Hans,

I found out why Acrobat isn’t reading time from signatures performed
with ConTeXt.

PAdES signatures require the /M key in the signature dictionary
(https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.02.01_60/en_31914201v010201p.pdf#page=19).

Just in case you wonder, this has been a requirement in previous
versions:
https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf#page=19
and
https://www.etsi.org/deliver/etsi_ts/103100_103199/103172/02.02.02_60/ts_103172v020202p.pdf#page=11.

Besides that, the CMS signature itself should not have any signing-time
attribute. It might have a timestamp token as an unsigned attribute added
to the signature, as I already mentioned in my previous messages, but
I’m still investigating this.

BTW, there is an ongoing pull request to be able to have CMS signatures
without signing time attribute in OpenSSL
(https://github.com/openssl/openssl/pull/15783). But this still has to
be merged (after being finished).

The attached patch adds the /M entry in the signature dictionary.

This is the best we (or at least I) can do right now.

Many thanks for your help,

Pablo
--- Desktop/lpdf-sig.lmt	2024-12-10 19:47:10.259900550 +0100
+++ lpdf-sig.lmt	2024-12-10 20:00:27.168094593 +0100
@@ -84,6 +84,7 @@
                 Filter       = pdfconstant("Adobe.PPKLite"),
                 SubFilter    = pdfconstant("adbe.pkcs7.detached"),
                 Type         = pdfconstant("Sig"),
+                M            = lpdf.pdftimestamp(os.date("%Y-%m-%dT%H:%M:%S") .. os.timezone()),
              -- Reasons      = pdfunicode("just to be sure"),
                 Reference    = reference,
             }
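Review bot: the added M line concatenates os.date("%Y-%m-%dT%H:%M:%S") with os.timezone(), and nothing visible here shows what form os.timezone() returns or what input lpdf.pdftimestamp expects, so it is worth confirming that the combined string always yields a well-formed PDF date with a correct UTC offset (including across DST changes), and adding a short comment saying that M is there because PAdES requires it. The value is also taken from the local clock when the dictionary is built, so it is only a claimed signing time; a verifier can trust it no further than the signer's machine, which is one more reason to pursue the timestamp token mentioned in the message. Separately, SubFilter in the unchanged context is still adbe.pkcs7.detached, whereas the PAdES baseline profile uses ETSI.CAdES.detached, so adding M alone may not be enough for a validator to treat the result as a PAdES signature.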
_______________________________________________
dev-context mailing list -- dev-context@ntg.nl