SUMMARY
***
I have a USB smartcard with my credentials, which I'd like to use to sign pdf files. However, okular keeps asking for the password in an infinite loop, without actually applying a signature.
***

STEPS TO REPRODUCE
1. Open document, select 'digitally sign' and draw a rectangle for the signature.
2. Select the certificate (1 of 2) on the smartcard.
3. Enter password -> enter password -> enter password -> ...

OBSERVED RESULT
okular needs to be killed to get out of the infinite password prompts.

EXPECTED RESULT
The signature is applied in the drawn rectangle after the password has been entered.

SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma: Kubuntu 22.04
(available in About System)
KDE Plasma Version: 5.25.5
KDE Frameworks Version: 5.98.0
Qt Version: 5.13.3

ADDITIONAL INFORMATION
Digital signing works OK with a soft certificate (p12 or pfx) imported into the Mozilla certificate store. However, it does not work with the (Gemalto) smartcard, which is also imported into the Mozilla certificate store. The smartcard is using the module /usr/lib/libeTPkcs11.so. Firefox can use the certificate for identification purposes.

Hello, I seem to be facing a similar issue, if not the same. Everything works in the same way the OP described, until after the signature rectangle has been drawn. There, instead of being asked for the signature PIN, the okular window enters a "not responding" state and no popup seems to be produced.

I'm also using NSS from firefox, with Thales (Gemalto) Safenet 5110 CC with Safenet Authentication Client 10.8 R1 (10.8.1050.0). Similarly, it seems to work OK with firefox.

This behaviour is observed under Wayland; I'll try with X11 later and report the result on X11 as well. Thanks!

I can confirm this also happens under X11.

Versions:
* KDE Frameworks Version 5.108.0
* plasma-desktop-5.27.6
* okular-23.04.3
* Qt Version 5.15.10 (built against 5.15.10)
* wayland-1.22.0
* xorg-server-21.1.8
* poppler-23.07.0

I am on Okular Version 23.04.3 (opensuse Tumbleweed with wayland). For me, signing with my Belgium ID card in the smart card reader works.

1) I select digitally sign and draw a box
2) I choose the signing cert (in a dropbox with also an authorisation cert)
3) I enter the PIN
4) I get asked for a document password and click ok without providing a password
5) I get a file save dialogue and pick a filename
6) I enter the PIN a second time
7) the new signed document is open in Okular with a signature stamp and electronic signature attached to the original PDF.

In my firefox default profile pkcs11.txt, I have at the end:

library=libbeidpkcs11.so.0
name=Belgium eID PKCS#11 module
NSS=slotParams={0x00000000=[slotFlags=PublicCerts ] }

So with this shared library, it seems to work, even though the PIN has to be entered twice and a document password as well for no obvious reason.

(In reply to Robert Riemann from comment #3)
> So with this shared library, it seems to work, even though the PIN has to be
> entered twice and a document password as well for no obvious reason.

What version of poppler (The underlying pdf library) are you using ?

The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.

> What version of poppler (The underlying pdf library) are you using ?
>
> The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.

I am using Poppler 23.06.0 with PDF Backend 0.6.5. Do you have a link on the poppler bug report? If it is already merged in 23.06.0 I may reopen it.

(In reply to Robert Riemann from comment #5)
> > What version of poppler (The underlying pdf library) are you using ?
> >
> > The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.
>
> I am using Poppler 23.06.0 with PDF Backend 0.6.5. Do you have a link on the
> poppler bug report? If it is already merged in 23.06.0 I may reopen it.

There is no bug report on it. I noticed it while doing other stuff.

https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1339 is the merge request.

Still the case with
- okular 23.08.5
- KDE framework 5.115.0
- Qt 5.15.12
- libpoppler-qt5-1 24.02.0

Could this be caused by the fact that the smart card holds *two* certificates? One is for "Digital Signature, Key Encipherment", the other one for "Non-Repudiation". They are both listed as options to choose from for signature, but then okular goes into the infinite loop of asking for the password again and again.

Thunderbird also has an issue with the certificates on the smart card. It recognises only one for "Non-Repudiation" as useable for signing e-mails, claiming that there is none suitable for encryption.

It seems to be caused by the fact that there are two certificates on the card. Signing documents with okular suddenly worked as advertised, after I accidentally had deleted the one for "Non-repudiation". It's now been restored by the issuer of the card and signing is not possible anymore with okular; it goes into the endless loop of password requests.