desktop-packages team mailing list archive

Thread
Date

[Bug 740506]

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Markus Kilås <digital@xxxxxxxxxxxxxx>
Date: Sat, 24 Oct 2015 14:32:14 -0000
Reply-to: Bug 740506 <740506@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Created attachment 119174
Handle SEC_ERROR_UNTRUSTED_ISSUER

When verifying a PDF signed by a certificate issued by a CA not in the
trust store I would expect to get an error "Certificate isn't Trusted"
however currently the error message actually is the more generic
"Unknown issue with Certificate or corrupted data".

I tested with http://wwwpriv.primekey.se/~markus/pdfsigner/test-pdfs
/signserver-res-test-pdf/sample-signed.pdf:

[user@dev-21 utils]$ ./pdfsigverify ~/Downloads/signserver-res-test-pdf/sample-signed.pdf 
Digital Signature Info of: /home/user/Downloads/signserver-res-test-pdf/sample-signed.pdf
Signature #1:
  - Signer Certificate Common Name: Signer 2
  - Signing Time: Nov 23 2011 17:09:42
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Unknown issue with Certificate or corrupted data.

Then after adding http://wwwpriv.primekey.se/~markus/pdfsigner/test-pki
/signserver-res-test-dss10/DSSRootCA10.cacert.pem as trusted in Firefox:

[user@dev-21 utils]$ ./pdfsigverify ~/Downloads/signserver-res-test-pdf/sample-signed.pdf 
Digital Signature Info of: /home/user/Downloads/signserver-res-test-pdf/sample-signed.pdf
Signature #1:
  - Signer Certificate Common Name: Signer 2
  - Signing Time: Nov 23 2011 17:09:42
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate is Trusted.

The attached patch adds the NSS error code for untrusted issuer so the
error will be "Certificate isn't trusted".

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/740506

Title:
  verify digital signatures

Status in Evince:
  Confirmed
Status in Poppler:
  Confirmed
Status in poppler package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: evince

  This is a feature request to verify digital signatures.  I'm receiving more and more digitally signed PDF's and evince already acknowledges them with:
  Signature Not Verified
  Digitally signed by <signer>
  Date:  <time stamp>
  Reason: <reason>
  Location: <location>
  but it would be great if Evince would be integrated into the distro's ca-certificate infrastructure to verify these signatures.

To manage notifications about this bug go to:
https://bugs.launchpad.net/evince/+bug/740506/+subscriptions