PIN code on the DIGIPASS, making the process more secure.

It worked great on Mavericks. Belfius made efforts to get it working on Mac OS X Yosemite, but sadly, it never worked properly on my main machine.

I decided to perform a complete reinstall, and it still didn’t work properly. The DIGIPASS worked very well on other macs in my family, so I decided to figure some stuff out. This is what I found.

What went wrong?

OS X ships with smartcard reader support out of the box:

It uses the open source CCID driver. This driver supports many smartcard readers. It’s located at /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/. The DIGIPASS 870 works out of the box with this CCID driver.

To make the DIGIPASS actually work on OS X Yosemite, a small text entry has to be added to the configuration of this CCID driver, the Info.plist file inside the ifd-ccid.bundle. This is one of the things the Vasco DIGIPASS installer does.

However, this file is also being manipulated by the eID installer issued by FedICT.

Tampering with system files is dangerous, and this is exactly what went wrong:

When you install the DIGIPASS 870 driver, it updates the CCID plist. When you install the beID middleware, it overwrites the CCID plist with a custom one. It does contain an entry for the DIGIPASS 870, so it should still work from here on. However, if you would run the DIGIPASS 870 installer after the beID installer it corrupts the plist file, rendering both Belfius Direct Net and all eID applications useless.

To make matters more complicated, Vasco lists a knowledge base article that fixes DIGIPASS 870 issues on Mac OS X Mavericks. I had it installed, and it worked well at the time. It actually makes things worse on Yosemite.

So, how to fix it?

Luckily, you can fix all these errors by restoring the CCID config file to a working state. Of course, since you will be tampering with system files, use these instructions at your own risk.

Install the Belfius DIGIPASS 870 browser plugin. You get this file when you load Belfius Direct Net. Install beID middleware. Open Finder, open the Go, Go to folder... menu and enter /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/. Rename the existing Info.plist file to Info.plist.backup (or something similar), in case you should need it later on. I created a gist from the stock Yosemite Info.plist file, with the entry that the Vasco DIGIPASS 870 driver created. Download it, and place the Info.plist file inside the folder you just opened. If you installed the package from the Vasco KB article, revert those changes. Open, and enter these commands:

sudo rm -rf /Library/LaunchDaemons/org.opensc.pcscd.autostart.plist
sudo /Library/OpenSC/bin/ active

And reboot.

Test it:

Go to [](). Open Keychain, and check if the BELPIC keychain appears when you insert your eID.

That’s it!

comments powered by Disqus