[Touch-packages] [Bug 740506]
Thanks Albert for merging it. Yes it's not finished and I'm intending to pick up last summer's work on the glib frontend part. I agree that we should close this bug and open specific ones to track the frontend development or any other issue we find with the core code. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Fix Released Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 120992 Load NSS root certs module This change is needed to actually do certificate validation, because as it is NSS is trying to load the module which contains all the builtin root certs from the Firefox profile directory where it is usually missing. This way it will load the module from a system library directory. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
I'm in favour of Adrian's patch. It's an improvement with additional sanity checks on the ByteRange values. Indeed I tried to see if you could check if a given ByteRange covers the whole document and also found no easy way to do it with existing poppler functions/APIs. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 120434 Improve robustness of SignatureHandler::validateCertificate This patch adds additional NULL-checking in SignatureHandler::validateCertificate() which avoids segfault for some signatures like the one contained here: http://www.gpo.gov/fdsys/pkg/BUDGET-2015-BUD/pdf/BUDGET-2015-BUD.pdf It also removes a useless branch in validateCertificate() -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 119283 Manpage improvement Here's an improvement to the manpage. Corrected a typo and added some missing context -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
(In reply to Adrian Johnson from comment #79) > + r_values[0] = r2.isInt64() ? r2.getInt64() : r2.getInt(); > + r_values[1] = r3.isInt64() ? r3.getInt64() : r3.getInt(); > + r_values[2] = r4.isInt64() ? r4.getInt64() : r4.getInt(); > > According the PDF Reference, the ByteRange array contains pairs of > (offset,length). > > Why do we ignore the first offset and later assume it is 0? Why do we assume > there are exactly two pairs. > > I only skimmed over the digital signatures section so maybe I missed > something. Actually the PDF spec allows for more than 2 pairs of values in /ByteRange but it would mean that there is more than one gap in the signed data apart from the signature itself. Quoting from ISO 32000-1 section 12.8.1: "This range should be the entire file, including the signature dictionary but excluding the signature value itself (the Contents entry). Other ranges may be used but since they do not check for all changes to the document, their use is not recommended." Obviously in a file with multiple signatures each signature should cover the latest revision present in the file when the signature was appended. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118745 Incremental hashing + large file support With this patch I've implemented the incremental hashing plus the large file support. This is still untested with files larger than 2GB but is correct for all the regular test cases I gathered before. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118398 Fix for Buffer overflow Regarding the illegal ByteRange values which would cause overflow this patch should fix it -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118449 Support for adbe.pkcs7.sha1 signatures This patch, to be applied over the previous one, adds support for adbe.pkcs7.sha1 signatures so now we should have a more complete coverage of actual signed PDFs. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118446 NSS conditional build This patch makes the NSS dependency optional in the CMake and Autotools build systems. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
@Adrian Thanks for the tips on support for large files, progressive hashing and the NSS includes. We'll be posting our attempts to improve these issues as individual patches. I also thought of adding the feature to pdfinfo but it seems wrong to mix up something which performs various computations and relies on external state (NSS cert DB) to pdfinfo which just reads metadata from the file itself. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
@Albert Thanks for the improvements. Regarding your 3 questions: 1- I've no objection to make the feature optional. I understand there are people building more minimal versions of poppler that dislike additional dependencies. 2- Yes we should. Our defaults are meant to take advantage of the already configured and implicitly trusted NSS cert DBs in Firefox but we shouldn't limit the user's options. 3- We're already looking into supporting adbe.pkcs7.sha1 signatures which we found are very widespread. In Portugal we found that several big companies are still using this kind of signatures in signed PDF invoices as of now. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118193 poppler nss signature support - v5 - refactor Here's a new patch following Albert's recommendations. We've expanded the FormFieldSignature and FormFieldWidget classes to expose the signature method. We also added checking for non-supported signature types as we only support pkcs7.detached signatures at the moment. This patch only includes the changes to poppler core and the pdfsigverify utility, glib still needs changes to move the validation from poppler_document to poppler_form_field. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118195 poppler nss signature support - v6 Sorry, there were still some missing NULL checks and a useless new(), here's a new one. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Sorry for the succession of patches. This one fixes some remaining leaks in the new PDFDoc methods and improves the indentation -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 118036 poppler nss signature support - v3 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by Date: Reason: Location: but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Sorry for the long absence and here's another attempt at solving this issue. I just attached a patch developed by me and André Esser which adds signature verification support to poppler core and the glib frontend. It uses the NSS CMS API for the crypto operations (signature and certificate Validations). 4 new functions were added at the glib wrapper level: poppler_document_is_signed poppler_document_signature_validate poppler_document_signature_get_time poppler_document_signature_get_signername We added a new test utility for this feature in utils/pdfsigverify and exposed the number of signatures in poppler-glib-demo. The trusted certificate issue for Linux systems is tackled in the following way: we try to load the NSS certificate DB in the default Firefox profile and if that fails we try to load certificates from the standard directory /etc/pki/nssdb which may or may not be populated depending on the distro setup. We're obviously open to suggestions in this area. Current limitation: - The CMake changes we're not done yet so Autotools build is required for now (we couldn't find an easy/clean way to find the NSS dependency using CMake) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by signer Date: time stamp Reason: reason Location: location but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 740506]
Created attachment 117885 PDF signature verification using NSS -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures Status in Evince: Confirmed Status in Poppler: Confirmed Status in poppler package in Ubuntu: Triaged Bug description: Binary package hint: evince This is a feature request to verify digital signatures. I'm receiving more and more digitally signed PDF's and evince already acknowledges them with: Signature Not Verified Digitally signed by signer Date: time stamp Reason: reason Location: location but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures. To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
