Bug 446298

Summary: PDF signature certificate chain validation
Product: [Applications] okular
Reporter: gustavo
Component: PDF backend
Assignee: Okular developers <okular-devel>
Status: ASSIGNED ---
Severity: wishlist
CC: nate
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Attachments:
- messages from Adobe Reader
- another message panel from Adobe Reader

Description gustavo 2021-11-30 20:43:12 UTC
Created attachment 144101
messages from Adobe Reader

I have recently checked that Poppler can provide both:

1. signed PDF content verification (i.e. content was not changed after signature)
2. identity verification, given trusted CA certificates (inserted into the Firefox NSS cert db)

Reference:

https://gitlab.freedesktop.org/poppler/poppler/-/issues/896#note_1172603

It seems to me that when Okular says "the signature is cryptographically valid" it refers to 1), which might not be 100% clear to whoever sees that message. Ideally Okular would be able to perform 1 and 2, like Poppler does, and display different messages depending on whether both checks are performed or only the first, so that the user understands the level of validation.

I am attaching the messages from Adobe Reader to illustrate the idea.
Comment 1 gustavo 2021-11-30 20:43:53 UTC
Created attachment 144102
another message panel from Adobe Reader
Comment 2 Bug Janitor Service 2024-01-24 20:12:18 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/okular/-/merge_requests/917