Re: Digital signatures don't work in Fedora's OpenOffice

2008-10-02 Thread Patrick O'Callaghan 
On Thu, 2008-10-02 at 06:50 +0200, M. Fioretti wrote:
 On Tue, Sep 30, 2008 12:58:22 PM +0200, io wrote:
 
  I know how to create a self-signed certificate, for example, but
  **if** I understand correctly what you posted, the second suggestion
  is little more than:
  
  1) create a certificate by yourself, import it into Firefox
  2) apply the first suggestion
  
  But here the problem is not how to get or create a certificate: it's
  how to make OO.o, **as packaged by Fedora** see a certificate
  imported in Firefox, no matter where that came from. Why is there
  this problem only in Fedora, and how to fix it?
 
 Sorry to insist on this, but is it really possible that there isn't
 even a clue as to what the problem may be, why it only exists in
 Fedora, who should one talk to to at least understand what should be
 checked to diagnose the problem, etc...?
 
 I'm frankly frustrated because I'd have no problem to help fix this,
 running tests if nothing else, but if there's nobody or nowhere
 telling you which tests to do...
 
 I've also asked the same question to the OOo users list without
 result.

Probably an indicator of lack of interest in the general user
population, i.e. not many people are trying to do the same as you. You
might have better luck reporting it to Bugzilla (bugzilla.redhat.com)
where it will be seen by developers. I recently has a problem with the X
server which no-one responded to, but after going to BZ it got fixed
(because it was a genuine bug, not just a misconfiguration on my part).

poc

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: Digital signatures don't work in Fedora's OpenOffice

2008-09-30 Thread M. Fioretti 
On Mon, Sep 29, 2008 22:41:25 PM +0200, Patrick wrote:

Patrick,

first of all, thanks a lot for the suggestions, they contain useful
advice regardless of this specific problem. However:

 There was some discussion about this in the past on (iirc) this list.  
 Here's a copy of 2 messages with suggestions. Hope this helps.

 First suggestion:

this doesn't help, as I mentioned in my original message I'd already
tried those steps and commands myself. Nothing appears in OOo.

With respect to the longest suggestion: sincere thanks, I will try it
tonight (can't do it immediately), but I must say I'm dubious. I know
how to create a self-signed certificate, for example, but **if** I
understand correctly what you posted, the second suggestion is little
more than:

1) create a certificate by yourself, import it into Firefox
2) apply the first suggestion

But here the problem is not how to get or create a certificate: it's
how to make OO.o, **as packaged by Fedora** see a certificate imported
in Firefox, no matter where that came from. Why is there this problem
only in Fedora, and how to fix it?

On the other hand, why are certificates needed to sign within
openoffice? Couldn't one make do with plain old gpg keys?

Marco

-- 
Your own civil rights and the quality of your life heavily depend on how
software is used *around* you:http://digifreedom.net/node/84

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Digital signatures don't work in Fedora's OpenOffice

2008-09-29 Thread M. Fioretti 
Greetings,

I'm trying to set up digital signatures in Openoffice 2.3 and FC 8.

I've followed the instructions at
http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
and http://www.linux.com/articles/57554

I've got a client certificate and it shows in Firefox but not in
OpenOffice. Even setting the MOZILLA_CERTIFICATE_FOLDER variable
doesn't help. Further googling only reveals two or three other people
who already had the same problem with other versions of Fedora, but no
way to make it work.

Is it really impossible to use digital signatures from OpenOffice in
Fedora? If yes, what's the reason? Thanks.

Marco

-- 
Your own civil rights and the quality of your life heavily depend on how
software is used *around* you:http://digifreedom.net/node/84

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: Digital signatures don't work in Fedora's OpenOffice

2008-09-29 Thread Patrick 

M. Fioretti wrote:

Greetings,

I'm trying to set up digital signatures in Openoffice 2.3 and FC 8.

