From: Pablo Rodriguez via ntg-context <ntg-context@ntg.nl>
To: Hans Hagen via ntg-context <ntg-context@ntg.nl>
Cc: Pablo Rodriguez <oinos@gmx.es>
Subject: [NTG-context] Re: digital signing in ConTeXt
Date: Tue, 18 Jun 2024 08:44:27 +0200 [thread overview]
Message-ID: <c3b365e7-97bb-4d12-acb3-14b1d2824f5f@gmx.es> (raw)
In-Reply-To: <78627a8c-9f9a-48d4-8244-fe78d9b9049c@freedom.nl>
On 6/18/24 00:52, Hans Hagen via ntg-context wrote:
> On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
>> [...]>> 2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
>> have tested this with pdfsig from poppler and MuPDF-GL) display the
>> digital signature at all?
> this whole digitial signing is a bit of a scam imo ...
Digital signing may be a marketing gig also, but we may only consider
the pure feature as such.
I mean, I’m not interested here in the legally binding value of certain
digital certificates, but just in having digital signatures right.
> - one has to buy a specific kind of certificate
Generating certificates with OpenSSL is basically free.
> - often one is supposed to use some token
>
> - when the root cert expires one has to resign
I think this may be avoided by adding a timestamp token (as unsigned
attribute) in the PKCS#7 (as mentioned in the PDF spec).
> - reader has root certs built in and checking is supposed to be online
> > - it doesn't come cheap and supporting / testing is not something one
> can expect for free (so i can't really test it)
>
> ... so just some business model and not really something one can do out
> of the box
This is all related to certificate (legal) validity. This is out of the
scope.
> ... apart from ...
>
> - just sign with some certificate and don't expect viewers to do something
Acrobat may be wrong in not detecting the signature (I’m investigating it).
> concerning the suggested patches: this <....whatever....> boundary is a
> bit fuzzy and i found that different viewers / checkers expect either or
> not +/- 1 but i didn't check recently if things have improved
There are two different issues here: digest mismatch and total document
signing.
I’m afraid that the patch is needed since /ByteRange excludes a blank
space before the value of /Contents that is in the temporary file (tmpfile).
I mean, here are the contens of the temporary file from the sample
(tweaked to fit a single line]):
<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents /
Byte 6421 is the s (before the underscore):
<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents_ /
The blank space (marked above with the underscore) is included in the
hashed file (tmpfile), but it is not included in the /ByteRange.
This is the reason why we can only have digest mismatch.
As for total document signing, it is better only to exclude from
/ByteRange the value for /Contents (from < to >).
As far as I can remember, this is mandatory for PDF-2.0 (and highly
recommended for previous versions [although not required]).
> if we know the specs and have way to test ... no big deal to fix a few
> offsets
I’m happy to contribute as far as I can.
Sorry for insisting, but please don’t require plaintext password in the
command line (again, OpenSSL prompts for it).
Many thanks for your help,
Pablo
___________________________________________________________________________________
If your question is of interest to others as well, please add an entry to the Wiki!
maillist : ntg-context@ntg.nl / https://mailman.ntg.nl/mailman3/lists/ntg-context.ntg.nl
webpage : https://www.pragma-ade.nl / https://context.aanhet.net (mirror)
archive : https://github.com/contextgarden/context
wiki : https://wiki.contextgarden.net
___________________________________________________________________________________
next prev parent reply other threads:[~2024-06-18 6:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-17 17:51 [NTG-context] " Pablo Rodriguez via ntg-context
2024-06-17 18:21 ` [NTG-context] " Henning Hraban Ramm
2024-06-17 18:36 ` Pablo Rodriguez via ntg-context
2024-06-17 22:52 ` Hans Hagen via ntg-context
2024-06-18 6:44 ` Pablo Rodriguez via ntg-context [this message]
2024-06-18 8:27 ` Hans Hagen via ntg-context
2024-06-18 16:26 ` Pablo Rodriguez via ntg-context
2024-06-18 16:42 ` Hans Hagen via ntg-context
2024-06-18 17:28 ` Pablo Rodriguez via ntg-context
2024-06-18 17:42 ` Pablo Rodriguez via ntg-context
2024-06-19 7:28 ` Hans Hagen via ntg-context
2024-06-19 16:59 ` Pablo Rodriguez via ntg-context
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c3b365e7-97bb-4d12-acb3-14b1d2824f5f@gmx.es \
--to=ntg-context@ntg.nl \
--cc=oinos@gmx.es \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).