Bug 469705 - okular does not find any certificate for digital signing
Summary: okular does not find any certificate for digital signing
Status: REPORTED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend
Version: 23.04.0
Platform: openSUSE Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-13 16:39 UTC by Philippe ROUBACH
Modified: 2023-10-16 10:49 UTC
CC: 5 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
backend settings (135.39 KB, image/png)
2023-10-02 15:18 UTC, Philippe ROUBACH
no gpg certificate (2.27 MB, image/png)
2023-10-13 08:12 UTC, Philippe ROUBACH

Description Philippe ROUBACH 2023-05-13 16:39:04 UTC
Here are all my certificates

~> find ~ -name "cert9.db"
~/.mozilla/firefox/sv1r6rd3.default-esr78/cert9.db
~/.mozilla/firefox/9y66b0sk.default-release/cert9.db
~/.pki/nssdb/cert9.db

Kleopatra finds my certificates.

I can digitally sign my mails with kmail.


I tried all the paths.

I get a message saying there is no digital certificate.


SOFTWARE/OS VERSIONS
Operating System: openSUSE Tumbleweed 20230511
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.105.0
Qt Version: 5.15.9
Comment 1 Philippe ROUBACH 2023-05-15 07:14:37 UTC
kleopatra, kmail, LibreOffice find the same list of certificates, not okular!
Comment 2 Philippe ROUBACH 2023-05-15 07:15:39 UTC
Launching okular in konsole gives no error message about the certificate db.

I made the following experiment with "~/pki/nssdb/".

I uninstall okular, then I install the snap version of okular from "app.kde.store".

Furthermore, I launch this snap version in konsole.

I get a message saying "bad database".

In ./pki/nssdb/ there are:

cert9.db
key4.db
pkcs11.txt

Also, I found that the certificates I can see in kleopatra, kmail and LibreOffice are in ~/gnupg/ and the format is not the same as in the "nssdb" folders.
Comment 3 Philippe ROUBACH 2023-05-15 07:16:08 UTC
It's strange because in an issue in gitlab about poppler I read that the code for digital signing in poppler is a copy of the code in LibreOffice.

see https://gitlab.freedesktop.org/poppler/poppler/-/issues/465
Comment 4 Sune Vuorela 2023-05-15 10:25:31 UTC
(In reply to Philippe ROUBACH from comment #3)
> It's strange because in an issue in gitlab about poppler I read that the
> code for digital signing in poppler is a copy of the code in LibreOffice.
> 
> see https://gitlab.freedesktop.org/poppler/poppler/-/issues/465

The LibreOffice code can interact with both nss and the gpg keystore.

Poppler currently can only interact with the nss keystore (there are patches under review also letting poppler, and then also okular, interact with the gpg keystore).

KMail and Kleopatra only use the gpg keystore.

You can ask poppler about its available keys with the pdfsig utility, like

`pdfsig -nssdir ~/.pki/nssdb/ -list-nicks`

and see what's available.
Comment 5 Philippe ROUBACH 2023-05-15 10:29:01 UTC
pdfsig -nssdir ~/.pki/nssdb/ -list-nicks
There are no certificates available.
Comment 6 Philippe ROUBACH 2023-05-15 10:32:23 UTC
It seems that kde policy is to use the gpg store. Why not okular?
Comment 7 Sune Vuorela 2023-05-15 10:33:21 UTC
(In reply to Philippe ROUBACH from comment #6)
> It seems that kde policy is to use the gpg store. Why not okular?

It's coming.
Comment 8 Ovidiu-Florin BOGDAN 2023-08-21 18:39:21 UTC
I had this issue as well. My solution for this was to go in the Okular PDF platforms settings and ensure that the Firefox profile that Okular looks in is the same one that Firefox is using.

In my case Okular was looking in a non-existing directory by default. As soon as I changed it to the proper path the certificate appeared and was usable.
Comment 9 Sune Vuorela 2023-10-02 12:38:16 UTC
(In reply to Philippe ROUBACH from comment #6)
> It seems that kde policy is to use the gpg store. Why not okular?

This was released as part of okular 23.08 (requires a similar new-ish poppler library, at least 23.07)
Comment 10 Philippe ROUBACH 2023-10-02 13:40:03 UTC
okular 23.08.1
poppler 23.09

Issue still there:
okular by default does not point to ~/.gnupg/ and when we customize the path to ~/.gnupg/ then okular does not find any key. Certainly because it knows only the NSS format.
Comment 11 Sune Vuorela 2023-10-02 13:58:54 UTC
(In reply to Philippe ROUBACH from comment #10)
> okular 23.08.1
> poppler 23.09
> 
> Issue still there:
> okular by default does not point to ~/.gnupg/ and when we customize the path
> to ~/.gnupg/ then okular does not find any key. Certainly because it knows
> only the NSS format.

Did you select gnupg in the backend dropdown?

/Sune
Comment 12 Philippe ROUBACH 2023-10-02 15:18:09 UTC
Created attachment 162025 [details]
backend settings

See the settings
Comment 13 Albert Astals Cid 2023-10-02 20:39:48 UTC
> It seems that kde policy is to use gpg store

There is no such policy.
Comment 14 Sune Vuorela 2023-10-03 06:40:09 UTC
(In reply to Philippe ROUBACH from comment #12)
> Created attachment 162025 [details]
> backend settings
> 
> See the settings

Please file a bug report to whomever provides your poppler binaries.
Comment 15 Philippe ROUBACH 2023-10-03 06:45:21 UTC
(In reply to Sune Vuorela from comment #14)
> (In reply to Philippe ROUBACH from comment #12)
> > Created attachment 162025 [details]
> > backend settings
> > 
> > See the settings
> 
> Please file a bug report to whomever provides your poppler binaries.

Are you saying the issue is solved, or what?
Comment 16 Sune Vuorela 2023-10-03 07:45:01 UTC
(In reply to Philippe ROUBACH from comment #15)
> (In reply to Sune Vuorela from comment #14)
> > (In reply to Philippe ROUBACH from comment #12)
> > > Created attachment 162025 [details]
> > > backend settings
> > > 
> > > See the settings
> > 
> > Please file a bug report to whomever provides your poppler binaries.
> 
> Are you saying the issue is solved, or what?

There are unfortunately 2-3 issues in this bug thread.

But one of them is that your certificates seen with kleopatra cannot be used with okular.

If your recent poppler is built with gpgme support (and gnupg 2.4.1 or later is available), okular can use the same certificate store as kleopatra.

You have the new okular that has the dropdown where it should be possible to select gpg, but the underlying poppler is not built with gpg support, so it isn't there. 

That you need to take up with whomever delivers your binaries.
Comment 17 Philippe ROUBACH 2023-10-03 08:17:03 UTC
Thanks

If I understand well, we need:
- okular default certificate folder is ~.gnupg
- gpg 2.4.1 or later
- we need poppler built with gpgme support.

Right?
Comment 18 Philippe ROUBACH 2023-10-03 08:28:59 UTC
I sent a report to openSUSE

https://bugzilla.opensuse.org/show_bug.cgi?id=1215890
Comment 19 Sune Vuorela 2023-10-03 08:30:01 UTC
(In reply to Philippe ROUBACH from comment #17)
> Thanks
> 
> If I understand well, we need:
> - okular default certificate folder is ~.gnupg
> - gpg 2.4.1 or later
> - we need poppler built with gpgme support.
> 
> Right?

Point 1 is slightly wrong.
Okular still uses NSS by default with whatever certificate paths.

You now have a configuration option in the dialog to select gnupg or nss, if poppler supports it, in the dialog you showed earlier.
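The store-format mismatch this thread keeps running into (comments 2, 4 and 19: an NSS database holding cert9.db/key4.db versus a GnuPG home holding pubring.kbx, and which backend in Okular's dialog can read which), as an added Python example written for this thread. It is not code from Okular, poppler or GnuPG. It classifies a directory by the files NSS and GnuPG actually create and reports whether the selected backend can use it; the sample directories are constructed placeholders, and the `check_backend` pairing of backend name and path is this example's own assumption about how the dialog's two settings combine.

```python
"""Tell an NSS certificate database apart from a GnuPG home directory.

poppler's NSS backend (the path Okular calls the certificate database) reads
cert9.db/key4.db, while Kleopatra, KMail and poppler's gpgme backend read
~/.gnupg (pubring.kbx). Added example for this bug thread, not Okular, poppler
or GnuPG code. The demo directories are constructed placeholders, not key material."""
import os
import tempfile

# First 16 bytes of every SQLite 3 file; cert9.db and key4.db are SQLite databases.
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify_store(path):
    """Return 'nss-sqlite', 'nss-legacy', 'nss-corrupt', 'gnupg' or 'unknown'."""
    names = set(os.listdir(path)) if os.path.isdir(path) else set()
    if "cert9.db" in names and "key4.db" in names:
        with open(os.path.join(path, "cert9.db"), "rb") as fh:
            head = fh.read(len(SQLITE_MAGIC))
        # A cert9.db that is not SQLite is what NSS reports as a "bad database".
        return "nss-sqlite" if head == SQLITE_MAGIC else "nss-corrupt"
    if "cert8.db" in names and "key3.db" in names:
        return "nss-legacy"  # Berkeley DB layout of older NSS / Firefox profiles
    if "pubring.kbx" in names or "private-keys-v1.d" in names:
        return "gnupg"
    return "unknown"


def check_backend(backend, path):
    """(usable, explanation) for a backend/path pair; assumed dialog semantics."""
    kind = classify_store(path)
    if backend == "nss":
        if kind in ("nss-sqlite", "nss-legacy"):
            return True, "NSS database found; list nicknames with: pdfsig -nssdir %s -list-nicks" % path
        if kind == "gnupg":
            return False, "NSS backend pointed at a GnuPG home (pubring.kbx); NSS cannot read the keybox format, so no certificates are listed"
        if kind == "nss-corrupt":
            return False, "cert9.db present but not a SQLite file; NSS will report a bad database"
        return False, "no cert9.db/key4.db here; check the Firefox profile path or use ~/.pki/nssdb"
    if backend == "gnupg":
        if kind == "gnupg":
            return True, "GnuPG home found; only X.509 certificates with a private key appear, compare: gpgsm --list-secret-keys"
        return False, "gnupg backend needs a GnuPG home (pubring.kbx), not an NSS database"
    return False, "unknown backend %r" % backend


def make_demo_stores():
    """Create constructed sample directories and return {name: path}."""
    root = tempfile.mkdtemp(prefix="okular-store-demo-")
    nss = os.path.join(root, "nssdb")
    os.mkdir(nss)
    with open(os.path.join(nss, "cert9.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)  # placeholder: header bytes only
    for name in ("key4.db", "pkcs11.txt"):
        open(os.path.join(nss, name), "wb").close()
    gnupg = os.path.join(root, "gnupg")
    os.mkdir(gnupg)
    open(os.path.join(gnupg, "pubring.kbx"), "wb").close()
    os.mkdir(os.path.join(gnupg, "private-keys-v1.d"))
    bad = os.path.join(root, "bad")
    os.mkdir(bad)
    for name in ("cert9.db", "key4.db"):
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(b"not a database")  # constructed corrupt database
    return {"nssdb": nss, "gnupg": gnupg, "bad": bad,
            "missing": os.path.join(root, "does-not-exist")}


if __name__ == "__main__":
    for name, path in make_demo_stores().items():
        for backend in ("nss", "gnupg"):
            usable, why = check_backend(backend, path)
            print("%-8s %-6s %s %s" % (name, backend, "OK" if usable else "NO", why))
```

Run it against a real profile with `check_backend("nss", os.path.expanduser("~/.pki/nssdb"))`: the "nss" + "gnupg" combination is exactly the configuration from comment 10, and the reason string explains why that dialog shows an empty list.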
Comment 20 Philippe ROUBACH 2023-10-03 12:42:56 UTC
See the answer from openSUSE

https://bugzilla.suse.com/show_bug.cgi?id=1215890#c1
Comment 21 Philippe ROUBACH 2023-10-03 12:43:59 UTC
Why does Okular not use the same technology as kleopatra, kmail or LibreOffice?
Comment 22 Sune Vuorela 2023-10-03 12:50:31 UTC
(In reply to Philippe ROUBACH from comment #21)
> Why does Okular not use the same technology as kleopatra, kmail or
> LibreOffice?

The work I did in poppler uses the exact same technology as kleopatra and kmail. Unfortunately there were a few bugs in the way. They were fixed in gnupg 2.4.1.

Why openSUSE has buggy QA scripts, that's a good question. But I have submitted a patch for that to them.
Comment 23 Philippe ROUBACH 2023-10-03 14:07:23 UTC
(In reply to Sune Vuorela from comment #22)
> (In reply to Philippe ROUBACH from comment #21)
> > Why does Okular not use the same technology as kleopatra, kmail or
> > LibreOffice?
> 
> The work I did in poppler uses the exact same technology as kleopatra and
> kmail. Unfortunately there were a few bugs in the way. They were fixed in
> gnupg 2.4.1.
> 
> Why openSUSE has buggy QA scripts, that's a good question. But I have
> submitted a patch for that to them.

Thanks
Comment 24 Philippe ROUBACH 2023-10-13 08:12:32 UTC
Created attachment 162271 [details]
no gpg certificate

Hello

openSUSE Tumbleweed supplies:
- gpg2 2.4.3
- poppler built with gpgme support.

Okular still does not find any gpg certificate.

See the capture.
Comment 25 Sune Vuorela 2023-10-16 07:43:23 UTC
(In reply to Philippe ROUBACH from comment #24)
> Created attachment 162271 [details]
> no gpg certificate
> 
> Hello
> 
> openSUSE Tumbleweed supplies:
> - gpg2 2.4.3
> - poppler built with gpgme support.
> 
> Okular still does not find any gpg certificate.
> 
> See the capture.

And you have your x509 certificates in your gpg store ?

What does `gpgsm --list-secret-keys` output ?
Comment 26 Philippe ROUBACH 2023-10-16 08:33:42 UTC
:~> gpgsm --list-secret-keys
/home/roubach/.gnupg/pubring.kbx
--------------------------------
Comment 27 Philippe ROUBACH 2023-10-16 08:36:31 UTC
>> And you have your x509 certificates in your gpg store ?

Why do you speak about x509 certificates?

I speak about gpg certificates. Those found and used by kmail, LibreOffice, kleopatra for digital signing.
Comment 28 Sune Vuorela 2023-10-16 10:13:53 UTC
(In reply to Philippe ROUBACH from comment #27)
> >> And you have your x509 certificates in your gpg store ?
> 
> Why do you speak about x509 certificates?
> 
> I speak about gpg certificates. Those found and used by kmail, LibreOffice,
> kleopatra for digital signing.

openpgp certificates are not specified to be used for pdf files.

For that we need CMS - https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax - and CAdES - https://en.wikipedia.org/wiki/CAdES_(computing) - according to the pdf specification section 12.8.

I have not seen anyone specifying CMS with openpgp keys, only with x509 certificates.
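What comment 28 says about the PDF specification can be checked against a file directly: section 12.8 only defines CMS/CAdES-based (and one PKCS#1) `/SubFilter` values, all of which identify the signer with an X.509 certificate, and the `/Contents` of such a signature is a DER CMS `SignedData` structure. The following is an added Python example written for this thread, not poppler or Okular code. It reports, for each signature dictionary in a PDF, the declared `/SubFilter`, whether the specification defines it, and whether `/Contents` starts a CMS `SignedData`. The PDF below is constructed by hand; its `/Contents` values are stubs carrying only the CMS header bytes (or junk), and `/OpenPGP.detached` is a made-up value included to show that nothing of the kind exists in the specification.

```python
"""Report the signature technology each signature dictionary in a PDF declares.

Added example for this bug thread, not poppler or Okular code. Scans the
flat (un-nested) dictionaries of a PDF for /Type /Sig entries, reads their
/SubFilter and checks that /Contents begins a CMS SignedData ContentInfo."""
import binascii
import re

# /SubFilter values defined by the PDF specification (ISO 32000, 12.8.3). Every
# one is CMS/CAdES based or PKCS#1 with an X.509 certificate; none is OpenPGP.
SUBFILTERS = {
    "adbe.x509.rsa_sha1":  "PKCS#1 signature, X.509 certificate in /Cert",
    "adbe.pkcs7.detached": "CMS (PKCS#7) detached signature, X.509 certificate",
    "adbe.pkcs7.sha1":     "CMS (PKCS#7) over a SHA-1 digest, X.509 certificate (legacy)",
    "ETSI.CAdES.detached": "CAdES (CMS profile) detached signature, X.509 certificate",
    "ETSI.RFC3161":        "RFC 3161 timestamp token (CMS)",
}

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.7.2 (id-signedData), the
# content type at the start of every CMS signature embedded in a PDF.
ID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

OBJ = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
SIG_TYPE = re.compile(rb"/Type\s*/Sig\b")
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
CONTENTS = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")


def inspect_signatures(pdf):
    """Return one dict per /Type /Sig object found in the PDF bytes."""
    found = []
    for m in OBJ.finditer(pdf):
        body = m.group(2)
        if not SIG_TYPE.search(body):
            continue
        sf = SUBFILTER.search(body)
        name = sf.group(1).decode() if sf else None
        cm = CONTENTS.search(body)
        blob = binascii.unhexlify(re.sub(rb"\s", b"", cm.group(1))) if cm else b""
        found.append({
            "object": int(m.group(1)),
            "subfilter": name,
            "standard": name in SUBFILTERS,
            "technology": SUBFILTERS.get(name, "not defined by the PDF specification"),
            # A CMS ContentInfo is a DER SEQUENCE (0x30) whose first element is
            # the id-signedData OID; a real verifier would parse the full ASN.1.
            "contents_is_cms": blob[:1] == b"\x30" and ID_SIGNED_DATA in blob,
        })
    return found


# Constructed sample: one CAdES signature with a stub CMS header, and one
# signature using the made-up value /OpenPGP.detached with junk contents.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /AcroForm << /Fields [4 0 R] /SigFlags 3 >> >>\nendobj\n"
    b"4 0 obj\n<< /FT /Sig /T (Signature1) /V 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
    b"   /ByteRange [0 123 456 789] /Contents <3080" + ID_SIGNED_DATA.hex().encode() + b"a080> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /OpenPGP.detached\n"
    b"   /Contents <c3000102> >>\nendobj\n"
)

if __name__ == "__main__":
    for sig in inspect_signatures(SAMPLE_PDF):
        print("obj %(object)d: /SubFilter %(subfilter)s -> %(technology)s; "
              "CMS SignedData: %(contents_is_cms)s" % sig)
```

Against a real file (`inspect_signatures(open("signed.pdf", "rb").read())`) this answers the question in the thread from the document side: any signature a conforming reader will validate declares one of the listed `/SubFilter` values and carries a CMS blob, which is why the signing backends in poppler work with X.509 certificates from NSS or gpgsm rather than OpenPGP keys.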
Comment 29 Sune Vuorela 2023-10-16 10:16:02 UTC
(In reply to Philippe ROUBACH from comment #26)
> :~> gpgsm --list-secret-keys
> /home/roubach/.gnupg/pubring.kbx
> --------------------------------

So okular's dialog matches what you have in the keyring. That's expected.
Comment 30 Philippe ROUBACH 2023-10-16 10:29:22 UTC
>> openpgp certificates are not specified to be used for pdf files.
>>
>> For that we need CMS - https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax - and CAdES - https://en.wikipedia.org/wiki/CAdES_(computing) - according to the pdf specification section 12.8.
>>
>> I have not seen anyone specifying CMS with openpgp keys, only with x509 certificates.

It is too techie for me. What I understand is:
- the pdf standard for digital signing is only using a x509 certificate.
- in the standard, there is no way for digital signing with an OpenPGP certificate.

Right?
Comment 31 Sune Vuorela 2023-10-16 10:49:16 UTC
> It is too techie for me. What I understand is:
> - the pdf standard for digital signing is only using a x509 certificate.
> - in the standard, there is no way for digital signing with an OpenPGP
> certificate.
> 
> Right?

Correct. 

And for added knowledge:
 - LibreOffice can do some operations using OpenPGP, and other operations using x509
 - Kleopatra works with both OpenPGP keys and x509 certificates for different and similar things
 - KMail can sign and verify both with OpenPGP and with x509 (S/MIME)
 - GnuPG has tools to work with OpenPGP keys (gpg) and with x509 certificates (gpgsm)