On 6/18/2024 8:44 AM, Pablo Rodriguez via ntg-context wrote:
On 6/18/24 00:52, Hans Hagen via ntg-context wrote:
On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
[...]
2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
have tested this with pdfsig from poppler and MuPDF-GL) display the
digital signature at all?
this whole digital signing is a bit of a scam imo ...

Digital signing may be a marketing gig also, but we may only consider
the pure feature as such.

I mean, I’m not interested here in the legally binding value of certain
digital certificates, but just in having digital signatures right.

- one has to buy a specific kind of certificate

Generating certificates with OpenSSL is basically free.

you cannot use a 'web certificate'

- often one is supposed to use some token

- when the root cert expires one has to resign

I think this may be avoided by adding a timestamp token (as unsigned
attribute) in the PKCS#7 (as mentioned in the PDF spec).

dunno, can test it

- reader has root certs built in and checking is supposed to be online
- it doesn't come cheap and supporting / testing is not something one
can expect for free (so i can't really test it)

... so just some business model and not really something one can do out
of the box

This is all related to certificate (legal) validity. This is out of the
scope.

whatever ...

... apart from ...

- just sign with some certificate and don't expect viewers to do something

Acrobat may be wrong in not detecting the signature (I’m investigating it).

i think it only looks for 'official' ones

concerning the suggested patches: this <....whatever....> boundary is a
bit fuzzy and i found that different viewers / checkers expect either or
not +/- 1 but i didn't check recently if things have improved

There are two different issues here: digest mismatch and total document
signing.

I’m afraid that the patch is needed since /ByteRange excludes a blank
space before the value of /Contents that is in the temporary file (tmpfile).

i need to test more

I mean, here are the contents of the temporary file from the sample
(tweaked to fit a single line):

<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents  /

Byte 6421 is the s (before the underscore):

<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents_ /

The blank space (marked above with the underscore) is included in the
hashed file (tmpfile), but it is not included in the /ByteRange.

This is the reason why we can only have digest mismatch.

yes but that's what i noticed when testing: mupdf, qpdf, acrobat, etc .. trial and error is not to add that one

As for total document signing, it is better only to exclude from
/ByteRange the value for /Contents (from < to >).

As far as I can remember, this is mandatory for PDF-2.0 (and highly
recommended for previous versions [although not required]).

not sure what you mean, 2.0 demanding signing?

if we know the specs and have a way to test ... no big deal to fix a few
offsets

I’m happy to contribute as far as I can.

Sorry for insisting, but please don’t require plaintext password in the
command line (again, OpenSSL prompts for it).

not if we use the library

Hans


-----------------------------------------------------------------
                                          Hans Hagen | PRAGMA ADE
              Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
       tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
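The /ByteRange point discussed in the thread, as an added example that is not part of the thread or of ConTeXt: the two covered ranges must end exactly at the `<` of the /Contents value and resume exactly after its `>`, otherwise a verifier hashes different bytes than the signer did and reports a digest mismatch, and anything else left out of the ranges is simply unsigned. The signature dictionary layout and the zero-filled /Contents value below are constructed stand-ins, not the sample from the thread.

```python
import hashlib
import re

# Constructed stand-in for a signed PDF: only the pieces the check needs.
# The dictionary is laid out as the thread describes, with a blank between
# /Contents and the hex string's opening '<'.
CONTENTS_HEX = "00" * 16            # placeholder for the PKCS#7 blob
SIGNED_DOC = (
    b"%PDF-1.7\n1 0 obj << /Type /Sig /Filter /Adobe.PPKLite\n"
    b"/ByteRange [ 0 0000000000 0000000000 0000000000 ] /Contents <"
    + CONTENTS_HEX.encode() + b"> >> endobj\n%%EOF\n"
)

def contents_span(pdf: bytes) -> tuple[int, int]:
    """Offsets of the /Contents hex string: index of '<' and index just past '>'."""
    m = re.search(rb"/Contents\s*<[0-9A-Fa-f]*>", pdf)
    if not m:
        raise ValueError("no /Contents hex string found")
    return pdf.index(b"<", m.start()), m.end()

def correct_byte_range(pdf: bytes) -> list[int]:
    """ByteRange covering the whole file except the '<...>' value of /Contents."""
    start, end = contents_span(pdf)
    return [0, start, end, len(pdf) - end]

def check_byte_range(pdf: bytes, byte_range: list[int]) -> list[str]:
    """Explain why a ByteRange would give a digest mismatch or leave bytes
    unsigned. An empty list means the gap is exactly the /Contents value."""
    o1, l1, o2, l2 = byte_range
    start, end = contents_span(pdf)
    problems = []
    if o1 != 0:
        problems.append("first range does not start at byte 0")
    if o1 + l1 != start:
        problems.append(f"first range ends at {o1 + l1}, but '<' of /Contents is at {start}")
    if o2 != end:
        problems.append(f"second range starts at {o2}, but the byte after '>' is {end}")
    if o2 + l2 != len(pdf):
        problems.append("second range does not reach the end of the file")
    return problems

def covered_digest(pdf: bytes, byte_range: list[int]) -> str:
    """SHA-256 over exactly the bytes a verifier hashes for this ByteRange."""
    o1, l1, o2, l2 = byte_range
    return hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).hexdigest()

def demo() -> dict:
    good = correct_byte_range(SIGNED_DOC)
    # The off-by-one from the thread: the blank before '<' is left out of the
    # range, so the signer (hashing the temp file) and the verifier disagree.
    off_by_one = [good[0], good[1] - 1, good[2], good[3]]
    return {
        "good_problems": check_byte_range(SIGNED_DOC, good),
        "off_by_one_problems": check_byte_range(SIGNED_DOC, off_by_one),
        "digests_differ": covered_digest(SIGNED_DOC, good)
                          != covered_digest(SIGNED_DOC, off_by_one),
    }
```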

___________________________________________________________________________________
If your question is of interest to others as well, please add an entry to the 
Wiki!

maillist : ntg-context@ntg.nl / 
https://mailman.ntg.nl/mailman3/lists/ntg-context.ntg.nl
webpage  : https://www.pragma-ade.nl / https://context.aanhet.net (mirror)
archive  : https://github.com/contextgarden/context
wiki     : https://wiki.contextgarden.net
___________________________________________________________________________________
