Re: Signature process in LibreOffice 6.3
On 07.02.20 20:13, Steve Martin wrote:

> Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 3.5 of the OpenDocument specification part 3. Document signatures shall contain a element for each file within the package, with the exception that elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted.

Interesting, I hadn't noticed that... apparently it was added with https://issues.oasis-open.org/browse/OFFICE-3028

> I understand it in that way: If I create a directory with the name "external-data" and put files into that directory, these files remain unaffected by the signature check (unlike my file "Thumbnails/meta.xml"). Is this correct? Or are these files just not a part of the signature while generating the signature value?*
>
> I repeated my test scenario and adjusted the manifest.xml file accordingly: manifest:media-type="text/xml"/>
>
> If I now copy the meta.xml file into the "external-data" folder after creating the signature, I still get the message that the signature is invalid. None of the URI attributes of the elements contain the value "external-data/meta.xml".

git grep "external-data" indicates that this feature remains unimplemented in LO.

___
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Signature process in LibreOffice 6.3
Hi Oliver,

Oliver Brinzing wrote
> you added a new file into the zip package *after* signing the document.

Yeah, that's correct.

Oliver Brinzing wrote
> [...] LO checks all files inside the zip package during opening
> and if it finds a changed file or a file which is not listed in
> "documentsignatures.xml" it will
> invalidate the signature.

Perhaps. As a result, LibreOffice does not only use the XML signatures but also checks additional things. Is that correct?

Regards
Steve
Re: Signature process in LibreOffice 6.3
Hi Mike,

thanks for your fast reply.

> Note that "Document signatures shall contain a element *for each file within the package*", and the contents of Thumbnails is not listed among the exceptions.

I've understood. The file documentsignatures.xml needs a element for my "Thumbnails/meta.xml" file. Therefore the signature fails because the corresponding entry in the documentsignatures.xml file is missing.

> Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 3.5 of the OpenDocument specification part 3. Document signatures shall contain a element for each file within the package, with the exception that elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted.

I understand it in that way: If I create a directory with the name "external-data" and put files into that directory, these files remain unaffected by the signature check (unlike my file "Thumbnails/meta.xml"). Is this correct? Or are these files just not a part of the signature while generating the signature value?*

I repeated my test scenario and adjusted the manifest.xml file accordingly: manifest:media-type="text/xml"/>

If I now copy the meta.xml file into the "external-data" folder after creating the signature, I still get the message that the signature is invalid. None of the URI attributes of the elements contain the value "external-data/meta.xml".

*(By the way: If I create the folder "external-data" and create an empty file "test.xml" in this directory with the corresponding adjustment of the manifest.xml file: manifest:media-type="text/xml"/> After the compression I don't have the option to sign my ODT document (no action when I click on the "Sign document" button, the window in which I can select the certificates with which I can sign my document simply closes.))

Thanks in advance for your help
Steve
Re: Signature process in LibreOffice 6.3
Hi Steve,

you added a new file into the zip package *after* signing the document.

I *guess* (did not check the source code) LO checks all files inside the zip package during opening and if it finds a changed file or a file which is not listed in "documentsignatures.xml" it will invalidate the signature.

Regards
Oliver
Signature process in LibreOffice 6.3
Hello,

my name is Steve Martin and I am an enrolled student at the Ruhr University Bochum. I have a question regarding the implementation of the signature process in LibreOffice.

I use a self-created X.509 certificate for signing my ODT documents. As soon as I sign my ODT document, the file "documentsignatures.xml" is created in the META-INF folder in the OpenDocument package.

Before I signed my ODT document, I had decompressed the ODT document and added an additional file entry in META-INF/manifest.xml: manifest:media-type="text/xml"/>

Then I saved the manifest.xml file and compressed all the files back into a ZIP package. I can now open this file with LibreOffice and sign it with my X.509 certificate.

After I signed the document, I decompressed it again and copied the meta.xml file into the Thumbnails directory. Thanks to the previously added file entry in the manifest.xml file, I can now compress all the partial files back into a ZIP archive and open the document with LibreOffice as normal, without being shown the message that the file is corrupted. However, I don't understand why I now get the message that the signature is not valid.

I decompressed the ODT document with the invalid signature and compared the documentsignatures.xml file contained in the META-INF folder with the documentsignatures.xml file that was created immediately after the signature was created. Both files are exactly the same and neither contains the value "Thumbnails/meta.xml" in the URI attribute in the elements. Since none of the files that are listed in the documentsignatures.xml were manipulated, the signature should be valid? Or is there another signature somewhere besides the XML signature about the file structure of the ODT document?

Many thanks for your help
Steve
Re: Signature process in LibreOffice 6.3
Hi,

On 2020-02-07 18:46, Steve Martin wrote:

> After I signed the document, I decompressed it again and copied the meta.xml file into the Thumbnails directory. Thanks to the previously added file entry in the manifest.xml file, I can now compress all the partial files back into a ZIP archive and open the document with LibreOffice as normal, without being shown the message that the file is corrupted. However, I don't understand why I now get the message that the signature is not valid.
>
> I decompressed the ODT document with the invalid signature and compared the documentsignatures.xml file contained in the META-INF folder with the documentsignatures.xml file that was created immediately after the signature was created. Both files are exactly the same and neither contains the value "Thumbnails/meta.xml" in the URI attribute in the elements. Since none of the files that are listed in the documentsignatures.xml were manipulated, the signature should be valid? Or is there another signature somewhere besides the XML signature about the file structure of the ODT document?

OASIS OpenDocument version 1.2 sect. 3.16 Document Signatures [1]:

Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 3.5 of the OpenDocument specification part 3. Document signatures shall contain a element for each file within the package, with the exception that elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted.

Note that "Document signatures shall contain a element *for each file within the package*", and the contents of Thumbnails is not listed among the exceptions.

[1] http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415062_253892949

--
Best regards,
Mike Kaganski
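
The coverage rule quoted above can be checked mechanically. The following is an added example, not part of the thread and not LibreOffice's code: it lists the package files that have no XML-DSig `Reference` in META-INF/documentsignatures.xml, which is why a file copied in after signing breaks a signature whose XML is unchanged. It checks coverage only (no digest or signature-value verification); the function names and the in-memory sample package are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_FILE = "META-INF/documentsignatures.xml"


def unsigned_entries(package_bytes, honor_external_data=True):
    """Map each signature's index to the package files it has no ds:Reference for."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        files = {n for n in zf.namelist() if not n.endswith("/")}
        if SIG_FILE not in files:
            raise ValueError("package carries no document signature")
        # Constructed input only; parse untrusted packages with defusedxml instead.
        root = ET.fromstring(zf.read(SIG_FILE))
    required = files - {SIG_FILE}
    if honor_external_data:  # the exception quoted from the ODF text in the thread
        required = {f for f in required if not f.startswith("external-data/")}
    result = {}
    for index, sig in enumerate(root.iter(f"{{{DSIG_NS}}}Signature")):
        covered = set()
        for ref in sig.iter(f"{{{DSIG_NS}}}Reference"):
            uri = ref.get("URI", "")
            if uri and not uri.startswith("#"):  # "#..." points inside the signature
                covered.add(unquote(uri))
        result[index] = sorted(required - covered)
    return result


def build_sample(extra=()):
    """Constructed sample: a minimal signed package plus files added after signing."""
    refs = ["mimetype", "content.xml", "META-INF/manifest.xml"]
    sig_xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
        + "".join(f'<Reference URI="{r}"/>' for r in refs)
        + '<Reference URI="#ID_constructed"/></SignedInfo></Signature></document-signatures>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in refs:
            zf.writestr(name, b"constructed")
        zf.writestr(SIG_FILE, sig_xml)
        for name in extra:
            zf.writestr(name, b"added after signing")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample(["Thumbnails/meta.xml", "external-data/meta.xml"])
    print(unsigned_entries(pkg))                             # spec rule
    print(unsigned_entries(pkg, honor_external_data=False))  # no exception applied
```

With `honor_external_data=False` the check treats "external-data/" like any other path, which matches the behaviour reported in the thread, where the exception is said to be unimplemented in LO.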