Closed replabrobin closed 5 years ago
Use other software than poppler's pdfsig, e.g. Apache PDFBox:
```
mak@tw520:~$ ShowSignature "" pdf-signed-cms.pdf
Signature found
Signature covers whole document
Modified: 31.07.2018 08:26:42
certFromSignedData: [
[
  Version: V3
  Subject: CN=USER 1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key: Sun RSA public key, 2048 bits
  params: null
  modulus: 27593122970324828393148015662278483774178105885814514844872684578988370088170479611958191510162184012390817116996325869898626358278712467164802857608115330565330893474792824888590259045617061627216882797904454911650100989334883667758478188887957920320977693420484927932172404569017526513366248181679899552529660575550111500440054761590965411407636396796187660396606840941741056171214365637751507847303881094715508099343923342027619993439561071528091268890104746243027170278289960701092409021019566943924526662416427694669652005929843457848612681520537764561853338758978739261541046213541261873915542899585530545803261
  public exponent: 65537
  Validity: [From: Fri Apr 26 19:38:18 CEST 2019,
               To: Sat Apr 25 19:38:18 CEST 2020]
  Issuer: CN=CA
  SerialNumber: [ d999e0a3 955e4735 aaa8ff51 b8a2f4ab]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9E F5 CA 35 80 C6 65 3B 63 8A C2 12 35 51 1E C9 ...5..e;c...5Q..
0010: D9 C8 4E F0 ..N.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

]
  Algorithm: [SHA256withRSA]
  Signature:
]
Certificate not yet valid at signing time
Certificate valid at signing time: Sat May 18 23:46:07 CEST 2019
Signature verified
Certificate is not self-signed
Exception in thread "main" org.apache.pdfbox.examples.signature.cert.CertificateVerificationException: No root certificate in the chain
    at org.apache.pdfbox.examples.signature.cert.CertificateVerifier.verifyCertificate(CertificateVerifier.java:142)
    at org.apache.pdfbox.examples.signature.ShowSignature.verifyCertificateChain(ShowSignature.java:493)
    at org.apache.pdfbox.examples.signature.ShowSignature.verifyPKCS7(ShowSignature.java:445)
    at org.apache.pdfbox.examples.signature.ShowSignature.showSignature(ShowSignature.java:185)
    at org.apache.pdfbox.examples.signature.ShowSignature.main(ShowSignature.java:110)
```
because my test certificate isn't known to Java apps
Let's Encrypt does not currently offer S/MIME certificates. See https://community.letsencrypt.org/t/s-mime-certificates/153 for a thread explaining why you can't use their SSL/TLS certificates for S/MIME.
In this case S/MIME means signing PDFs too.
https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx Their certificates are also useful for signing other documents.
Hi Grzegorz, thanks for all the information. Really useful. Sorry for the wrong-headed issue.
-- Robin Becker
This library has helped me in signing files made by reportlab. I found that the signed bytes should not include the < > markers in the /Content part of the file. Acrobat reader says the signature is corrupted if those bytes are made part of the signature so thanks for all the work.
However, I find that the pdfsig utility from poppler doesn't like the files produced by endesive. I see this:

```
$ pdfsig pdf-signed-fpdf.pdf
Digital Signature Info of: pdf-signed-fpdf.pdf
Signature #1:
```
If I modify pdf-sign-fpdf.py to use my test p12 file which is based on letsencrypt's chain (I have my cert + the letsencrypt intermediate).
```
$ pdfsig pdf-signed-fpdf.pdf
Digital Signature Info of: pdf-signed-fpdf.pdf
Signature #1:
```
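The point in the post above about keeping the `<` `>` markers out of the signed bytes can be checked mechanically from a file's `/ByteRange`. The following is an added example, not code from endesive or from the poster: it assumes a single signature, a SHA-256 digest, and a constructed signature-dictionary fragment (`build_sample` is a hypothetical helper) rather than a complete PDF.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]*>")


def signed_bytes(pdf: bytes) -> bytes:
    """Return the bytes /ByteRange covers; reject a gap that is not '<hex>'."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    if off1 != 0 or len1 > off2 or off2 + len2 > len(pdf):
        raise ValueError("malformed /ByteRange")
    # The excluded gap must be the whole signature value, '<' and '>' included.
    if not HEX_STRING.fullmatch(pdf[len1:off2]):
        raise ValueError("excluded gap is not exactly the <hex> signature value")
    return pdf[:len1] + pdf[off2:off2 + len2]


def byte_range_digest(pdf: bytes) -> str:
    """SHA-256 over the covered bytes (assumed digest algorithm)."""
    return hashlib.sha256(signed_bytes(pdf)).hexdigest()


def build_sample(shift: int = 0) -> bytes:
    """Constructed signature-dictionary fragment, not a complete PDF.

    shift=1 produces a /ByteRange that wrongly covers the '<' and '>' bytes.
    """
    value = b"<" + b"00" * 16 + b">"  # placeholder signature value
    fmt = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    head_len = len(fmt % (0, 0, 0, 0))  # fixed-width numbers keep offsets stable
    start2 = head_len + len(value)
    head = fmt % (0, head_len + shift, start2 - shift, len(tail) + shift)
    return head + value + tail


if __name__ == "__main__":
    print(byte_range_digest(build_sample()))
    try:
        signed_bytes(build_sample(shift=1))
    except ValueError as exc:
        print("rejected:", exc)
```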