utils/pdfsig.1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit da39bd930fee9369071a97b93ffe3ea0987acedc Author: Tobias Deiminger <tobias.deimin...@posteo.de> Date: Tue Jan 3 00:25:57 2023 +0100 Point out pdfsig supports PKCS#11 URIs as nickname NSS "just works" with PKCS#11 URIs since 3.39. See https://bugzilla.mozilla.org/show_bug.cgi?id=1475274 for details. IMO we should expose that as feature. It's a standardized NSS-agnostic way to identify certificate objects, and allows to disambiguate certificates in any case. diff --git a/utils/pdfsig.1 b/utils/pdfsig.1 index 872c6e8d..2d84b0c6 100644 --- a/utils/pdfsig.1 +++ b/utils/pdfsig.1 @@ -62,7 +62,7 @@ Specifies the field name to be used when adding a new signature. A random ID wil Sign the document in the specified signature field present in the document (must be unsigned). Field can be specified by field name (string) or the n-th signature field in the document (integer). .TP .B \-nick " nickname" -Use the certificate with the given nickname for signing. +Use the certificate with the given nickname for signing. If nickname starts with pkcs11:, it's treated as PKCS#11 URI. .TP .B \-kpw " password" Use the given password for the signing key @@ -97,6 +97,9 @@ Displays signature info for signed_file.pdf. pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick my-cert -reason 'for fun!' Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate. .TP +pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick 'pkcs11:token=smartcard0;object=Second%20certificate;type=cert' +Same, but uses a PKCS#11 URI as defined in IETF RFC 7512 to select the certificate to be used for signing. +.TP pdfsig input.pdf output.pdf -sign 0 -nss-pwd password -nick my-cert -reason 'for fun!' Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate. input.pdf must have an already existing un-signed signature field. .SH AUTHOR
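Review bot: In the \-nick description (first hunk), the new sentence gives no minimum NSS version, although the commit message states that PKCS#11 URIs work since NSS 3.39; a user building against an older NSS has no hint why a pkcs11: value is not recognized. Suggest stating the version requirement in the option text and citing RFC 7512 there too, since the second hunk mentions it only in the example. The sentence is also missing an article: "it's treated as a PKCS#11 URI".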
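Review bot: In the added example (second hunk), the URI contains Second%20certificate and is wrapped in single quotes, but the description explains neither. Suggest one sentence saying that spaces in attribute values are percent-encoded per RFC 7512 and that the URI has to be quoted because ';' is a shell command separator; without that, readers copying the pattern for their own token and object names are likely to get it wrong. "Same, but" is also slightly inaccurate, since this invocation drops the -reason 'for fun!' argument of the preceding example; either keep -reason or reword the description.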