Bug 496604

Summary: signing PDF documents in Okular using EiDAS certificat generates signature of type adbe.pkcs7.detached instead of type ETSI.CAdES.detached
Product: [Applications] okular Reporter: Richard PALO <richard.palo>
Component: PDF backendAssignee: Okular developers <okular-devel>
Status: CONFIRMED ---    
Severity: normal CC: aacid
Priority: NOR    
Version First Reported In: 24.08.3   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Richard PALO 2024-11-23 08:36:42 UTC 
SUMMARY
Signing PDF with recent Okular creates signature non-compatible with the ETSI formats (CAdES/PAdES)
Chorus-pro (in France) now rejects documents signed with my EiDAS certificat as the verification tool 
with (in French, naturally):
Signature 1/1
Cette signature est mal formatée : champ manquant, valeur invalide, incohérence
Signature 1/1
Statut de la signature
 Au moins une erreur a été trouvée
Identifiant de la signature : {db739815-6935-4f56-8f3d-d1d3b955b63b}

STEPS TO REPRODUCE
1.  Open pdf document to sign
2.  sign the document, with the image being a facsimile of my handwritten signature+company stamp
3.  pdfsig -nocert on the new __signed file 

OBSERVED RESULT
Digital Signature Info of: AELOT9_signé.pdf
Signature #1:
  - Signature Field Name: {db739815-6935-4f56-8f3d-d1d3b955b63b}
  - Signer Certificate Common Name: Richard PALO
  - Signer full Distinguished Name: OID.2.5.4.97=NTRFR-441322385,serialNumber=cdef60dc95be86f4926592c28baeae6365968311,givenName=Richard,SN=PALO,CN=Richard PALO,OU=0002 441322385,O=BAOU,C=FR
  - Signing Time: Nov 20 2024 10:10:44
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 312764], [332766 - 333269]
  - Total document signed
  - Signature Validation: Signature is Valid.

EXPECTED RESULT
Digital Signature Info of: AELOT9_signé.pdf
Signature #1:
  - Signature Field Name: Signature1
  - Signer Certificate Common Name: Richard PALO
  - Signer full Distinguished Name: OID.2.5.4.97=NTRFR-441322385,serialNumber=cdef60dc95be86f4926592c28baeae6365968311,givenName=Richard,SN=PALO,CN=Richard PALO,OU=0002 441322385,O=BAOU,C=FR
  - Signing Time: Nov 21 2024 16:44:08
  - Signing Hash Algorithm: SHA-256
  - Signature Type: ETSI.CAdES.detached
  - Signed Ranges: [0 - 239409], [289411 - 290760]
  - Total document signed
  - Signature Validation: Signature is Valid.

(this was signed with LibreOffice)

By the way, cannot sign using pdfsig -add-signature -etsi either,
where I get the message '-etsi is not supported yet with -add-signature'


SOFTWARE/OS VERSIONS
Operating System: EndeavourOS 
KDE Plasma Version: 6.2.3
KDE Frameworks Version: 6.8.0
Qt Version: 6.8.0
Kernel Version: 6.6.62-1-lts (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 5500U with Radeon Graphics
Memory: 30.7 Gio of RAM
Graphics Processor: AMD Radeon Graphics
Manufacturer: ASUSTeK COMPUTER INC.
Product Name: MINIPC PN51-E1
System Version: 0509

ADDITIONAL INFORMATION
can be provided upon demand
Comment 1 Richard PALO 2024-11-23 08:52:34 UTC 
Adobe references:
https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html
Comment 2 Albert Astals Cid 2024-11-28 15:16:04 UTC 
Yeah we support  EiDAS certificates at the moment
Comment 3 Albert Astals Cid 2024-11-28 15:28:36 UTC 
I meant we don´t support it, sorry for the typo