On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
Dear list,
the latest version of LMTX can digitally sign PDF documents. It requires
OpenSSL installed (since it does the crypto part).
I have two issues that I would like to be tested by others.
A sample certificate may be found at
https://mailman.ntg.nl/archives/list/ntg-context@ntg.nl/message/ECSXLVMT3TMQBIHA2UZJPWJN7OVV5334/attachment/2/mycert.pfx
(I sent it myself).
Here is a sample document (actually provided by Hans):
\setupinteraction[state=start]
\definefield[signature][signed]
\defineoverlay[signature][my signature]
\starttext
\startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
sign: \inframed[background=signature,framecolor=darkred]
{\fieldbody[signature][width=3cm,option=hidden]}
\stopTEXpage
\stoptext
After compiling the sample, you need to run:
mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc doc.pdf
i use a pem
Password will be prompted again ("ABCabc"), since it is an encrypted
certificate (also for the public part).
Could anyone confirm the following issues?
1. The signature I get is wrong, unless I apply this patch
(https://mailman.ntg.nl/archives/list/dev-cont...@ntg.nl/message/T3OCKVZWTUTIXCSOKIFRVJ4X76MROZHE/attachment/3/byterange.diff
[sent by myself to the devel list]).
2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
have tested this with pdfsig from poppler and MuPDF-GL) display the
digital signature at all?
this whole digital signing is a bit of a scam imo ...
- one has to buy a specific kind of certificate
- often one is supposed to use some token
- when the root cert expires one has to re-sign
- reader has root certs built in and checking is supposed to be online
- it doesn't come cheap and supporting / testing is not something one
can expect for free (so i can't really test it)
... so just some business model and not really something one can do out
of the box
... apart from ...
- just sign with some certificate and don't expect viewers to do something
- offer a service to upload the document for checking when a user is in
doubt
- that can be done without root cert and basically works as long as the
service works
concerning the suggested patches: this <....whatever....> boundary is a
bit fuzzy and i found that different viewers / checkers expect either or
not +/- 1 but i didn't check recently if things have improved
if we know the specs and have a way to test ... no big deal to fix a few
offsets
Hans
-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
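
Added example, not part of the original message and not ConTeXt's own code: a checker for the /ByteRange boundary discussed above. It assumes the common reading of ISO 32000 in which the excluded gap is exactly the /Contents hex string including its '<' and '>' delimiters, and a file with a single signature; check_byterange and build_sample are hypothetical names and the sample bytes are constructed, not a real PDF.

```python
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS = re.compile(rb"/Contents\s*(<[0-9A-Fa-f\s]*>)")  # hex string form only


def check_byterange(pdf: bytes) -> list:
    """Return a list of problems; an empty list means the gap matches <...> exactly."""
    br, ct = BYTERANGE.search(pdf), CONTENTS.search(pdf)
    if not br or not ct:
        return ["no /ByteRange or hex /Contents found"]
    a, la, b, lb = (int(x) for x in br.groups())
    lt, gt = ct.start(1), ct.end(1)  # offset of '<', offset just past '>'
    problems = []
    if a != 0:
        problems.append(f"first range starts at {a}, expected 0")
    if a + la != lt:
        problems.append(f"first range ends at {a + la}, '<' is at {lt} ({a + la - lt:+d})")
    if b != gt:
        problems.append(f"second range starts at {b}, byte after '>' is at {gt} ({b - gt:+d})")
    if b + lb != len(pdf):
        problems.append(f"second range ends at {b + lb}, file length is {len(pdf)}")
    return problems


def build_sample(skew: int = 0) -> bytes:
    """Constructed stand-in for a signed file (not a valid PDF).
    skew=1 pulls both delimiters into the signed ranges."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    sig = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    lt = len(head % (0, 0, 0, 0))  # fixed-width fields keep this offset stable
    gt = lt + len(sig)
    total = gt + len(tail)
    return head % (0, lt + skew, gt - skew, total - gt + skew) + sig + tail


if __name__ == "__main__":
    for skew in (0, 1):
        print(skew, check_byterange(build_sample(skew)) or "consistent")
```

Running check_byterange on the bytes of a signed file reports by how many bytes each edge of the gap misses the delimiters, which is the +/- 1 in question.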