From: Hans Hagen via ntg-context
Date: Tue, 18 Jun 2024 00:52:38 +0200
To: ntg-context@ntg.nl
Cc: Hans Hagen
Subject: [NTG-context] Re: digital signing in ConTeXt
Message-ID: <78627a8c-9f9a-48d4-8244-fe78d9b9049c@freedom.nl>
In-Reply-To: <56e22216-05a2-4f33-849f-c3aff7ab9946@gmx.es>

On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
> Dear list,
>
> the latest version of LMTX can digitally sign PDF documents. It requires
> OpenSSL installed (since it does the crypto part).
>
> I have two issues that I would like to be tested by others.
>
> A sample certificate may be found at
> https://mailman.ntg.nl/archives/list/ntg-context@ntg.nl/message/ECSXLVMT3TMQBIHA2UZJPWJN7OVV5334/attachment/2/mycert.pfx
> (I sent it myself).
>
> Here is a sample document (actually provided by Hans):
>
>    \setupinteraction[state=start]
>    \definefield[signature][signed]
>    \defineoverlay[signature][my signature]
>    \starttext
>    \startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
>    sign: \inframed[background=signature,framecolor=darkred]
>    {\fieldbody[signature][width=3cm,option=hidden]}
>    \stopTEXpage
>    \stoptext
>
> After compiling the sample, you need to run:
>
>    mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc doc.pdf

i use a pem

> Password will be prompted again ("ABCabc"), since it is an encrypted
> certificate (also for the public part).
>
> Could anyone confirm the following issues?
>
> 1. The signature I get is wrong, unless I apply this patch
> (https://mailman.ntg.nl/archives/list/dev-context@ntg.nl/message/T3OCKVZWTUTIXCSOKIFRVJ4X76MROZHE/attachment/3/byterange.diff
> [sent by myself to the devel list]).
>
> 2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
> have tested this with pdfsig from poppler and MuPDF-GL) display the
> digital signature at all?

this whole digital signing is a bit of a scam imo ...

- one has to buy a specific kind of certificate
- often one is supposed to use some token
- when the root cert expires one has to re-sign
- reader has root certs built in and checking is supposed to be online
- it doesn't come cheap and supporting / testing is not something one
  can expect for free (so i can't really test it)

... so just some business model and not really something one can do out
of the box ... apart from ...

- just sign with some certificate and don't expect viewers to do something
- offer a service to upload the document for checking when a user is in
  doubt
- that can be done without root cert and basically works as long as the
  service works

concerning the suggested patches: this <....whatever....> boundary is a
bit fuzzy and i found that different viewers / checkers expect either or
not +/- 1 but i didn't check recently if things have improved

if we know the specs and have a way to test ... no big deal to fix a few
offsets

Hans

-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
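Added example (not part of the original message and not ConTeXt's own code): a small check for the +/- 1 question around the <...> boundary. It compares the declared /ByteRange with where the /Contents hex string actually sits, and shows that a one-byte shift changes the digest a checker computes. It assumes the convention that the unsigned gap is exactly the hex string including its < and > delimiters. The names check_byterange and make_sample are hypothetical, and the sample bytes are constructed.

```python
import hashlib
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS = re.compile(rb"/Contents\s*(<[0-9A-Fa-f\s]*>)")

def check_byterange(pdf: bytes) -> dict:
    """Compare the declared /ByteRange with where the /Contents hex string sits.

    Handles the first signature dictionary found; assumes /Contents is a hex string.
    """
    br, ct = BYTERANGE.search(pdf), CONTENTS.search(pdf)
    if not br or not ct:
        raise ValueError("no /ByteRange [...] or /Contents <...> found")
    a, la, b, lb = (int(n) for n in br.groups())
    lt, past_gt = ct.start(1), ct.end(1)  # offset of '<' and offset just past '>'
    # Digest over the ranges as declared vs. over "everything except <...>".
    declared = hashlib.sha256(pdf[a:a + la] + pdf[b:b + lb]).hexdigest()
    aligned = hashlib.sha256(pdf[:lt] + pdf[past_gt:]).hexdigest()
    return {
        "gap_start_delta": (a + la) - lt,  # 0: first range ends right before '<'
        "gap_end_delta": b - past_gt,      # 0: second range starts right after '>'
        "reaches_eof": a == 0 and b + lb == len(pdf),
        "digest_matches_aligned": declared == aligned,
    }

def make_sample(start_shift: int = 0, end_shift: int = 0) -> bytes:
    """Constructed stand-in for a signed PDF (only the bytes this check reads)."""
    head = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig "
            b"/ByteRange [%010d %010d %010d %010d] /Contents ")
    sig = b"<" + b"00" * 16 + b">"        # placeholder signature value
    tail = b" >>\nendobj\n%%EOF\n"
    lt = len(head % (0, 0, 0, 0))         # fixed-width numbers keep offsets stable
    gap_start, gap_end = lt + start_shift, lt + len(sig) + end_shift
    total = lt + len(sig) + len(tail)
    return head % (0, gap_start, gap_end, total - gap_end) + sig + tail

if __name__ == "__main__":
    # (0, 0): gap is exactly <...>; (1, -1): delimiters treated as signed data;
    # (0, 1): one byte after '>' is left unsigned.
    for shifts in [(0, 0), (1, -1), (0, 1)]:
        print(shifts, check_byterange(make_sample(*shifts)))
```

A non-zero delta on a real file shows which convention the signer used; a checker that hashes with the other convention computes a different digest and reports the signature as invalid.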