I've followed the instructions at
http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
and http://www.linux.com/articles/57554

I've got a client certificate and it shows in Firefox but not in
OpenOffice. Even setting the MOZILLA_CERTIFICATE_FOLDER variable
doesn't help. Further googling only reveals two or three other people
who already had the same problem with other versions of Fedora, but no
way to make it work.

Is it really impossible to use digital signatures from OpenOffice in
Fedora? If yes, what's the reason? Thanks.


There was some discussion about this in the past on (iirc) this list. 
Here's a copy of 2 messages with suggestions. Hope this helps.


First suggestion:

To use a digital certificate in Open Office 2.0, you must import it into
firefox.

Then add to ~/.bash_profile:

export 
MOZILLA_CERTIFICATE_FOLDER=3D/home/myname/.mozilla/firefox/blah234blah234bl=

ah.default


Now, when you run open office, you can choose the certificate with which to
sign a document.

Second very long suggestion:

As I had promised last night, here are the instructions on how to sign a
document.

Firstly, you must create a pkcs12 certificate. There appear to be 2 ways to
do this:

1) run 'genkey'. This is very convenient. See man genkey for more
information. The key will end up somewhere in the /etc/pki/tls tree, under
certs, or was it private. I don't remember exactly why I opted not to use
this method, although I did try it about 1 or 2 weeks ago when I was still
learning how this works.

2) use openssl. Once again, there are 2 possibilities under openssl: either
you have your system set up as a CA (certificate authourity), or you don't.
I don't, so I can only make self-signed certificates. Nota Bene: Setting up
your system as a CA may or may not be complicated. I haven't tried.

Note also that if you only issue self-signed certificates, as I have, they
don't really have a lot of validity. Anyone can create a certificate with
your name and your email address and sign documents with it. There is no
trusted authority or web of trust, just the creator's word that the
certificate is valid. However, for signing a letter you have written or an
assignment for a course, this should not pose a lot of problems. Just be
aware that a certificate through cacert.org http://cacert.org would be
better, but they would, of course, require a lot of personal information
from you, which you might not wish to divulge.

So, having opted for the self-signed openssl method, you would make the
certificate like this (if you don't specify the days argument, the default
certificate validity will be exactly 30 days, which might be ok for signing
a document, but should you use the certificate to encrypt a document, then
this might be very time-restrictive):

openssl req -new -newkey rsa:1024 -nodes -x509 -days 1000 -keyout key -out
cert

This creates 2 ascii files, the key and the certificate. In order to turn
them into a pkcs12 bundle, you have to combine them into one file and appen=
d
a line feed to each, thusly:

echo  key
cat cert  key
echo  key
mv key mycertificate.pem
rm cert

You will now have combined the 2 files into one and deleted the extra one,
and then renamed the combined file. What you now have is an RSA key and an
X.509 self-signed certificate, valid for 1000 days, called mycertificate.pe=
m
.

However, the Netscape Certificate format requires that this .pem key bundle
be converted into a pkcs12 format. This is done thusly:

openssl pkcs12 -export -in mycertificate.pem -out mycertificate.p12 -name
My Certificate

This creates a further file, mycertificate.p12.

So, you now have the required certificate. What you can do with the .pem
file, I do not know, but you had better keep it safe, just like the .p12 ke=
y
bundle.

You now want to import the .p12 key into various programs:

1) You might as well import it into Konqueror, since it supports it, but
this is not required for signing Open Office documents. Make sure you have
gpgsm enabled in kmail under settings/security/crypto backends, otherwise
Kleopatra will crash. Once this is done, I believe you can choose the
signing certificate under kmail settings/identities/crypptography, but I
prefer openpgp for email, so I didn't do that, having already previously
entered my openpgp key.

2) Boot firefox, go into edit/preferences/advanced/certificates/manage
certificates/your certificates and import mycertificate.p12 that you have
just created. It will ask you for a passphrase.

If you have mozilla (fedora does by default) and thunderbird, you would
likely want to have all programs seeing the same certificates. You have 2
options, either import the certificate into each program, but then you will
have to do this for every certificate you either add or delete in each
program. To have only one certificate store and avoid the problem of having
unsynchronised