Gentoo Forums
What software to verify PDF digital signature?

DeIM
Posted: Tue Sep 07, 2021 8:00 pm

Hi, I need to verify some PDF signatures and under Gentoo I tried:
pdfsig from poppler - it doesn't seem to verify correctly - it says signatures are correct but Acrobat Reader (under Windows) says some have a bad certificate or a self-signed certificate.

I'd like to somehow install Acrobat Reader on Gentoo but the only way to get a recent version is through Wine.
The latest version installs fine with mspatcha and atmlib installed over winetricks and winecfg set to Win 7.
I can run it but it hangs on loading a PDF file.

Does anybody have a working Acrobat Reader under Gentoo? What version is working?
I've tried AcroRdrDC2100520060_en_US.exe with wine-vanilla 6.16.
Is there any other working solution to digitally sign/verify PDFs under Gentoo?

Thanks in advance ;-)

psycho
Posted: Thu Sep 09, 2021 3:37 am

Hi DeIM.

LibreOffice Draw can sign and verify PDF signatures, but I haven't done this myself so don't know if it's any good at it, or how it does it (maybe it's just calling pdfsig, I don't know). Anyway if you've already got it installed it might be worth a try.

DeIM
Posted: Thu Sep 09, 2021 1:03 pm

Thanks for the reply, psycho,

LibreOffice Draw can import PDF but it doesn't display any digital signature in it. Maybe I'm just doing something wrong.

mike155
Posted: Thu Sep 09, 2021 1:19 pm

Have you tried pdfsig? See: https://www.systutorials.com/docs/linux/man/1-pdfsig/.

It should be installed after emerge app-text/poppler[utils], but it isn't... :(

EDIT: in order to get pdfsig, poppler must be emerged with USE Flags "utils" AND "nss". :)

DeIM
Posted: Thu Sep 09, 2021 8:56 pm

Hi mike155, thanks for the reply.
Yes, I've tried pdfsig but it prints that the digital signature is correct (valid) when it's not. (Or I didn't get how it works.)

mike155
Posted: Thu Sep 09, 2021 10:01 pm

Quote:
Yes, I've tried pdfsig but it prints that the digital signature is correct (valid) when it's not. (Or I didn't get how it works.)

Ah, I see... You wrote it in your first post. I didn't read carefully. Sorry!

Anyway, pdfsig works for me - but it's crucial to read its output carefully.

For example, I have a document that I signed with my key and a self-signed certificate. I haven't added my certificate to my computer's list of trusted certificates:
Code:
$ pdfsig example1.pdf
Digital Signature Info of: example1.pdf
Signature #1:
  - Signer Certificate Common Name: XXX
  - Signer full Distinguished Name: CN=XXX,L=XXX,C=XXX,XXX
  - Signing Time: Aug 17 2021 19:12:06
  - Signing Hash Algorithm: SHA1
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 77169], [79795 - 104492]
  - Not total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer is unknown.

Pdfsig says that the Signature is valid, but that the Certificate issuer is unknown. That's exactly what I expected.

I sent my document to a colleague and he signed it with his key. His certificate was issued by his company. PDFsig now prints:
Code:
$ pdfsig example2.pdf
Digital Signature Info of: example2.pdf
Signature #1:
  - Signer Certificate Common Name: XXX
  - Signer full Distinguished Name: CN=XXX,L=XXX,C=XXX,XXX
  - Signing Time: Aug 17 2021 19:12:06
  - Signing Hash Algorithm: SHA1
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 77169], [79795 - 104492]
  - Not total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer is unknown.
Signature #2:
  - Signer Certificate Common Name: XXX
  - Signer full Distinguished Name: E=XXX,CN=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
  - Signing Time: Aug 18 2021 11:15:54
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 111548], [125352 - 185204]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.

Again exactly what I expected: the signature (#2) of my colleague is valid, but pdfsig can't trust the Certificate issuer, because I haven't added the company's CA certificate to my computer's list of trusted certificates.

So what does pdfsig print for your document? And why do you think it's wrong?

If you really don't trust pdfsig or if it doesn't work for you, you could try Qoppa's PDF Studio Free Viewer, see: https://www.qoppa.com/pdfstudioviewer.

DeIM
Posted: Mon Sep 13, 2021 6:54 pm

Never mind, thanks for reply :-)

Code:
$ pdfsig wrong.pdf
Digital Signature Info of: wrong.pdf
Syntax Error (0): Invalid or missing Signature string
Signature #1:
  - Signer Certificate Common Name: (null)
  - Signer full Distinguished Name: (null)
  - Signing Time: Jan 01 1970 01:00:00
  - Signing Hash Algorithm: unknown
  - Signature Type: unknown
  - Signature Validation: Signature has not yet been verified.
Signature #2:
  - Signer Certificate Common Name: XXX
  - Signer full Distinguished Name: serialNumber=XXX,SN=XXX,givenName=XXX,initials=XX,E=XXX,L="XXX",ST=XXX,CN=XXX,C=XXX
  - Signing Time: Aug 30 2021 09:41:32
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 234743], [249503 - 261565]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.


Adobe Acrobat Reader says about Signature #2 not valid - wrong certificate.
pdfsig says it's signed and signature is valid. (I see the error above but still :-) )
It's the source of my doubt.

For the record (haven't tested so far):
Okular should verify and sign PDFs in recent versions.
JSignPDF should sign PDFs well and the new version is out now (program not in portage). It's also available as an add-on to Libre/OpenOffice.

mike155
Posted: Mon Sep 13, 2021 7:18 pm

DeIM wrote:
pdfsig says it's signed and signature is valid.

No! It doesn't say that.

Actually, both Acrobat
Code:
Adobe Acrobat Reader says about Signature #2 not valid - wrong certificate.

and pdfsig
Code:
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.   

tell you exactly the same thing: something is wrong!

Signature validation is a two-step process:
  1. The first step is verification of the cryptographic checksum / hash. Acrobat doesn't tell you anything about this step. Pdfsig tells you that this step was successful.

  2. The second step is certificate verification. Acrobat tells you "Signature #2 not valid - wrong certificate". But it doesn't tell you why! Pdfsig also tells you that something is wrong and that it cannot verify the certificate. But pdfsig even tells you the reason: "Certificate issuer isn't Trusted", which probably means that you haven't added the signer's CA certificate to your list of trusted certificates.

So pdfsig does not only work correctly - it even gives you much more information. So it's actually better than Acrobat!

Hu
Posted: Mon Sep 13, 2021 9:22 pm

To elaborate on mike155's description:

Step 1 is to check whether the data in the PDF matches what the signer intended it to be. If this is wrong, then either the signer implemented the signature improperly (rare) or the file was changed after signing.

Step 2 is to check whether the signature is from someone who you trust to sign this. This is needed, because otherwise a malicious party could modify the document, then install his own signature, computed to include his modifications. Step 1 would be happy with that, but step 2 will catch that J Random Criminal is not the entity that was supposed to sign this document.
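
The two-step reading that mike155 and Hu describe, as an added example (not part of any post and not poppler's own code): a small Python filter that reads pdfsig's text output and accepts a signature only when both steps pass. The sample is abbreviated from the wrong.pdf output posted above; the "Certificate is Trusted." success string is an assumption, since the thread never shows a trusted result.

```python
import re

# "Signature is Valid." appears in the thread's output. "Certificate is Trusted."
# is an assumption: the thread never shows a certificate that validated.
SIG_OK = "Signature is Valid."
CERT_OK = "Certificate is Trusted."

def parse_pdfsig(text):
    """Split pdfsig output into one dict per 'Signature #N:' block."""
    sigs = []
    for line in text.splitlines():
        m = re.match(r"Signature #(\d+):", line)
        if m:
            sigs.append({"n": int(m.group(1)), "integrity": None, "cert": None, "whole_doc": False})
            continue
        item = line.strip()
        if not sigs or not item.startswith("- "):
            continue
        key, _, value = item[2:].partition(": ")
        if key == "Signature Validation":
            sigs[-1]["integrity"] = value
        elif key == "Certificate Validation":
            sigs[-1]["cert"] = value
        elif item == "- Total document signed":
            sigs[-1]["whole_doc"] = True
    return sigs

def verdict(sig):
    """Accept only if step 1 (hash) AND step 2 (certificate) both pass."""
    if sig["integrity"] != SIG_OK:
        return "REJECT: integrity not confirmed (%s)" % sig["integrity"]
    if sig["cert"] != CERT_OK:
        return "REJECT: signer not trusted (%s)" % sig["cert"]
    if not sig["whole_doc"]:
        return "WARN: valid and trusted, but covers only part of the file"
    return "ACCEPT"

# Abbreviated copy of the wrong.pdf output posted in the thread.
SAMPLE = """\
Signature #1:
  - Signature Validation: Signature has not yet been verified.
Signature #2:
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.
"""

if __name__ == "__main__":
    for s in parse_pdfsig(SAMPLE):
        print("Signature #%d: %s" % (s["n"], verdict(s)))
```

A signature whose certificate line is missing or reports anything other than the trusted string is rejected, so a valid hash alone never produces ACCEPT.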