Here's a simple guide for how I managed to bill one of my customers as is now mandated by law in Italy.
Create a new virtualbox machine
I would never do any of this to any system I would ever want to use for anything else, so it's virtual machine time.
- I started virtualbox, created a new machine for *buntu 32bit, 8Gb disk, 4Gb RAM, and placed the .vdi image in an encrypted partition. The web services of Infocert's fattura-pa require "Java (JRE) a 32bit di versione 1.6 o superiore".
- I installed *buntu 12.04 on it: that is what dike declares to support.
- I booted the VM, installed virtualbox-guest-utils, and made sure I also had virtualbox-guest-x11
- I restarted the VM so that I could resize the virtualbox window and have *buntu resize itself as well. Now I could actually read popup error messages in full.
- I changed the desktop background to something that gave me the idea that this is an untrusted machine where I need to be very careful of what I type. I went for bright red.
Install smart card software into it
apt-get install pcscd pcsc-tools opensc
- In virtualbox, I went to Devices/USB devices and enabled the smart card reader in the virtual machine.
- I ran pcsc_scan to see if it could see my smart card.
- I ran Firefox, went to preferences, advanced, security devices, load. Module name is "CRS PKCS#11", module path is /usr/lib/opensc-pkcs11.so
- I went to https://fattura-pa.infocamere.it/fpmi/service and I was able to log in. To log in, I had to type the PIN 4 times into popups that offered little explanations about what was going on, enjoying cold shivers because the smart card would lock itself at the 3rd failed attempt.
- Congratulations to myself! I thought that all was set, but unfortunately, at this stage, I was not able to do anything else except log into the website.
Descent into darkness
Set up things for fattura-pa
- I got the PDF with the setup instructions from here. Get it too, for a reference, a laugh, and in case you do not believe the instructions below.
- I went to https://www.firma.infocert.it/installazione/certificato.php, and saved the two certificates.
- Firefox, preferences, advanced, show certificates, I imported both CA certificates, trusted for everything, all my base are belong to them.
apt-get install icedtea-plugin
- I went to https://fattura-pa.infocamere.it/fpmi/service and tried to sign. I could not: I got an error about invalid UTF8 for something or other in Firefox's standard error. Firefox froze and had to be killed.
Set up things for signing locally with dike
- I removed icedtea so that I could use the site without firefox crashing.
- I installed DiKe For *buntu 12.04 32bit
- I ran dikeutil to see if it could talk to my smart card
- When signing with the website, I chose the manual signing options and downloaded the zip file with the xml to be signed.
- I got a zip file, unzipped it.
- I loaded the xml into dike.
- I signed it with dike.
- I got this error message: "nessun certificato di firma presente sul dispositivo di firma" and then this error message: "Impossibile recuperare il certificato dal dispositivo di firma". No luck.
Set up things for signing locally with ArubaSign
- I went to https://www.pec.it/Download.aspx
- I downloaded ArubaSign for Linux 32 bit.
- Oh! People say that it only works with Oracle's version of Java.
sudo add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java7-installer
- During the installation process I had to agree to also sell my soul to Oracle.
tar axf ArubaSign*.tar*
cd ArubaSign-*/apps/dist
java -jar ArubaSign.jar
- I let it download its own updates. Another time I did not. It does not seem to matter: I get asked that question every time I start it anyway.
- I enjoyed the fancy brushed metal theme, and had an interesting time navigating an interface where every label on every icon or input field was truncated.
- I downloaded https://www.pec.it/documenti/Manuale_ArubaSign2_firma%20Remota_V03_02_07_2012.pdf to get screenshots of that interface with all the labels intact
- I signed the xml that I got from the website. I got told that I needed to really view carefully what I was signing, because the signature would be legally binding
- I enjoyed carefully reading a legally binding, raw XML file.
- I told it to go ahead, and there was now a .p7m file ready for me. I rejoiced, as now I might, just might actually get paid for my work.
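An added example, not part of the original post: a way to check with openssl, outside the signing tool, that a .p7m verifies and wraps exactly the XML that was downloaded, assuming the .p7m is a DER-encoded CMS envelope with the content embedded. The file names, the invoice and the self-signed signer are constructed for the demo; a real check would pass the tool's .p7m and the issuing CA certificates instead.

```shell
#!/bin/sh
# p7m_matches P7M XML CAFILE
# Exit 0 only if the CMS signature in P7M verifies against CAFILE and the
# embedded content is byte-identical to XML.
p7m_matches() {
    out=$(mktemp) || return 2
    if openssl cms -verify -inform DER -in "$1" -CAfile "$3" \
            -binary -out "$out" 2>/dev/null && cmp -s "$out" "$2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$out"
    return $rc
}

# demo_p7m: constructed round trip. Builds a throwaway signer and invoice,
# signs the invoice, then compares the .p7m against the same XML and against
# an XML with a different amount.
demo_p7m() {
    d=$(mktemp -d) || return 2
    printf '<Fattura><Importo>100.00</Importo></Fattura>\n' > "$d/invoice.xml"
    sed 's/100\.00/900.00/' "$d/invoice.xml" > "$d/tampered.xml"
    # Constructed self-signed signer; it stands in for the smart card certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed signer" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    # -nodetach embeds the XML inside the envelope, -binary keeps its bytes as-is.
    openssl cms -sign -binary -nodetach -outform DER \
        -signer "$d/cert.pem" -inkey "$d/key.pem" \
        -in "$d/invoice.xml" -out "$d/invoice.xml.p7m" 2>/dev/null
    p7m_matches "$d/invoice.xml.p7m" "$d/invoice.xml" "$d/cert.pem" \
        && same=yes || same=no
    p7m_matches "$d/invoice.xml.p7m" "$d/tampered.xml" "$d/cert.pem" \
        && other=yes || other=no
    rm -rf "$d"
    echo "same_xml=$same different_xml=$other"
}

demo_p7m
```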
Try fattura-pa again
Maybe fattura-pa would work with Oracle's Java plugin?
- I went to https://fattura-pa.infocamere.it/fpmi/service
- I got asked to verify java at www.java.com. I did it.
- I told Firefox to enable java.
- Suddenly, and while I was still in java.com's tab, I got prompted about allowing Infocert's applet to run: I allowed it to run.
- I also got prompted several times, still while the current tab was not even Infocert's tab, about running components that could compromise the security of my system. I allowed and unblocked all of them.
- I entered my PIN.
- Congratulations! Now I have two ways of generating legally binding signatures with government issued smart cards!
Aftermath
I shut down that virtual machine and I'm making sure I never run anything important on it. Except, of course, generating legally binding signatures as required by the Italian government.