ntg-context - mailing list for ConTeXt users
From: Pablo Rodriguez via ntg-context <ntg-context@ntg.nl>
To: Hans Hagen via ntg-context <ntg-context@ntg.nl>
Cc: Pablo Rodriguez <oinos@gmx.es>
Subject: [NTG-context] Re: digital signing in ConTeXt
Date: Tue, 18 Jun 2024 08:44:27 +0200
Message-ID: <c3b365e7-97bb-4d12-acb3-14b1d2824f5f@gmx.es>
In-Reply-To: <78627a8c-9f9a-48d4-8244-fe78d9b9049c@freedom.nl>

On 6/18/24 00:52, Hans Hagen via ntg-context wrote:
> On 6/17/2024 7:51 PM, Pablo Rodriguez via ntg-context wrote:
>> [...]
>> 2. I cannot get any signature display in Acrobat. Does any PDF viewer (I
>> have tested this with pdfsig from poppler and MuPDF-GL) display the
>> digital signature at all?
> this whole digital signing is a bit of a scam imo ...

Digital signing may be a marketing gig also, but we may only consider
the pure feature as such.

I mean, I’m not interested here in the legally binding value of certain
digital certificates, but just in having digital signatures right.

> - one has to buy a specific kind of certificate

Generating certificates with OpenSSL is basically free.

> - often one is supposed to use some token
>
> - when the root cert expires one has to resign

I think this may be avoided by adding a timestamp token (as unsigned
attribute) in the PKCS#7 (as mentioned in the PDF spec).

> - reader has root certs built in and checking is supposed to be online
>
> - it doesn't come cheap and supporting / testing is not something one
> can expect for free (so i can't really test it)
>
> ... so just some business model and not really something one can do out
> of the box

This is all related to certificate (legal) validity. This is out of the
scope.

> ... apart from ...
>
> - just sign with some certificate and don't expect viewers to do something

Acrobat may be wrong in not detecting the signature (I’m investigating it).

> concerning the suggested patches: this <....whatever....> boundary is a
> bit fuzzy and i found that different viewers / checkers expect either or
> not +/- 1 but i didn't check recently if things have improved

There are two different issues here: digest mismatch and total document
signing.

I’m afraid that the patch is needed since /ByteRange excludes a blank
space before the value of /Contents that is in the temporary file (tmpfile).

I mean, here are the contents of the temporary file from the sample
(tweaked to fit a single line):

<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents  /

Byte 6421 is the s (before the underscore):

<< /ByteRange [ … 0000006421 0000010520 0000000384 ] /Contents_ /

The blank space (marked above with the underscore) is included in the
hashed file (tmpfile), but it is not included in the /ByteRange.

This is the reason why we can only have digest mismatch.

As for total document signing, it is better only to exclude from
/ByteRange the value for /Contents (from < to >).

As far as I can remember, this is mandatory for PDF-2.0 (and highly
recommended for previous versions [although not required]).

> if we know the specs and have a way to test ... no big deal to fix a few
> offsets

I’m happy to contribute as far as I can.

Sorry for insisting, but please don’t require a plaintext password on the
command line (again, OpenSSL prompts for it).

Many thanks for your help,

Pablo
___________________________________________________________________________________
If your question is of interest to others as well, please add an entry to the Wiki!

maillist : ntg-context@ntg.nl / https://mailman.ntg.nl/mailman3/lists/ntg-context.ntg.nl
webpage  : https://www.pragma-ade.nl / https://context.aanhet.net (mirror)
archive  : https://github.com/contextgarden/context
wiki     : https://wiki.contextgarden.net
___________________________________________________________________________________
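An added worked example of the /ByteRange check discussed above (digest mismatch from the blank before the /Contents value, and total document signing). This is not code from the thread or from ConTeXt: the "PDF" it builds is a constructed byte string with only the parts that matter for the check, SIG_SLOT is an assumed slot size for the signature, and SHA-256 stands in for the digest a real verifier would compare against the messageDigest attribute inside the PKCS#7 blob.

```python
import hashlib
import re

# Constructed example, not ConTeXt's signing code. The byte string below is
# not a valid PDF; it only has a /Sig dictionary with /ByteRange and /Contents.
# SHA-256 stands in for the digest carried inside the PKCS#7 SignedData.

SIG_SLOT = 64   # assumed size (bytes) of the slot reserved for the DER signature

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<[0-9A-Fa-f]*>")


def build_signed_pdf(signature_der: bytes, gap_includes_blank: bool = False) -> bytes:
    """Write a /Sig dictionary with a blank between /Contents and '<'.

    The offsets are written as fixed-width numbers into a same-width
    placeholder, so filling them in moves nothing. With gap_includes_blank=True
    the second range starts one byte early: /ByteRange then excludes the blank
    before '<' although the signer's tmpfile (file minus '<...>') keeps it.
    """
    hex_value = signature_der.hex().encode().ljust(2 * SIG_SLOT, b"0")
    placeholder = b"/ByteRange [ 0000000000 0000000000 0000000000 0000000000 ]"
    body = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
            + placeholder + b"\n/Contents <" + hex_value + b"> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    lt = body.index(b"/Contents <") + len(b"/Contents ")   # offset of '<'
    after_gt = lt + 1 + len(hex_value) + 1                  # first byte after '>'
    gap_start = lt - 1 if gap_includes_blank else lt
    byterange = b"/ByteRange [ %010d %010d %010d %010d ]" % (
        0, gap_start, after_gt, len(body) - after_gt)
    assert len(byterange) == len(placeholder)
    return body.replace(placeholder, byterange)


def check_byterange(pdf: bytes) -> dict:
    """What a viewer checks: the two ranges must cover the whole file except
    exactly the /Contents hex string (from '<' to '>'), and the digest is
    computed over the bytes the ranges designate, nothing else."""
    m = BYTERANGE_RE.search(pdf)
    c = CONTENTS_RE.search(pdf)
    if not m or not c:
        raise ValueError("no /ByteRange or /Contents found")
    a, b, cstart, d = (int(x) for x in m.groups())
    lt = c.start() + c.group(0).index(b"<")   # offset of '<'
    gt = c.end() - 1                            # offset of '>'
    covered = pdf[a:a + b] + pdf[cstart:cstart + d]
    return {
        "byterange": (a, b, cstart, d),
        "gap_is_contents_value": a + b == lt and cstart == gt + 1,
        "covers_whole_file": a == 0 and cstart + d == len(pdf),
        "digest": hashlib.sha256(covered).hexdigest(),
    }


def tmpfile_digest(pdf: bytes) -> str:
    """What a signer that hashes 'the file with the /Contents value cut out'
    (keeping any blank before '<') actually signs over."""
    c = CONTENTS_RE.search(pdf)
    lt = c.start() + c.group(0).index(b"<")
    return hashlib.sha256(pdf[:lt] + pdf[c.end():]).hexdigest()


if __name__ == "__main__":
    sig = bytes(range(16))   # constructed stand-in for the PKCS#7 DER blob
    for label, pdf in (("exact gap", build_signed_pdf(sig)),
                       ("gap swallows blank", build_signed_pdf(sig, gap_includes_blank=True))):
        r = check_byterange(pdf)
        print(f"{label:20s} ByteRange={r['byterange']} gap==<..>: {r['gap_is_contents_value']} "
              f"whole file: {r['covers_whole_file']} "
              f"matches tmpfile: {r['digest'] == tmpfile_digest(pdf)}")
    # Unsigned bytes appended after the signed file: the signature still
    # verifies over its ranges, but the ranges no longer reach end of file.
    updated = build_signed_pdf(sig) + b"% unsigned incremental update\n"
    r = check_byterange(updated)
    print("update appended      whole file:", r["covers_whole_file"],
          "signature verifies over its range:",
          r["digest"] == tmpfile_digest(build_signed_pdf(sig)))
```

The first case is the one the patch aims at: the gap starts at '<' and ends right after '>', so the bytes a verifier hashes are the same bytes the signer hashed. In the second case the gap starts one byte early, so the blank between /Contents and '<' is hashed by the signer but skipped by the verifier, and the digests differ by that single byte. The third case separates the two checks: the digest is fine, but the ranges do not cover the whole file, which is what a viewer reports as a modification after signing.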


Thread overview: 12+ messages
2024-06-17 17:51 [NTG-context] " Pablo Rodriguez via ntg-context
2024-06-17 18:21 ` [NTG-context] " Henning Hraban Ramm
2024-06-17 18:36   ` Pablo Rodriguez via ntg-context
2024-06-17 22:52 ` Hans Hagen via ntg-context
2024-06-18  6:44   ` Pablo Rodriguez via ntg-context [this message]
2024-06-18  8:27     ` Hans Hagen via ntg-context
2024-06-18 16:26       ` Pablo Rodriguez via ntg-context
2024-06-18 16:42         ` Hans Hagen via ntg-context
2024-06-18 17:28           ` Pablo Rodriguez via ntg-context
2024-06-18 17:42             ` Pablo Rodriguez via ntg-context
2024-06-19  7:28               ` Hans Hagen via ntg-context
2024-06-19 16:59                 ` Pablo Rodriguez via ntg-context
