Bug 435379 - Does not show TSA timestamp signature
Summary: Does not show TSA timestamp signature
Status: CONFIRMED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend (show other bugs)
Version: 20.12.3
Platform: Other Linux
: NOR wishlist
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-05 10:56 UTC by Antonis Tsolomitis
Modified: 2022-02-18 22:03 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
The file is signed with freetsa.org timestamp (171.83 KB, application/pdf)
2021-04-05 14:43 UTC, Antonis Tsolomitis
Details
This file is signed without TSA timestamp (uploaded for comparison) (167.32 KB, application/pdf)
2021-04-05 14:44 UTC, Antonis Tsolomitis
Details
screenshot showing the two other files on okular. They appear identical although they are not. (278.61 KB, image/jpeg)
2021-04-05 14:47 UTC, Antonis Tsolomitis
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Antonis Tsolomitis 2021-04-05 10:56:56 UTC
SUMMARY
Does not show TSA timestamp signature

STEPS TO REPRODUCE
1. Sign a pdf document with jsignpdf have enabled timestamping (TSA). Say from the freetsa.org. Click TSA timestamp on the first jsignpdf screen
2. In the resulting window enable TSA timestamping with server https://freetsa.org/tsr   and hash method SHA-512
3. Sign the document

OBSERVED RESULT
The signed pdf opens in Okular and shows the user signature but there is no indication that there is a TSA timestamp


EXPECTED RESULT
PDF signature must show that the time is not the time of the user's computer but that of the TSA server.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION

I am not sure if there is ANY linux tool, even commandline, that can check a TSA timestamp. I have tried pdfsig on the commandline. No help.
Comment 1 Albert Astals Cid 2021-04-05 11:04:19 UTC
Please attach such a PDF file.
Comment 2 Antonis Tsolomitis 2021-04-05 14:43:23 UTC
Created attachment 137346 [details]
The file is signed with freetsa.org timestamp
Comment 3 Antonis Tsolomitis 2021-04-05 14:44:13 UTC
Created attachment 137347 [details]
This file is signed without TSA timestamp (uploaded for comparison)
Comment 4 Antonis Tsolomitis 2021-04-05 14:47:15 UTC
Created attachment 137348 [details]
screenshot showing the two other files on okular. They appear identical although they are not.

This is a screenshot showing the two other files opened on okular. They appear to be identical. However the file with the freetsa.org timestamp should somehow show that the creation time is verified by the freetsa.org timestamp authority and not by the user's computer clock. Acrobat separates these two files on this.
Comment 5 Swyter 2022-02-18 22:03:59 UTC
This is important because without attaching a timestamp countersignature the document's signature will expire when the original certificate does, and it will still uphold the validity of the document if the certificate gets revoked down the line/after the fact.

It is also required for some official documents in the European Union. The fact that on Linux there is no Acrobat Reader and there is only two programs able to actually cryptographically-sign PDFs (Okular and jsignpdf). Only jsignpdf supports setting TSA default servers while signing, and once signed there is no visibility. So we still depend on Windows software to see if it actually worked.

So yeah, I'd add two needed improvements here (1) being able to choose and use TSA servers in Okular, and (2) being able to view countersignatures and show the validity of the combination of both (in green) like Adobe Reader does via top bar.