On 6/18/24 00:52, Hans Hagen via ntg-context wrote:
> On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
>> [...]
>> 2. I cannot get any signature display in Acrobat. Does any PDF
>> viewer (I have tested this with pdfsig from poppler and MuPDF-GL)
>> display the digital signature at all?
> this whole digital signing is a bit of a scam imo ...

Digital signing may be a marketing gig also, but we may only consider the pure feature as such. I mean, I’m not interested here in the legally binding value of certain digital certificates, but just in having digital signatures right.

> - one has to buy a specific kind of certificate

Generating certificates with OpenSSL is basically free.

> - often one is supposed to use some token
>
> - when the root cert expires one has to resign

I think this may be avoided by adding a timestamp token (as unsigned attribute) in the PKCS#7 (as mentioned in the PDF spec).

> - reader has root certs built in and checking is supposed to be online
>
> - it doesn't come cheap and supporting / testing is not something one
> can expect for free (so i can't really test it)
>
> ... so just some business model and not really something one can do out
> of the box

This is all related to certificate (legal) validity. This is out of the scope.

> ... apart from ...
>
> - just sign with some certificate and don't expect viewers to do something

Acrobat may be wrong in not detecting the signature (I’m investigating it).

> concerning the suggested patches: this <....whatever....> boundary is a
> bit fuzzy and i found that different viewers / checkers expect either or
> not +/- 1 but i didn't check recently if things have improved

There are two different issues here: digest mismatch and total document signing.

I’m afraid that the patch is needed, since /ByteRange excludes a blank space before the value of /Contents that is in the temporary file (tmpfile).

I mean, here are the contents of the temporary file from the sample (tweaked to fit a single line):

  << /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents /

Byte 6421 is the s (before the underscore):

  << /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents_ /

The blank space (marked above with the underscore) is included in the hashed file (tmpfile), but it is not included in the /ByteRange.

This is the reason why we can only have a digest mismatch.

As for total document signing, it is better only to exclude from /ByteRange the value for /Contents (from < to >). As far as I can remember, this is mandatory for PDF-2.0 (and highly recommended for previous versions [although not required]).

> if we know the specs and have way to test ... no big deal to fix a few
> offsets

I’m happy to contribute as far as I can.

Sorry for insisting, but please don’t require a plaintext password on the command line (again, OpenSSL prompts for it).

Many thanks for your help,

Pablo

___________________________________________________________________________________
If your question is of interest to others as well, please add an entry to the Wiki!

maillist : ntg-context@ntg.nl / https://mailman.ntg.nl/mailman3/lists/ntg-context.ntg.nl
webpage  : https://www.pragma-ade.nl / https://context.aanhet.net (mirror)
archive  : https://github.com/contextgarden/context
wiki     : https://wiki.contextgarden.net
___________________________________________________________________________________
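The two issues raised in the message above (a /ByteRange gap that starts one byte early, so the signer and the verifier hash different bytes, and the requirement that the gap be exactly the `<...>` value of /Contents) can be checked mechanically. The following Python script is an added example and is not code from the thread or from ConTeXt; it assembles a constructed, minimal PDF-like byte string (HEAD, CONTENTS and TAIL are made up here, not taken from the sample file), writes the /ByteRange once correctly and once with the off-by-one described above, and compares the digest a verifier computes over the /ByteRange spans with the digest of the temporary file a signer would hand to OpenSSL (modelled as the document with only the hex placeholder cut out).

```python
import hashlib
import re

# Regex for the four integers of /ByteRange [ offset1 length1 offset2 length2 ].
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
WIDTH = 10                                   # fixed-width decimal fields, as in the thread's sample
PLACEHOLDER = b" ".join([b"0" * WIDTH] * 4)  # reserved space for the real offsets

# Constructed pieces of a minimal PDF-like file: not a complete, valid PDF,
# only the signature dictionary layout that the /ByteRange arithmetic touches.
HEAD = (b"%PDF-1.7\n"
        b"1 0 obj\n"
        b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
        b"/ByteRange [" + PLACEHOLDER + b"]\n"
        b"/Contents ")                       # ends with the blank before '<'
CONTENTS = b"<" + b"00" * 32 + b">"          # hex placeholder later overwritten by the PKCS#7 blob
TAIL = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_document(gap_starts_at_blank: bool) -> bytes:
    """Assemble HEAD + CONTENTS + TAIL and fill in /ByteRange.

    gap_starts_at_blank=False writes the correct ranges (gap is exactly <...>).
    gap_starts_at_blank=True reproduces the off-by-one from the thread: the
    first span stops one byte early, so the blank before '<' falls into the gap.
    """
    first_len = len(HEAD) - (1 if gap_starts_at_blank else 0)
    second_off = len(HEAD) + len(CONTENTS)
    second_len = len(TAIL)
    fields = b" ".join(str(n).zfill(WIDTH).encode()
                       for n in (0, first_len, second_off, second_len))
    head = HEAD.replace(PLACEHOLDER, fields, 1)
    assert len(head) == len(HEAD)            # fixed-width fields keep every offset stable
    return head + CONTENTS + TAIL


def parse_byterange(pdf: bytes):
    """Return (offset1, length1, offset2, length2) from the /ByteRange array."""
    m = BYTERANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange array found")
    return tuple(int(x) for x in m.groups())


def verifier_digest(pdf: bytes, byterange, algo: str = "sha256") -> str:
    """Hash exactly what a verifier covers: the two spans named by /ByteRange."""
    a, b, c, d = byterange
    h = hashlib.new(algo)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.hexdigest()


def signer_digest(pdf: bytes, algo: str = "sha256") -> str:
    """Hash of the temporary file handed to OpenSSL for signing: the document
    with only the <...> placeholder cut out, so the blank before '<' is included."""
    return hashlib.new(algo, pdf.replace(CONTENTS, b"", 1)).hexdigest()


def check_byterange(pdf: bytes, byterange):
    """Structural checks a signer can run before shipping: the first span
    starts at 0, the second runs to end of file, and the excluded gap is
    exactly the <...> hex string (total document signing)."""
    a, b, c, d = byterange
    problems = []
    if a != 0:
        problems.append("first span does not start at offset 0")
    if c + d != len(pdf):
        problems.append("second span does not reach end of file")
    gap = pdf[a + b:c]
    if not gap.startswith(b"<"):
        problems.append("gap starts with %r instead of '<'" % gap[:1])
    if not gap.endswith(b">"):
        problems.append("gap ends with %r instead of '>'" % gap[-1:])
    return problems


if __name__ == "__main__":
    for buggy in (False, True):
        doc = build_document(buggy)
        br = parse_byterange(doc)
        print("ByteRange", br,
              "problems:", check_byterange(doc, br) or "none",
              "digests match:", verifier_digest(doc, br) == signer_digest(doc))
```

Running the script prints two lines: the correct layout passes `check_byterange` and the two digests agree, while the off-by-one layout reports that the gap starts with a blank and the digests differ, which is exactly the "digest mismatch" a viewer reports. The same `check_byterange` can be pointed at a real signed file read with `open(path, "rb")`, after replacing the `CONTENTS` constant with the actual `<...>` string found after `/Contents`.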