On 6/18/2024 8:44 AM, Pablo Rodriguez via ntg-context wrote:
> On 6/18/24 00:52, Hans Hagen via ntg-context wrote:
>> On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
>> [...]
>>> 2. I cannot get any signature display in Acrobat. Does any PDF viewer (I have tested this with pdfsig from poppler and MuPDF-GL) display the digital signature at all?
>>
>> this whole digital signing is a bit of a scam imo ...
>
> Digital signing may be a marketing gig also, but we may only consider the pure feature as such.
>
> I mean, I’m not interested here in the legally binding value of certain digital certificates, but just in having digital signatures right.
>
>> - one has to buy a specific kind of certificate
>
> Generating certificates with OpenSSL is basically free.

you cannot use a 'web certificate'

>> - often one is supposed to use some token
>> - when the root cert expires one has to resign
>
> I think this may be avoided by adding a timestamp token (as unsigned attribute) in the PKCS#7 (as mentioned in the PDF spec).

dunno, can test it

>> - reader has root certs built in and checking is supposed to be online
>> - it doesn't come cheap and supporting / testing is not something one can expect for free (so i can't really test it)
>>
>> ... so just some business model and not really something one can do out of the box
>
> This is all related to certificate (legal) validity. This is out of the scope.

whatever ...

>> ... apart from ...
>>
>> - just sign with some certificate and don't expect viewers to do something
>
> Acrobat may be wrong in not detecting the signature (I’m investigating it).

i think it only looks for 'official' ones

>> concerning the suggested patches: this <....whatever....> boundary is a bit fuzzy and i found that different viewers / checkers expect either or not +/- 1 but i didn't check recently if things have improved
>
> There are two different issues here: digest mismatch and total document signing.
>
> I’m afraid that the patch is needed since /ByteRange excludes a blank space before the value of /Contents that is in the temporary file (tmpfile).

i need to test more

> I mean, here are the contents of the temporary file from the sample (tweaked to fit a single line):
>
> << /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents /
>
> Byte 6421 is the s (before the underscore):
>
> << /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents_ /
>
> The blank space (marked above with the underscore) is included in the hashed file (tmpfile), but it is not included in the /ByteRange.
>
> This is the reason why we can only have digest mismatch.

yes but that's what i noticed when testing: mupdf, qpdf, acrobat, etc .. trial and error is not to add that one

> As for total document signing, it is better only to exclude from /ByteRange the value for /Contents (from < to >).
>
> As far as I can remember, this is mandatory for PDF-2.0 (and highly recommended for previous versions [although not required]).

not sure what you mean, 2.0 demanding signing?

if we know the specs and have a way to test ... no big deal to fix a few offsets

> I’m happy to contribute as far as I can.
>
> Sorry for insisting, but please don’t require plaintext password in the command line (again, OpenSSL prompts for it).

not if we use the library

Hans

-----------------------------------------------------------------
                                          Hans Hagen | PRAGMA ADE
              Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
       tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
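The /ByteRange boundary problem discussed in this thread (the blank before `<` being hashed but not covered, and the requirement that only the /Contents hex string from `<` to `>` be excluded) can be checked mechanically. The following Python script is an added example and is not part of the thread, of ConTeXt, or of any of the viewers mentioned: it parses /ByteRange and /Contents from a PDF byte string, reports any byte that is in neither range but outside the `<...>` value, and hashes exactly the covered bytes the way a verifier does. The PDF-like input it builds is constructed for the demonstration (dummy all-zero signature value, offsets filled in afterwards); the assumption that the first /Contents hex string after /ByteRange belongs to that same signature dictionary is the script's own.

```python
import hashlib
import re

# Matches the four numbers of a /ByteRange array: [offset1 length1 offset2 length2]
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Matches the hex-string value of /Contents in the signature dictionary
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")


def check_byterange(pdf: bytes) -> dict:
    """Check that /ByteRange covers the whole file except the /Contents hex
    string (from '<' to '>'), and hash exactly the covered bytes.
    Returns the parsed ranges, the '<' and '>' offsets, a list of problems
    and the SHA-256 a verifier would compute over the covered bytes."""
    m = BYTERANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    o1, l1, o2, l2 = (int(x) for x in m.groups())

    # Assumption: the first /Contents hex string after /ByteRange is the one
    # of this signature dictionary (true for the layout shown in the thread).
    c = CONTENTS_RE.search(pdf, m.end())
    if c is None:
        raise ValueError("no /Contents hex string found after /ByteRange")
    lt = c.start(1) - 1  # offset of '<'
    gt = c.end(1)        # offset of '>'

    problems = []
    if o1 != 0:
        problems.append(f"first range starts at {o1}, not at byte 0")
    if o1 + l1 != lt:
        problems.append(f"first range ends at {o1 + l1} but '<' of /Contents is at {lt}")
    if o2 != gt + 1:
        problems.append(f"second range starts at {o2} but '>' of /Contents is at {gt}")
    if o2 + l2 != len(pdf):
        problems.append(f"second range ends at {o2 + l2} but the file has {len(pdf)} bytes")

    covered = pdf[o1:o1 + l1] + pdf[o2:o2 + l2]
    return {
        "byterange": (o1, l1, o2, l2),
        "contents": (lt, gt),
        "problems": problems,
        "covered_len": len(covered),
        "sha256": hashlib.sha256(covered).hexdigest(),
    }


def build_sample(space_outside_range: bool) -> bytes:
    """Construct a minimal PDF-like byte string with a signature dictionary.
    Offsets are zero-padded to 10 digits, so filling them in moves nothing.
    With space_outside_range=True the first range stops one byte early and
    the blank before '<' lies in neither range (the digest-mismatch case)."""
    sig_hex = b"00" * 32  # constructed dummy signature value, 64 hex chars
    placeholder = b"0000000000 0000000000 0000000000 0000000000"
    prefix = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite\n"
              b"/SubFilter /adbe.pkcs7.detached /ByteRange [ " + placeholder +
              b" ]\n/Contents")
    body = prefix + b" <" + sig_hex + b"> >>\nendobj\n%%EOF\n"
    lt = len(prefix) + 1        # offset of '<' (after the blank)
    gt = lt + 1 + len(sig_hex)  # offset of '>'
    l1 = lt - 1 if space_outside_range else lt
    o2 = gt + 1
    l2 = len(body) - o2
    return body.replace(placeholder, b"%010d %010d %010d %010d" % (0, l1, o2, l2), 1)


if __name__ == "__main__":
    for flag in (False, True):
        result = check_byterange(build_sample(flag))
        print(result["byterange"], result["problems"] or "ok")
```

Run on a real signed file with `check_byterange(open("signed.pdf", "rb").read())`; an empty `problems` list means the two ranges bracket exactly the `<...>` value and together cover the whole file, which is the layout the thread says viewers expect. Any reported gap is a byte that is hashed by one side and skipped by the other, which is exactly the digest mismatch described above.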