Bug 435379

Summary: Does not show TSA timestamp signature
Product: [Applications] okular Reporter: Antonis Tsolomitis <antonis.tsolomitis>
Component: PDF backendAssignee: Okular developers <okular-devel>
Status: CONFIRMED ---    
Severity: wishlist CC: aacid, swyterzone
Priority: NOR    
Version First Reported In: 20.12.3   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: The file is signed with freetsa.org timestamp
This file is signed without TSA timestamp (uploaded for comparison)
screenshot showing the two other files on okular. They appear identical although they are not.

Description Antonis Tsolomitis 2021-04-05 10:56:56 UTC 
SUMMARY
Does not show TSA timestamp signature

STEPS TO REPRODUCE
1. Sign a pdf document with jsignpdf have enabled timestamping (TSA). Say from the freetsa.org. Click TSA timestamp on the first jsignpdf screen
2. In the resulting window enable TSA timestamping with server https://freetsa.org/tsr   and hash method SHA-512
3. Sign the document

OBSERVED RESULT
The signed pdf opens in Okular and shows the user signature but there is no indication that there is a TSA timestamp


EXPECTED RESULT
PDF signature must show that the time is not the time of the user's computer but that of the TSA server.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION

I am not sure if there is ANY linux tool, even commandline, that can check a TSA timestamp. I have tried pdfsig on the commandline. No help.
Comment 1 Albert Astals Cid 2021-04-05 11:04:19 UTC 
Please attach such a PDF file.
Comment 2 Antonis Tsolomitis 2021-04-05 14:43:23 UTC 
Created attachment 137346 [details]
The file is signed with freetsa.org timestamp
Comment 3 Antonis Tsolomitis 2021-04-05 14:44:13 UTC 
Created attachment 137347 [details]
This file is signed without TSA timestamp (uploaded for comparison)
Comment 4 Antonis Tsolomitis 2021-04-05 14:47:15 UTC 
Created attachment 137348 [details]
screenshot showing the two other files on okular. They appear identical although they are not.

This is a screenshot showing the two other files opened on okular. They appear to be identical. However the file with the freetsa.org timestamp should somehow show that the creation time is verified by the freetsa.org timestamp authority and not by the user's computer clock. Acrobat separates these two files on this.
Comment 5 Swyter 2022-02-18 22:03:59 UTC 
This is important because without attaching a timestamp countersignature the document's signature will expire when the original certificate does, and it will still uphold the validity of the document if the certificate gets revoked down the line/after the fact.

It is also required for some official documents in the European Union. The fact that on Linux there is no Acrobat Reader and there is only two programs able to actually cryptographically-sign PDFs (Okular and jsignpdf). Only jsignpdf supports setting TSA default servers while signing, and once signed there is no visibility. So we still depend on Windows software to see if it actually worked.

So yeah, I'd add two needed improvements here (1) being able to choose and use TSA servers in Okular, and (2) being able to view countersignatures and show the validity of the combination of both (in green) like Adobe Reader does via top bar.