On 2014/04/16 23:58, Rob Weir said:
> On Wed, Apr 16, 2014 at 11:31 AM, imacat <ima...@mail.imacat.idv.tw> wrote:
>> On 2014/04/16 21:28, Jürgen Schmidt said:
>>> On 4/15/14 4:14 PM, imacat wrote:
>>>> On 2014/04/14 16:21, Jürgen Schmidt said:
>>>>> the RC3 build (rev. 1586584) is uploading and most of the files
>>>>> are already available. Only 32 bit language packs for Linux are
>>>>> currently missing.
>>>>>
>>>>> I plan to start a vote later today but would like to invite
>>>>> everybody to test the new build already ...
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/OOOUSERS/Development+Snapshot+Builds
>>>> I found that I cannot digitally sign my documents with 4.1 as with 4.0
>>>> anymore.  Is it a planned change, or a bug?
>>>
>>> can you provide more information on how exactly you did it in 4.0? I am
>>> not very familiar with document signing and haven't signed a document
>>> before. The information I found is not clear to me and the behaviour
>>> is always the same in 4.0, 4.0.1 and 4.1 at least on Mac. I have a
>>> self signed cert created ...
>>
>>     On Linux, OpenOffice document signature is done via the Mozilla
>> Firefox certificate store.  On Windows, it is done via the Windows
>> certificate store.
>>
>>     I suppose the procedure is as follows:
>>
>> 1. Get/create a personal X.509 key/certificate with e-mail as the common
>> name.  Self-signed personal key/certificates should be OK.
>>
>> 2. Import it into the Mozilla Firefox certificate store or Windows
>> certificate store.
>>
>> 3. Close OpenOffice, including the quick run icon, if it is currently
>> running.  Restart it.
>>
>> 4. Save some document with something.
>>
>> 5. Sign the document from [File]=>[Digital Signature].
>>
>>     Before 4.0, the personal key/certificate in the Mozilla certificate
>> store will be shown in [File]=>[Digital Signature].  On 4.1, this is
>> missing.
>>
>>     Digital signature is an important part of OpenOffice macro security
>> and document integrity.  If this is unintended, we will have to do
>> something to fix it.
>>
> 
> So what happens to a document that was signed with AOO 4.0.1?  Can you
> read it in AOO 4.1?  Can you verify the signature?  Same for a signed
> macro?

    I understand Juergen's point on the removal of the Mozilla library.  But
I'm not sure if we can take this lightly.

    Documents that were digitally signed can still be opened and edited,
but their signatures cannot be verified, and they cannot be signed again
once they are modified.

    Document macros that were digitally signed can still work if their
signers were confirmed before.  But these macros will not work for the
first time on newer installations unless their users change their
security method.  Newer document macros cannot be signed anymore, and
the users have to change their security method.  I do not know if this
is serious or not.

    Sorry I found this problem too late.

> 
> I think it is important to know whether AOO 4.1 "fails safe" with
> signed macros if it is unable to verify the signature.  If a user has
> set security to allow only execution of signed macros and AOO 4.1
> permits them to be executed without being able to verify the
> signature, then we have a much more serious problem.  I'm not saying
> that this problem exists, but we should check carefully to make sure
> it is not a problem.
> 
> -Rob
> 
> 
>>>
>>> Does anybody know more about document signing and how it is intended
>>> to work?
>>>
>>> Juergen
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>>
>>
>>
>> --
>> Best regards,
>> imacat ^_*' <ima...@mail.imacat.idv.tw>
>> PGP Key http://www.imacat.idv.tw/me/pgpkey.asc
>>
>> <<Woman's Voice>> News: http://www.wov.idv.tw/
>> Tavern IMACAT's http://www.imacat.idv.tw/
>> Woman in FOSS in Taiwan http://wofoss.blogspot.com/
>> OpenOffice http://www.openoffice.org/
>> EducOO/OOo4Kids Taiwan http://www.educoo.tw/
>> Greenfoot Taiwan http://greenfoot.westart.tw/
>>
> 
> 


-- 
Best regards,
imacat ^_*' <ima...@mail.imacat.idv.tw>
PGP Key http://www.imacat.idv.tw/me/pgpkey.asc

<<Woman's Voice>> News: http://www.wov.idv.tw/
Tavern IMACAT's http://www.imacat.idv.tw/
Woman in FOSS in Taiwan http://wofoss.blogspot.com/
OpenOffice http://www.openoffice.org/
EducOO/OOo4Kids Taiwan http://www.educoo.tw/
Greenfoot Taiwan http://greenfoot.westart.tw/
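
An added example, not part of the original thread and not OpenOffice code: a small inventory script for finding which ODF files carry document or macro signatures, so the documents affected by the behaviour discussed above can be identified. It assumes the ODF package layout (signature streams `META-INF/documentsignatures.xml` and `META-INF/macrosignatures.xml`, Basic macros under `Basic/`); the sample package is constructed, and the script counts signatures without verifying them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Signature streams inside an ODF package (assumed layout, see lead-in).
SIG_STREAMS = {"document": "META-INF/documentsignatures.xml",
               "macro": "META-INF/macrosignatures.xml"}


def count_signatures(package, member):
    """Return the number of ds:Signature elements in one signature stream."""
    if member not in package.namelist():
        return 0
    root = ET.fromstring(package.read(member))
    return len(root.findall(f".//{{{DSIG_NS}}}Signature"))


def inventory(odf_bytes):
    """Report signature streams and Basic macro storage; no verification."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as package:
        names = package.namelist()
        report = {kind: count_signatures(package, member)
                  for kind, member in SIG_STREAMS.items()}
    report["has_basic_macros"] = any(n.startswith("Basic/") for n in names)
    # Macros without a macro signature matter under a signed-macros-only policy.
    report["unsigned_macros"] = report["has_basic_macros"] and report["macro"] == 0
    return report


def build_sample(signed_macros):
    """Build a constructed sample package (not a real document)."""
    sig_xml = (f'<document-signatures xmlns:ds="{DSIG_NS}">'
               '<ds:Signature Id="constructed"/></document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("Basic/Standard/Module1.xml", "<module/>")
        z.writestr(SIG_STREAMS["document"], sig_xml)
        if signed_macros:
            z.writestr(SIG_STREAMS["macro"], sig_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, inventory(build_sample(flag)))
```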
