Open alejandro-anv opened 1 year ago
Thanks for the issue! Unfortunately, Let's Encrypt is not part of the EU Trusted List - so, the "The verification of the signature/seal value was successful." means that the technical aspects of the signature are correct, but "Unable to build a valid certificate chain up to a trusted root certificate." hints that Let's Encrypt is not a "trusted root certificate" in the EU list. In order to "fix" this, you'd need a certificate from an EU trusted provider.
Ok so... could you guide me to make my own program that can verify at least my own signatures? Maybe open-pdf-sign has a feature for checking the signature?
At the moment, you can verify e.g. with Adobe Reader, if you trust the R3 anchor certificate.
I'm working at the moment on a verification mode for open-pdf-sign, you can hopefully expect that in the coming weeks.
That's actually pretty bad, the https://www.openpdfsign.org/ front page shows explicitly an example with Let's Encrypt together with signaturpruefung.gv.at but in fact it doesn't work as expected.
I'm using the command line to sign a PDF file with open-pdf-sign.jar using my Let's Encrypt certificate (the same one as for the web site). But when I try to check the validity I receive the following answer. I think Let's Encrypt certificates are only for SSL/TLS connections, but the documentation shows it can be used and the key information says it can be used for digital signature... Any help please?
Answer from signaturpruefung.gv.at
Time of signature/seal and verification resp. (UTC) | 2023-05-12T11:54:11Z
Signature/Seal | The verification of the signature/seal value was successful.
Certificate | Unable to build a valid certificate chain up to a trusted root certificate.
Type of signature/seal | PAdES
The Signature covers the following Byterange/s | 0,26006,44952,693
Type of signature algorithm | SHA256withRSA
Name | R3
Organization | Let's Encrypt
Country | US
Serialnumber | dec.: 318911464682352482121374563456332509393721728, hex.: 3a:35:1a:ff:48:3c:bf:23:6d:8f:79:71:00:00:e3:c9:98:0
Quality | non qualified certificate
Validity period | Valid from 2023-04-21T21:04:02Z to 2023-07-20T21:04:01Z. The given time of verification is within the validity period.
Key Usage | Digital Signature, Key Encipherment, TLS Web Server Authentication, TLS Web Client Authentication
Certification policy statement | http://cps.letsencrypt.org
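
The two result lines in the report above ("signature/seal value was successful" versus "unable to build a valid certificate chain") are separate checks, and which roots the verifier trusts decides the second one. The following is an added example, not part of this thread or of open-pdf-sign: it reproduces both outcomes with the `openssl` CLI on a detached CMS signature, the container a PAdES signature embeds. It assumes `openssl` is installed; the function names, file names and certificate subjects are hypothetical, and all keys, certificates and signed bytes are constructed on the fly.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and the signed bytes are generated here.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_root() {  # $1 = file prefix, $2 = subject CN (both hypothetical names)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

# "issuing" signs the signer certificate; "listed" stands in for a trust
# list that does not contain the issuer. The last step writes a detached
# CMS signature over doc.bin in DER form.
setup_demo() {
  make_root issuing "Constructed Issuing Root" &&
  make_root listed "Constructed Trust List Root" &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signer" \
    -keyout "$demo_dir/signer.key" -out "$demo_dir/signer.csr" 2>/dev/null &&
  openssl x509 -req -in "$demo_dir/signer.csr" -days 1 \
    -CA "$demo_dir/issuing.pem" -CAkey "$demo_dir/issuing.key" \
    -CAcreateserial -out "$demo_dir/signer.pem" 2>/dev/null &&
  printf 'bytes covered by the signature\n' > "$demo_dir/doc.bin" &&
  openssl cms -sign -binary -in "$demo_dir/doc.bin" -outform DER \
    -signer "$demo_dir/signer.pem" -inkey "$demo_dir/signer.key" \
    -out "$demo_dir/sig.der" 2>/dev/null
}

# verify_with none      -> check the signature value only (no chain building)
# verify_with <prefix>  -> the chain must also end at $demo_dir/<prefix>.pem
verify_with() {
  if [ "$1" = none ]; then set -- -noverify
  else set -- -CAfile "$demo_dir/$1.pem"; fi
  if openssl cms -verify -binary -inform DER -in "$demo_dir/sig.der" \
       -content "$demo_dir/doc.bin" "$@" -out /dev/null 2>/dev/null
  then echo ok; else echo fail; fi
}

setup_demo || { echo "openssl setup failed" >&2; exit 1; }
echo "signature value only:       $(verify_with none)"
echo "chain to trust-list root:   $(verify_with listed)"
echo "chain to own issuing root:  $(verify_with issuing)"
```

The middle case is the situation in the report: the signature is mathematically valid, but the verifier's trust list has no root that the signer's chain leads to.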