A small update on that topic: there is a simple workaround! Signing also
works on Mac and Linux if the environment variable
MOZILLA_CERTIFICATE_FOLDER is set to the currently active
mozilla/thunderbird/firefox/etc. profile.
E.g. on Linux setting the environment variable could look like
MOZILLA_CERTIFICATE_FOLDER=sql:/home/xxx/.mozilla/firefox/23d7j.default
and on Mac it could look like
MOZILLA_CERTIFICATE_FOLDER="sql:/Users/xxx/Library/Application
Support/Firefox/Profiles/23d7j.default"
Herbert
On 17.04.2014 11:55, Jürgen Schmidt wrote:
Hi,
we currently have an issue with digital signing on non Windows
platforms. The whole problem was introduced with the drop of some very
old Mozilla stuff that made always problems.
Feature description (simplified)
Digital signing of document and/or macros is a feature to increase the
integrity in a workflow where documents are exchanged and to build a
trusted environment.
1. document signatures
With a valid certificate it is possible to sign a document after it is
saved. It is comparable with a seal. Other users loading this document
will see a signature icon in the status bar that shows that this
document is signed. Double click on this icon opens a dialog where the
user can view the certificate. Two status are possible, the first one is
that the certificate can be validated and is marked as trusted. The
second (identified with the same icon + a yellow triangle warning sign)
is where the certificate can't be validated automatically.
2. macro signatures
Similar to documents the user can sign macros in the same way. When a
user load a document with signed macros a dialog is opened to enable
macros or not. In this dialog the user get also information that the
macro is signed and is able to view the certificate. It is also possible
to trust this certificate always and the next time the macro is accepted
automatically.
Problem
This functionality was tightly coupled to Mozilla and made use of the
Mozilla certificate store. At least on Linux and MacOS where as on
Windows system certificate store was used directly.
Current situation is that it still works on Windows but is partly broken
on Linux and MacOS. Signing of new document or macros is not possible at
all because no certificate store is available or better accessible.
Signed documents can be loaded but the cert can't be validated. Signed
macros can be loaded/enabled and executed. It is also possible to add an
exception to trust this cert always to prevent the macro dialog in the
future.
General
This feature heavily depends on the Mozilla certificate store which
seems to be not optimal. For example on Mac the user would have to
install Mozilla to make use of this feature. Standard browser for most
users is Safari.
A further observation is why I can't accept a cert for document
signatures but for macro signatures. For example if I know where it
comes from and know that it is a self signed cert why I can't trust this
cert.
Solution idea
Rely on the system certificate store where possible similar to Windows,
means on MacOS connect to the Keychain. On Linux it is still unclear to
me how it can work. Maybe managing an own cert store and use openssl to
access system resources to validate certificates. Or access via openssl
an existing cert store for the user/system. I am no expert here and many
open questions that have to be answered.
Opinions and especially expert knowledge from an implementation
perspective are highly appreciated and welcome.
Juergen
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
