Bug 446298 - PDF signature certificate chain validation
Summary: PDF signature certificate chain validation
Alias: None
Product: okular
Classification: Applications
Component: PDF backend
Version: unspecified
Platform: Other Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: Okular developers
Depends on:
Reported: 2021-11-30 20:43 UTC by gustavo
Modified: 2024-06-26 12:48 UTC

messages from Adobe Reader (53.01 KB, image/png)
2021-11-30 20:43 UTC, gustavo
another message panel from Adobe Reader (209.55 KB, image/png)
2021-11-30 20:43 UTC, gustavo

Description gustavo 2021-11-30 20:43:12 UTC
Created attachment 144101
messages from Adobe Reader

I have recently checked that Poppler can provide both:

1. signed PDF content verification (i.e. content was not changed after signature)
2. identity verification, given trusted CA certificates (inserted into the Firefox NSS cert db)

It seems to me that when Okular says "the signature is cryptographically valid", it refers to 1), which might not be 100% clear to whoever sees that message. Ideally Okular would be able to perform 1 and 2, like Poppler does, and display different messages depending on whether both checks are performed or only the first, so that the user understands the level of validation.

I am attaching the messages from Adobe Reader to illustrate the idea.
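
The two validation levels described in this report, as an added example that is not Okular's or Poppler's code: the enums are trimmed stand-ins modelled on Poppler's signature and certificate status values, and `Level`, `classify`, `message` and `documentLevel` are hypothetical names. It maps the pair of results to distinct verdicts so that a valid digest alone is never presented as a trusted signer.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Stand-ins modelled on Poppler's two status enums (assumption: local copies
// so the example builds without Poppler; not the library's own declarations).
enum class SigStatus { Valid, Invalid, DigestMismatch, DecodingError, GenericError, NotFound, NotVerified };
enum class CertStatus { Trusted, UntrustedIssuer, UnknownIssuer, Revoked, Expired, GenericError, NotVerified };

// Hypothetical verdict levels, ordered from worst to best.
enum class Level { Broken, CertRejected, IntegrityOnly, IntegrityAndIdentity };

struct Signature { SigStatus sig; CertStatus cert; };

Level classify(const Signature &s) {
    if (s.sig != SigStatus::Valid) return Level::Broken;        // check 1 failed or never ran
    switch (s.cert) {
    case CertStatus::Trusted:     return Level::IntegrityAndIdentity;
    case CertStatus::NotVerified: return Level::IntegrityOnly;  // check 2 was not performed
    default:                      return Level::CertRejected;   // check 2 ran and failed
    }
}

std::string message(Level l) {
    switch (l) {
    case Level::IntegrityAndIdentity:
        return "Content unchanged since signing; signer certificate chains to a trusted CA.";
    case Level::IntegrityOnly:
        return "Content unchanged since signing; signer identity was NOT checked.";
    case Level::CertRejected:
        return "Content unchanged since signing, but the signer certificate is not trusted.";
    case Level::Broken: break;
    }
    return "The signature could not be validated.";
}

// A document is rated by its weakest signature; no signatures counts as Broken.
Level documentLevel(const std::vector<Signature> &sigs) {
    Level worst = sigs.empty() ? Level::Broken : Level::IntegrityAndIdentity;
    for (const Signature &s : sigs) worst = std::min(worst, classify(s));
    return worst;
}

int main() {
    // Constructed sample: one fully trusted signature, one with an unknown issuer.
    std::vector<Signature> doc = {{SigStatus::Valid, CertStatus::Trusted}, {SigStatus::Valid, CertStatus::UnknownIssuer}};
    std::cout << message(documentLevel(doc)) << '\n';
}
```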
Comment 1 gustavo 2021-11-30 20:43:53 UTC
Created attachment 144102
another message panel from Adobe Reader
Comment 2 Bug Janitor Service 2024-01-24 20:12:18 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/okular/-/merge_requests/917
Comment 3 Sune Vuorela 2024-06-26 12:48:28 UTC
Git commit 0bd2c9cfa0304734572a2a36a7fbce8e74dcb8ff by Sune Vuorela.
Committed on 26/06/2024 at 12:02.
Pushed by sune into branch 'master'.

Use async signature validation

Also, show information about the validity of the certificate used for
the signature

M  +26   -0    core/form.h
M  +9    -8    core/signatureutils.h
M  +27   -0    generators/poppler/formfields.cpp
M  +10   -0    generators/poppler/formfields.h
M  +4    -0    generators/poppler/pdfsignatureutils.cpp
M  +1    -0    generators/poppler/pdfsignatureutils.h
M  +2    -0    gui/signatureguiutils.cpp
M  +10   -1    gui/signaturemodel.cpp