Digital signatures

user253 · October 7, 2015, 2:00am

Hello.

Can someone help me with digital signatures?

I tried LO 5.0.2, 4.4.5.2 and even AOO 4.1.1 on windows server 2008 r2.

I have imported root CA certificate. I have copied private and public keys to registry from token.
My certificate is valid.

When i use "File - Digital signatures" and try to add one to document - nothing happens.
I can see my certificate details from LO dialog, but when i select it and press OK - none added to document.

Document - ODT file.

No errors or other messages appeared.

user253 · October 12, 2015, 2:14am

No one here used signatures?
No one can help or give some advices to resolve problem?

Alan_B · October 12, 2015, 12:09pm

Sorry Евгений, I have only used self signed and only a few times.

Philip_Jackson · October 12, 2015, 1:49pm

Hi, I have been using signatures occasionally over the past couple of years
without any problem. I initially used Firefox to load my signature together
with the root. LO swriter then had no problem finding the certificate and
signing with it.

Now, my old certificate has expired and I have the replacement certificate
installed in FireFox..

Your email prompted me to try and sign a document with my new certificate. LO
cannot see my new certificate (only the old expired one).

As usual (see recent threads) the LO Help doesn't actually help very much. It
talks about an ADD button in the Digital Signing dialog but I don't get an ADD
button. I can sign with the old certificate even though it is expired and then
the document shows that the signature is broken.

I used FireFox to remove my expired certificate and even after rebooting LO only
sees the expired one and not the new one. Still no ADD button so does LO limit
users to a single certificate ? Where does LO store the certificates ?

I found the answer to this by looking in the LO writer
Tools/Options/LibreOffice/Security tab

There the bottom item was Certificate Path and it gave me two choices : FireFox
profile or Thunderbird profile

My LO was on Thunderbird's profile and I had forgotten to update that one with
my new certificate details. So I switched to FireFox which was up to date.

After re-starting LO, my document could be signed by the new certificate.

I updated my Thunderbird profile with the new certificate and set LO to
Thunderbird. After restarting LO, I tried to resign the document. But from the
Thunderbird profile, LO only sees the outdated certificate.

So I conclude several points :

1. LO Writer can only see 1 certificate in either FireFox or Thunderbird
profiles and that is the oldest of however many certs are present.

2. If the oldest is out of date - tough

3. LO Help button on the digital signing dialog box lands the user on a webpage
which correctly announces that it has no information.

4. searching on the LO Help website finds some help which talks of using the
ADD button to add a certificate. But at least with LO 4.2.8.2 (Ubuntu 1404 LTS
with their latest updates), I cannot find any such button.

5. My solution was to delete the expired certificate from FireFox profile. And
LO correctly used the new one which had remained invisible up to that point.

I am not sure that time expired certs should be deleted. They are probably
needed to verify old signatures or to decrypt old files.

Philip

Tom_Davies1 · October 12, 2015, 2:56pm

Hi
Do the "Published Guides" help at all? They are both here;
https://wiki.documentfoundation.org/Documentation/Publications
and here;
http://www.libreoffice.org/get-help/documentation/
and a few other places but those two links have them for free.

The Published Guides are usually the best documentation in English. There
is the Faq and the 'in-built' help but the Published Guides tend to be a
LOT better. The other help tends to be MUCH easier to translate, and
people work hard at that, so the translations tend to be excellent but for
English please try the Published Guides. Having said that i'm not sure if
they cover this issue! Please let us know.
Regards from
Tom xxxx

user253 · October 15, 2015, 10:07am

Hello.

"Writer 4.2 Guide" from second link.

Tom_Davies1 · October 15, 2015, 10:46am

Hi
I think post it as a bug-report.

I'm sure you are probably experienced at this but jic, and mostly for other
people to take note of ...
When you post a bug-report it's a lot like writing an email. The subject
line needs to be a very short indication of what the problem is. People
have a tendency to write something like "problem with LibreOffice" but
since all bug-reports are problems and the whole bug-reporting system is
dedicated to just LibreOffice such a line doesn't help. For this
bug-report something like "certificates, attaching self-signed or personal
ones in LO 5.0.2 in Windows", something nice and succinct. Being succinct
is NOT something i'm good at!! So, you'll probably have a better idea.

Note that you can always add extra 'emails', including attachments, to it
later. So you can post with fairly little information if you need to dig
around to find all the bits&bobs a good bug-report would need. It's better
if you can get it all together fairly quickly but doesn't all HAVE to be in
the first post = it's just better if you can.

There are several drop-down menus to set "urgency" and stuff. Mostly QA
and the devs handle that but one of them has "feature request" as one of
the options. It might be worth posting this as a feature request.

It sounds like LibreOffice can use either a "self-signed" one or a
"personal" one. I read those instructions as just advice that it's better
to use "a personal certificate".

It sounds like whichever you use is used in the same way but that if you
can use a "personal" one it is likely to be even more trusted than a
self-signed one. I think just go for a self-signed one for now unless you
already have a "personal" one = or unless you are doing this as part of the
verification process or something like that.

There is online help in the wiki and an Faq in there. If you can read
something other than English then the online help or the help built into
LibreOffice might give slightly different instructions that help you figure
out how to attach the certificates. If you only read English it still
might but the translated versions of all other documentation tends to be
better in non-English. The English version is designed to be easier to
translate. In English the best help is the published guides that you've
already read.

Regards from
Tom

Villeroy · October 15, 2015, 10:55am

Hello.

"Writer 4.2 Guide" from second link.

=====

I prefer the AOO documentation

Joel_Madero · October 15, 2015, 5:33pm

FWIW - I've always had problems with digital signatures (going back to
OpenOffice I believe). I wouldn't be surprised if there is already a report
in bugzilla about it.

Best,
Joel