Okular digital signatures and TU-Dresden

The Technical University of Dresden seems to have sponsored Okular to acquire the capability to digitally sign documents from version 21.04. Since information seems a little difficult to get, this link gives the relevant information and supplies a building script that worked flawlessly on L13 with PureOS Byzantium:

It is very easy to use for the average person to digitally sign a pdf. I would like to learn only how to customize the appearance of the visible signature because it is not obvious. Other than that it is just great.

3 Likes

Can you post here an image of what it looks like by default?

Maybe go looking for it in /usr/share/okular/pics ? and if you find it, put a customised version in ~/.local/share/okular/pics ?

It looks like my distro is behind the times and does not have the needed version of okular - so I can’t test this myself.

I am not sure it works like this. It is not a matter of a picture but of the organization of the signature. For example it gives:


I do not like the all capitals for my name. Moreover the spacing is wasteful.

The script above compiles the latest okular and places executables in ~/local/bin/
I do not see any other installation files anywhere…

It may be getting this from the certificate (subject common name and/or nick name etc.) i.e. there is nothing that Okular or poppler can do, in a sense. You would have to fix this on the certificate and, I would assume, do so by getting a new certificate. In any case, I would take a look at your certificate - to see what name fields exist and what case they are in.

Yes, I know it gets this from the certificate. But it is instructed to do so when it creates the design of the visible part of the signature. This is just a parameter. It does not have to do with the validation. The validation is not performed on the visible part of the signature. So this must be completely customizable. In any case I will try to re-issue a certificate for me, but currently the signature in Okular does not allow ANY modification in some obvious/easy way. JSignPdf allows modifications but the interface is cumbersome and not well documented (I think).

I may be nitpicking, but isn’t inserting text just an analog signature, digitized? When I read “digital”, I understand “not possible in analog”, so I thought it would be a cryptographic signature.

No, the PDF is being digitally (cryptographically) signed but it also overstamps the PDF document with the annotation shown above as a visible hint that the document has been digitally signed. @antonis just wants to have the functionality to customise the appearance of the visible hint, which functionality does not exist.

The visible hint is a bit misleading because I could easily sign a document as Irvine Wade but make the visible hint say Antonios … and the document would pass cryptographic validation. So the user really needs to look at the Document Properties and see what the actual Subject Common Name on the certificate is and confirm that it matches the visible hint, if the visible hint is present - or alternatively take the opportunity to open the signatures panel when offered to do so on opening a digitally signed document.

There would be some argument for giving the user the option of turning off the visible hint altogether.

Sure. It could work differently. You’ve built from source so you could easily completely override the text that is included so that it does not come from the certificate but instead is your name hardcoded in title case, or you could override it to convert the name on the certificate into title case before using it. (The rules for title case are locale / language sensitive though. Maybe you only need Greek to work.)

Yes, the digital signature is a crypto-signature. But the software creating this crypto-signature often creates a stamp on the document that says things like “signed by that person”. This stamp is called “visible signature” and provides an easy interface to click on it and access the details of the crypto-signature. LibreOffice signs PDF documents, that is, it adds a crypto-signature but does not add a visible one (a stamp). Acrobat, JSignPDF, easypdfsign and latest Okular are capable of adding a signature stamp as well as the crypto-signature. It is the visible part people often want to customize.

That sounds like a bad idea: people will get used to looking at the content (can be falsified) instead of the metadata (cannot be falsified) to check for a signature, and end up believing untrue things.

1 Like
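
The check described above (compare the visible stamp with the certificate's Subject Common Name and the validation result) can be scripted. This is an added example, not part of any post in this thread; it assumes the text output of poppler's `pdfsig` tool uses the field labels shown in the constructed sample, and the file name and names in it are made up.

```python
import re

# Constructed sample of `pdfsig` (poppler-utils) text output; the field labels
# are an assumption and may differ between poppler versions.
SAMPLE_PDFSIG_OUTPUT = """\
Digital Signature Info of: contract.pdf
Signature #1:
  - Signer Certificate Common Name: IRVINE WADE
  - Signer full Distinguished Name: CN=IRVINE WADE,O=Example Org,C=XX
  - Signing Time: Jan 01 2024 10:00:00
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 1000], [5000 - 6000]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate is Trusted.
"""

def parse_signatures(text):
    """Split pdfsig-style output into one dict of fields per signature."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"Signature #\d+:", line):
            sigs.append({"flags": []})          # start of a new signature block
        elif line.startswith("- ") and sigs:
            key, sep, value = line[2:].partition(": ")
            if sep:
                sigs[-1][key] = value            # "label: value" field
            else:
                sigs[-1]["flags"].append(key)    # bare statement, e.g. coverage
    return sigs

def normalise(name):
    """Ignore case and spacing, since the stamp may restyle the name."""
    return " ".join(name.split()).casefold()

def check_stamp(sig, stamp_name):
    """Return reasons to distrust the visible stamp; an empty list means consistent."""
    problems = []
    cn = sig.get("Signer Certificate Common Name", "")
    if normalise(cn) != normalise(stamp_name):
        problems.append(f"stamp says {stamp_name!r}, certificate CN is {cn!r}")
    if sig.get("Signature Validation") != "Signature is Valid.":
        problems.append("signature does not validate")
    if sig.get("Certificate Validation") != "Certificate is Trusted.":
        problems.append("certificate is not trusted")
    if "Total document signed" not in sig["flags"]:
        problems.append("signature does not cover the whole document")
    return problems
```

`stamp_name` is whatever the reader sees printed on the page; the function reports every way the signature data fails to back that up.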

Yes. That’s what I meant by

There would be some argument for giving the user the option of turning off the visible hint altogether.

By “user” I meant “the creator of the document”.

and by

The visible hint is a bit misleading because […]

True, I agree, but this is the state of things right now. It started with Acrobat I think. People got used to seeing a “visible” part. FOSS tries to follow. If I sign without a visible part they bug me: “where is the signature?” which exactly proves your point. I cannot always be the “different” and “difficult” guy. I always check signatures for myself. It is the other side’s job to do the same.

It is Adobe that should have thought of this being a bad idea. Now people expect the visible part. Unfortunately. But isn’t that what most for-profit companies do? They prefer an uneducated audience so they can manipulate it, Fb being one of the greatest examples.