Hi! I recently learned LibreOffice 6 supports PGP signed documents. My question: why would anyone want to digitally sign a document?
Peace...
"The Other" Tom
Tom Williams writes:
> why would anyone want to digitally sign a document?
The two most obvious answers are:
(*) confirm authorship
(*) verify integrity of contents
I'm sure there are plenty of other reasons as well.
--hymie! http://lactose.homelinux.net/~hymie hymie@lactose.homelinux.net
When you take out a loan, etc., don't you sign the document? There are
many times you sign things. This is just a digital way to verify you
did. Without this, you'd have to print out the document, sign it and
then get it to the recipient. With digital signing, you digitally sign
it and then can email it, right from LibreOffice.
Thanks for the reply. :) The reason I asked is, I've never considered the need to digitally sign a document I created or modified in LibreOffice. So, I was wondering why anyone would want to do so. Your examples make sense.
Peace...
"The Other" Tom
Now, this is interesting. So, the digital signing you describe would generate a digital version of my signature? I have experience with digitally signing a document, using a third party service, like DocuSign. In those cases, a "signature" font is used to represent my actual signature. I initially thought the digital signing LibreOffice supported added a digital signature to the document, itself, providing some verification that I am who I claim to be. Does it also add the signature, in the manner you describe?
Thanks!
Peace...
"The Other" Tom
At least one bank I'm aware of allows digital signing of documents. So,
you might download a form to open an account, take out a loan, etc. fill
it out and digitally sign it.
Also, think about the current practice of many lawyers and other
professionals, who still fax documents. It would be far more secure
than any fax could be. In fact, given how easy it is to edit scanned
images, spoof phone numbers, etc., there's no way fax can be considered
secure these days. Yet, people still use them.
No, it doesn't generate a digital version of your signature. It uses a
process, related to encryption, to generate a signature of the entire
document, that verifies it could have only come from you. This is
commonly done with X.509 digital certificates, which are traceable back
to some top level certificate authority. As an example of a bank
perhaps, they'd issue you your own public/private keys, which could be
traced back to the bank and to the top level authority beyond. Since
that signature couldn't possibly have come from anyone else, it is your
signature.
You may want to read up on how public/private key encryption works and
X.509 certificates.
What's interesting about this is you can use a smartcard to sign your
documents. LibreOffice supports standard PIV smart cards (at least under
Linux). If you have everything configured right, you can use an x509 that
is resident on the smart card to sign the document. This can provide much
higher security, especially if the smart card is configured with a PIN.
Also keep in mind that the document is not "read only" with the signature.
It is completely possible to open a signed document, not realize it's
signed, accidentally insert a period somewhere, and resave it. As soon as
you modify a signed document the signature is dropped.
Document signing in LibreOffice revisited: What is absent from this
conversation is the fact that one needs a certificate that is anchored to a
well-known certificate authority in order for a random other person to
verify the signature. And such a certificate does not come automatically with
a LibreOffice install. In fact, to my best knowledge, there are no free
certificate providers anymore that are generally trusted. E.g. when you want
to sign a PDF document (e.g. with LibreOffice Draw), the receiving end
typically will use Adobe Acrobat Reader to verify the signature. The only
libre work-around is to generate a self-signed certificate, then convince
your receiving party to get the certificate via an independent, secure way
of transmission and then have them install this self-signed certificate into
their computer. Good luck with that.
The only way I know of to get a (free as in beer) signature with a generally
accepted certificate is HelloSign (their free plan allows for signing of 3
documents per month). Besides that, it is technically possible to convert
e.g. a free Let's Encrypt cert for document signing, but since Let's Encrypt
is not designed for document signing, these certs are not part of e.g. the
cert list trusted by Adobe.
It is even more sad that even the method using self-signed certificates
is broken in LibreOffice (at least in a frequently used scenario:
preinstalled LibreOffice under Ubuntu 18.04). Any GPG keys (or other certs)
that are available on the system are not accessible when invoking the
signing task from within LibreOffice. Under Ubuntu 18.04, LibreOffice
invokes the Seahorse key manager, which starts but never gets populated with
the available keys/certs (and also new key generation is dysfunctional in
this somehow isolated environment).
I am still trying to sign a single document with LibreOffice. Any help?
Where can I change how OpenOffice invokes Seahorse (or for that matter any
other certificate manager)? The fact that this functionality is broken shows
how few people really do sign their documents. I guess in the corporate
setting, this is done more frequently, but NOT with LibreOffice. Sad, but
true.
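The mechanics discussed in the posts above (a signature computed over the entire document, and a self-signed certificate that the recipient checks against a fingerprint received through an independent channel), as an added example that is not part of the original thread. It uses plain `openssl` with a detached signature rather than LibreOffice's own signing; the function names, subject name and document text are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; names, paths and document text are constructed.
set -eu

# Signer: create a private key and a self-signed X.509 certificate in $1.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value to pass along out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Signer: detached signature over the exact bytes of the document.
sign_doc() {   # usage: sign_doc KEY DOC SIG
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Recipient: accept only if the certificate matches the fingerprint received
# over the independent channel AND the signature matches the document bytes.
verify_doc() {   # usage: verify_doc CERT EXPECTED_FP DOC SIG
    [ "$(fingerprint "$1")" = "$2" ] || return 1
    pub=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey > "$pub"
    rc=0
    openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1 || rc=$?
    rm -f "$pub"
    return "$rc"
}

demo() {
    d=$(mktemp -d)
    make_identity "$d"
    fp=$(fingerprint "$d/cert.pem")
    printf 'Loan agreement: 1000 EUR\n' > "$d/doc.txt"
    sign_doc "$d/key.pem" "$d/doc.txt" "$d/doc.sig"
    verify_doc "$d/cert.pem" "$fp" "$d/doc.txt" "$d/doc.sig" && echo "original: signature valid"
    printf '.' >> "$d/doc.txt"   # a single stray period added to the document
    verify_doc "$d/cert.pem" "$fp" "$d/doc.txt" "$d/doc.sig" || echo "modified: signature no longer matches"
    rm -rf "$d"
}
demo
```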
I use cacert.org. It's still free.
I have signed this message. I also sent it to you direct, in case the
list blocks it.
I was intrigued by your remarks above because a couple of years or so ago I had to sign a lot of documents and I used a CAcert certificate which I had imported into Thunderbird and Firefox. LO Writer had no difficulty using my certificate from the Firefox or Thunderbird certificate store. That must have been on UbuntuStudio 1404 or even 1604.
Now I'm on 1804 with LO 6.0.7.3 and I just checked. It offers to sign my doc but only with an old certificate which expired in June this year. My new cert is in both Firefox and Thunderbird but LO appears unable to find it. When I click on the Start Certificate Manager button in the LO dialogue box, it informs me that it couldn't find any certificate manager.
The LO Help files still instruct to use the Firefox and Thunderbird cert stores but some change has evidently been introduced. And yet again the help files seem out of date.
Philip