ntg-context - mailing list for ConTeXt users
From: Hans Hagen via ntg-context <ntg-context@ntg.nl>
To: ntg-context@ntg.nl
Cc: Hans Hagen <j.hagen@freedom.nl>
Subject: [NTG-context] Re: digital signing in ConTeXt
Date: Tue, 18 Jun 2024 00:52:38 +0200
Message-ID: <78627a8c-9f9a-48d4-8244-fe78d9b9049c@freedom.nl>
In-Reply-To: <56e22216-05a2-4f33-849f-c3aff7ab9946@gmx.es>

On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
> Dear list,
> 
> the latest version of LMTX can digitally sign PDF documents. It requires
> OpenSSL installed (since it does the crypto part).
> 
> I have two issues that I would like to be tested by others.
> 
> A sample certificate may be found at
> https://mailman.ntg.nl/archives/list/ntg-context@ntg.nl/message/ECSXLVMT3TMQBIHA2UZJPWJN7OVV5334/attachment/2/mycert.pfx
> (I sent it myself).
> 
> Here is a sample document (actually provided by Hans):
> 
>    \setupinteraction[state=start]
>    \definefield[signature][signed]
>    \defineoverlay[signature][my signature]
>    \starttext
>      \startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
>        sign: \inframed[background=signature,framecolor=darkred]
>                {\fieldbody[signature][width=3cm,option=hidden]}
>      \stopTEXpage
>    \stoptext
> 
> After compiling the sample, you need to run:
> 
> mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc doc.pdf

i use a pem

> Password will be prompted again ("ABCabc"), since it is an encrypted
> certificate (also for the public part).
> 
> Could anyone confirm the following issues?
> 
> 1. The signature I get is wrong, unless I apply this patch
> (https://mailman.ntg.nl/archives/list/dev-context@ntg.nl/message/T3OCKVZWTUTIXCSOKIFRVJ4X76MROZHE/attachment/3/byterange.diff
> [sent by myself to the devel list]).
> 
> 2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
> have tested this with pdfsig from poppler and MuPDF-GL) display the
> digital signature at all?

this whole digital signing is a bit of a scam imo ...

- one has to buy a specific kind of certificate
- often one is supposed to use some token
- when the root cert expires one has to re-sign
- reader has root certs built in and checking is supposed to be online
- it doesn't come cheap and supporting / testing is not something one 
can expect for free (so i can't really test it)

... so just some business model and not really something one can do out 
of the box

... apart from ...

- just sign with some certificate and don't expect viewers to do something
- offer a service to upload the document for checking when a user is in 
doubt
- that can be done without root cert and basically works as long as the 
service works

concerning the suggested patches: this <....whatever....> boundary is a 
bit fuzzy and i found that different viewers / checkers expect either or 
not +/- 1 but i didn't check recently if things have improved

if we know the specs and have a way to test ... no big deal to fix a few 
offsets

Hans



-----------------------------------------------------------------
                                           Hans Hagen | PRAGMA ADE
               Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
        tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
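
The `+/- 1` boundary question raised above can be checked mechanically. The following is an added example, not part of the original message and not ConTeXt code: it compares the `/ByteRange` gap with the position of the `/Contents <...>` hex string. It assumes the usual reading of ISO 32000, in which the gap covers the whole `/Contents` value including the `<` and `>` delimiters; `check_byterange` and `make_sample` are hypothetical names, and the sample bytes are constructed.

```python
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS = re.compile(rb"/Contents\s*(<[0-9A-Fa-f\s]*>)")

def check_byterange(pdf: bytes) -> dict:
    """Compare the /ByteRange gap with the position of the /Contents hex string."""
    br = BYTERANGE.search(pdf)
    ct = CONTENTS.search(pdf)
    if not br or not ct:
        raise ValueError("no /ByteRange or /Contents <...> found")
    a, b, c, d = (int(x) for x in br.groups())
    lt, gt_end = ct.span(1)            # offset of '<' and offset just past '>'
    return {
        "starts_at_zero": a == 0,
        "reaches_eof": c + d == len(pdf),
        "start_delta": (a + b) - lt,   # 0: gap opens exactly at '<'
        "end_delta": c - gt_end,       # 0: gap closes exactly after '>'
        "signed": pdf[a:a + b] + pdf[c:c + d],  # bytes the digest must cover
    }

def make_sample(start_shift: int = 0, end_shift: int = 0) -> bytes:
    """Constructed signature-dictionary fragment (not a complete PDF)."""
    placeholder = b"[0 0000000000 0000000000 0000000000]"
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange " + placeholder + b" /Contents "
    hole = b"<" + b"00" * 16 + b">"    # space reserved for the signature
    tail = b" >>\nendobj\n%%EOF\n"
    pdf = head + hole + tail
    b = len(head) + start_shift        # length of the first signed range
    c = len(head) + len(hole) + end_shift
    d = len(pdf) - c
    # Fixed-width numbers keep every offset stable when the placeholder is patched.
    return pdf.replace(placeholder, b"[0 %010d %010d %010d]" % (b, c, d))

if __name__ == "__main__":
    for shifts in [(0, 0), (1, -1)]:
        r = check_byterange(make_sample(*shifts))
        print(shifts, r["start_delta"], r["end_delta"], r["reaches_eof"])
```

A non-zero `start_delta` or `end_delta` means a delimiter was pulled into (or extra bytes were left out of) the signed data, which is the kind of off-by-one a checker such as pdfsig would then report as a digest mismatch.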
