On 4/17/14 3:53 PM, Herbert Duerr wrote:
> A small update on that topic: there is a simple workaround! Signing also
> works on Mac and Linux if the environment variable
> MOZILLA_CERTIFICATE_FOLDER is set to the currently active
> mozilla/thunderbird/firefox/etc. profile.
> 
> E.g. on Linux setting the environment variable could look like
> MOZILLA_CERTIFICATE_FOLDER=sql:/home/xxx/.mozilla/firefox/23d7j.default
> and on Mac it could look like
> MOZILLA_CERTIFICATE_FOLDER="sql:/Users/xxx/Library/Application
> Support/Firefox/Profiles/23d7j.default"

We have verified this on Linux as well and I think it is a very usable and
good workaround for now. We will create a wiki page where we describe in
detail what the user has to do ... We should keep in mind that the
workflow was far from optimal and relied heavily on a Mozilla cert store
and still does. As I described earlier, on Mac that is a not very common environment.

Anyway, I think we can proceed with the workaround for now. And thanks to
Herbert who initially dropped the ugly old Mozilla stuff (kudos for
this) and who found this easy workaround in nss (some further kudos for
this).

I will take care of uploading the RC4 when the server is back again
(hope I will notice this in my vacation ;-)).

Please test this feature with the upcoming RC4 and for some detailed
information please review issue
https://issues.apache.org/ooo/show_bug.cgi?id=124701

Juergen




> 
> Herbert
> 
> On 17.04.2014 11:55, Jürgen Schmidt wrote:
>> Hi,
>>
>> we currently have an issue with digital signing on non-Windows
>> platforms. The whole problem was introduced with the drop of some very
>> old Mozilla stuff that always caused problems.
>>
>> Feature description (simplified)
>> Digital signing of document and/or macros is a feature to increase the
>> integrity in a workflow where documents are exchanged and to build a
>> trusted environment.
>>
>> 1. document signatures
>> With a valid certificate it is possible to sign a document after it is
>> saved. It is comparable with a seal. Other users loading this document
>> will see a signature icon in the status bar that shows that this
>> document is signed. Double click on this icon opens a dialog where the
>> user can view the certificate. Two statuses are possible, the first one is
>> that the certificate can be validated and is marked as trusted. The
>> second (identified with the same icon + a yellow triangle warning sign)
>> is where the certificate can't be validated automatically.
>>
>> 2. macro signatures
>> Similar to documents the user can sign macros in the same way. When a
>> user loads a document with signed macros a dialog is opened to enable
>> macros or not. In this dialog the user also gets information that the
>> macro is signed and is able to view the certificate. It is also possible
>> to trust this certificate always and the next time the macro is accepted
>> automatically.
>>
>> Problem
>> This functionality was tightly coupled to Mozilla and made use of the
>> Mozilla certificate store. At least on Linux and MacOS, whereas on
>> Windows the system certificate store was used directly.
>>
>> Current situation is that it still works on Windows but is partly broken
>> on Linux and MacOS. Signing of new documents or macros is not possible at
>> all because no certificate store is available or better accessible.
>> Signed documents can be loaded but the cert can't be validated. Signed
>> macros can be loaded/enabled and executed. It is also possible to add an
>> exception to trust this cert always to prevent the macro dialog in the
>> future.
>>
>>
>> General
>> This feature heavily depends on the Mozilla certificate store which
>> seems to be not optimal. For example on Mac the user would have to
>> install Mozilla to make use of this feature. Standard browser for most
>> users is Safari.
>> A further observation is why I can't accept a cert for document
>> signatures but for macro signatures. For example if I know where it
>> comes from and know that it is a self signed cert why I can't trust this
>> cert.
>>
>> Solution idea
>> Rely on the system certificate store where possible similar to Windows,
>> means on MacOS connect to the Keychain. On Linux it is still unclear to
>> me how it can work. Maybe managing an own cert store and use openssl to
>> access system resources to validate certificates. Or access via openssl
>> an existing cert store for the user/system. I am no expert here and many
>> open questions that have to be answered.
>>
>> Opinions and especially expert knowledge from an implementation
>> perspective are highly appreciated and welcome.
>>
>> Juergen
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>
> 
> 
> 
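The workaround discussed in this thread, as an added example that is not part of the original mails or of the OpenOffice code: a shell function (hypothetical name `nss_cert_folder`) that reads `profiles.ini` in a Mozilla data directory, picks the default profile and prints a value for MOZILLA_CERTIFICATE_FOLDER. It assumes the usual `[ProfileN]` layout with `Path`, `IsRelative` and `Default` keys, and that `cert9.db` means an NSS `sql:` store while `cert8.db` means a legacy `dbm:` store.

```shell
#!/bin/sh
# Added example: derive MOZILLA_CERTIFICATE_FOLDER from a Mozilla data
# directory (the one holding profiles.ini). Function name is hypothetical.
nss_cert_folder() {
    base=$1
    ini="$base/profiles.ini"
    [ -r "$ini" ] || { echo "no profiles.ini in $base" >&2; return 1; }

    # Pick the [ProfileN] section marked Default=1, else the first one listed.
    entry=$(awk -F= '
        function emit() {
            if (path == "") return
            if (first == "") first = isrel "|" path
            if (isdef == 1 && best == "") best = isrel "|" path
        }
        { sub(/\r$/, "") }
        /^\[/ { emit(); insec = ($0 ~ /^\[Profile[0-9]+\]$/)
                path = ""; isrel = 1; isdef = 0; next }
        insec && $1 == "Path"       { path = substr($0, 6) }
        insec && $1 == "IsRelative" { isrel = $2 }
        insec && $1 == "Default"    { isdef = $2 }
        END { emit(); print (best != "" ? best : first) }
    ' "$ini")
    [ -n "$entry" ] || { echo "no profile listed in $ini" >&2; return 1; }

    # IsRelative=1 means Path is relative to the directory of profiles.ini.
    case $entry in
        "1|"*) dir="$base/${entry#*|}" ;;
        *)     dir=${entry#*|} ;;
    esac

    # cert9.db is the SQLite store (sql:), cert8.db the legacy one (dbm:).
    if [ -f "$dir/cert9.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ]; then
        printf 'dbm:%s\n' "$dir"
    else
        echo "no NSS certificate database in $dir" >&2; return 1
    fi
}

# Usage (quote the result: the Mac path contains a space):
#   MOZILLA_CERTIFICATE_FOLDER="$(nss_cert_folder "$HOME/.mozilla/firefox")"
#   export MOZILLA_CERTIFICATE_FOLDER
```

The function fails with a message on stderr when the chosen profile has no certificate database, which is the case where signing would find no certificates even with the variable set.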

