Hi,

we currently have an issue with digital signing on non-Windows platforms. The whole problem was introduced with the drop of some very old Mozilla stuff that always caused problems.

Feature description (simplified)

Digital signing of documents and/or macros is a feature to increase the integrity in a workflow where documents are exchanged and to build a trusted environment.

1. document signatures

With a valid certificate it is possible to sign a document after it is saved. It is comparable with a seal. Other users loading this document will see a signature icon in the status bar that shows that this document is signed. A double click on this icon opens a dialog where the user can view the certificate. Two statuses are possible: the first one is that the certificate can be validated and is marked as trusted. The second (identified with the same icon + a yellow triangle warning sign) is where the certificate can't be validated automatically.

2. macro signatures

Similar to documents, the user can sign macros in the same way. When a user loads a document with signed macros, a dialog is opened to enable macros or not. In this dialog the user also gets information that the macro is signed and is able to view the certificate. It is also possible to trust this certificate always, and the next time the macro is accepted automatically.

Problem

This functionality was tightly coupled to Mozilla and made use of the Mozilla certificate store, at least on Linux and MacOS, whereas on Windows the system certificate store was used directly. The current situation is that it still works on Windows but is partly broken on Linux and MacOS. Signing of new documents or macros is not possible at all because no certificate store is available or, better, accessible. Signed documents can be loaded but the cert can't be validated. Signed macros can be loaded/enabled and executed. It is also possible to add an exception to trust this cert always to prevent the macro dialog in the future.

General

This feature heavily depends on the Mozilla certificate store, which seems to be not optimal. For example on Mac the user would have to install Mozilla to make use of this feature. The standard browser for most users is Safari. A further observation is why I can't accept a cert for document signatures but can for macro signatures. For example, if I know where it comes from and know that it is a self-signed cert, why can't I trust this cert?

Solution idea

Rely on the system certificate store where possible, similar to Windows; that means on MacOS connect to the Keychain. On Linux it is still unclear to me how it can work. Maybe managing an own cert store and using openssl to access system resources to validate certificates. Or access an existing cert store for the user/system via openssl.

I am no expert here and there are many open questions that have to be answered. Opinions and especially expert knowledge from an implementation perspective are highly appreciated and welcome.

Juergen