Subject: Okular in connection with DRM. In connection with the provision of non-public documents, which are provided in a a secure data room okular does not work. A data management system that is apparently created by Brainloop AG. Opening of *.pdf files only works with Adobe Reader, because the Adobe rights management is activated in the Secure Data Space and a user can therefore the user will always see a Brainmark file as a PDF file. A Brainmark file is the copy of the original file as an image or PDF, which is watermarked. This works apparently only in IOS and Win environments. After logging into this online "Secure Data Space" , it is not possible to open the documents with Okular. There follows a pop-up window that asks for a password that the user not has. If this file has been saved locally and the connection to the "Secure Data Room" is offline, the document cannot be opened. In my opinion, this does not exactly promote digital sovereignty away from mainstream software components such as Adobe Reader with all its security problems. Is there a DRM module EXISTING or PLANNED for Okular? --------------------------- SOFTWARE/OS VERSIONS okular Version: 20.04.2 System: Kernel: 5.3.18-lp152.78-default x86_64 bits: 64 Desktop: KDE Plasma 5.18.6 Distro: openSUSE Leap 15.2 Qt: 4.8.7 KDE Development Platform: 4.14.38 KDE Daemon: 4.14.38 kded5 5.71.0 plasmashell 5.18.6 Qt: 5.12.7 KDE Frameworks: 5.71.0 kf5-config: 1.0
I don’t really understand the situation. Can you make screenshots of it? (Of the error messages etc., not the sensitive documents.) Can you specify what kind of “secure data room” this is? A cloud storage? VPN? You say that you get a password dialog when you are online, and when you are offline you still can not open the document. This doesn’t sound like the file has been saved locally. Maybe you saved only a link to an URL of some cloud storage? Can you look at the Properties dialog of your file manager? Can you open other types of documents from this “secure data room”, e. g. .txt files? It would also be interesting which applications are able to do so. Maybe we can move this feature request to KIO then. > Is there a DRM module EXISTING or PLANNED for Okular? I don’t think so. There is an “Obey DRM limitations” checkbox in the config dialog. When you check it, you sometimes can’t print anymore. That is probably not what you are looking for. ;)
(In reply to David Hurka from comment #1) I thought that I've clearly described the situ. I think that the docs are provided in a cloud environment. See here: https://www.brainloop.com/en-gb/solutions/brainloop-boardroom/ 1) In the provided data environment (browser-based), you double-click a selected file to open. A message windows opens: Conversion in progress... changes to Document will be prepared for annotations.... Name_of_document.pdf Then an additional browser window pops up with the options to select how to open the file. Selection options are: browser okular (standard) Okular will be selected, because .pdf files are connected to okular viewer at the computer. A window pops up: KDE service for password storage The program "okular" has requested the opening of the password store "kdewallet". Please enter the password for it below. Then an additional window pops-up (in the started okular window): Please enter the password to read the document: The process ends here, because the user DOES NOT HAVE THIS PWD. 2) If you try to open a downloaded and locally saved file on the computer with okular, it cannot be openend with okular viewer. A window pops up: KDE service for password storage The program "okular" has requested the opening of the password store "kdewallet". Please enter the password for it below. Then an additional window pops-up (in the started okular window): Please enter the password to read the document: The process ends also here, because the user DOES NOT HAVE THIS PWD. Additionally if you try opening the file in a terminal, you get the following text message: $ okular Test_02.pdf qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 3272, resource id: 33674582, major code: 40 (TranslateCoords), minor code: 0 $
Thanks! I understand that your browser offered to open this remote document with Okular, or with the browser’s embedded PDF viewer. When Okular opens the file, it realizes that it is password protected, and wants to look for a password in kdewallet, or get it from you. kdewallet is password protected, that is why you get two password dialogs. > 1) In the provided data environment (browser-based), you double-click > a selected file to open. A message windows opens: > > Conversion in progress... > > changes to > > Document will be prepared for annotations.... > Name_of_document.pdf > > Then an additional browser window pops up with the options > to select how to open the file. > Selection options are: > browser > okular (standard) This procedure lets me think that the cloud service wants you to use a certain browser plugin (maybe the embedded PDF reader). And then they will tell the password only to this browser plugin. There is no way to tell such a password to Okular, or at least Brainloop does not use such a way. The reason for protecting the document with an unknown password is that you are not supposed to create copies of the document. If you save the document to disk, you will not receive the password, because you don’t use that plugin. > Opening of *.pdf files only works with Adobe Reader, because the > Adobe rights management is activated in the Secure Data Space and > a user can therefore the user will always see a Brainmark file as > a PDF file. > A Brainmark file is the copy of the original file as an image > or PDF, which is watermarked. Okay, you mention that it works with Adobe Reader. Then Adobe Reader probably has some interface for receiving a password from a browser, and then it doesn’t allow to save on disk anymore. I don’t think Okular can’t provide such an interface, because it is not proprietary. If it had such an interface, you could simply change the source code so that Okular allows saving to disk. Brainloop wouldn’t want to use it. But Adobe Reader may seem proprietary enough that Brainloop thinks using it is secure. (I really doubt that it is secure - what prevents you from making screenshots?) > [Contents of https://www.brainloop.com/en-gb/solutions/brainloop-boardroom/] Sometimes companies only want to look secure. Maybe we can provide this interface, and make Brainloop think the user will not uncheck the “Obey DRM limitations” checkbox, so they can use this interface while still looking secure?
Requested information provided. Please correct me if my conclusions in the above command are wrong.
Hi Dave, the interaction of components involved suggests the way you described and the way it works could be concluded that way. I'm convinced that adobe is no witchcraft and okular could be capable to open files in the necessary way. How to get the evidence that okular can handle the same opening that adobe apparently does?
I think first we need to know what communication happens from the Browser to Adobe Reader. I don’t have instance to a Brainloop room, and are not really interested in making my own, so I can not analyze what it is doing with Adobe Reader. I also don’t have the knowledge how to analyze such a communication. Maybe use this as a start: https://softwareengineering.stackexchange.com/questions/272019/communicating-between-browser-and-a-native-application-securely We could also ask Brainloop AG for support. Which features do you get in Adobe Reader? Can you save to disk? If it has an equivalent to File -> Properties, what does it show?