Re: [DISCUSS]: Digital signing of documents and macros
Niltze, all!

On Thu, Apr 17, 2014 at 10:25 AM, Kay Schenk kay.sch...@gmail.com wrote:
> On Thu, Apr 17, 2014 at 10:19 AM, Juergen Schmidt jogischm...@gmail.com wrote:
>> On Thursday, 17 April 2014 at 17:59, Andrea Pescetti wrote:
>>> Jürgen Schmidt wrote:
>>>> On 4/17/14 3:53 PM, Herbert Duerr wrote:
>>>>> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile. ...
>>>> we have verified this on Linux as well and I think it is very usable and good workaround for now.
>>>
>>> Thanks a lot for this. It shows, once again, that we take users into consideration.
>>>
>>>> https://issues.apache.org/ooo/show_bug.cgi?id=124701
>>>
>>> Am I right in understanding that no code changes are necessary then, merely configuring the environment appropriately? And that (waiting for the servers to wake up) this can be tested on 4.1.0-beta or any previous RC too?
>>
>> yes it should work with any RC and Beta (not tested) as well. We are indeed happy that Herbert found this workaround because everything else would have taken much longer. The good thing for me is that I learned something new ;-)
>>
>> Juergen
>
> Yes, really good news! And thank you Herbert for this simple and creative solution! Although I am not familiar with the sql: prefix reference for environment variables (??)
>
> Good going!
>
>>> Regards,
>>> Andrea.
>
> --
> MzK
>
> Life is either a daring adventure, or nothing.
> -- Helen Keller

Test case -- using GNU/Linux Debian with Apache OpenOffice 4.1.0 RC3:

Follow instructions to create PKCS12 file (works on GNU/Linux, as well):
http://stackoverflow.com/questions/20445365/create-pkcs12-file-with-self-signed-certificate-via-openssl-in-windows-for-my-a

Import the self-signed certificate into Iceweasel (Firefox):
Edit -- Preferences -- Certificates -- View Certificates -- Import -- (select file location)

Close ApacheOO 4.1.0 RC3, if open.

As explained at ( https://wiki.openoffice.org/wiki/Certificate_Detection ), at the Bash prompt type:

    export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/<here put your user profile>

Subsequently -- from the same environment -- type command

    apacheoo

-- Assumed Setup --

ApacheOO unpacks itself on /opt/openoffice4/

Accordingly (as root) it is necessary to create a symlink to start the application from the command line:

    ln -s /opt/openoffice4/program/soffice /usr/bin/apacheoo
    cd /opt/openoffice4/program/
    ln -s soffice.bin apacheoo.bin

This way any user in a GNU/Linux environment can start its /usr/bin/apacheoo instance from the Bash command.

Picture: http://www.metztli-it.com/blog/index.php/ixiptli/aF9

--
Jose R R
http://www.metztli-it.com

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [DISCUSS]: Digital signing of documents and macros
Hi,

Besides we validate issue below with some self-signed certificates that are attached to this issue, we are looking for volunteers to test this feature with the upcoming RC4 by:

1. Create a new authority certificate and use this to create new test certs
2. Test the validation with these test certs

Please let us know your test results and share (upload) your test documents with valid and good certificates, in below issue if possible. Thanks!

https://issues.apache.org/ooo/show_bug.cgi?id=124701

On Fri, Apr 18, 2014 at 2:35 AM, Jose R R jose@metztli-it.com wrote:
> Niltze, all!
>
> On Thu, Apr 17, 2014 at 10:25 AM, Kay Schenk kay.sch...@gmail.com wrote:
>> On Thu, Apr 17, 2014 at 10:19 AM, Juergen Schmidt jogischm...@gmail.com wrote:
>>> On Thursday, 17 April 2014 at 17:59, Andrea Pescetti wrote:
>>>> Jürgen Schmidt wrote:
>>>>> On 4/17/14 3:53 PM, Herbert Duerr wrote:
>>>>>> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile. ...
>>>>> we have verified this on Linux as well and I think it is very usable and good workaround for now.
>>>>
>>>> Thanks a lot for this. It shows, once again, that we take users into consideration.
>>>>
>>>>> https://issues.apache.org/ooo/show_bug.cgi?id=124701
>>>>
>>>> Am I right in understanding that no code changes are necessary then, merely configuring the environment appropriately? And that (waiting for the servers to wake up) this can be tested on 4.1.0-beta or any previous RC too?
>>>
>>> yes it should work with any RC and Beta (not tested) as well. We are indeed happy that Herbert found this workaround because everything else would have taken much longer. The good thing for me is that I learned something new ;-)
>>>
>>> Juergen
>>
>> Yes, really good news! And thank you Herbert for this simple and creative solution! Although I am not familiar with the sql: prefix reference for environment variables (??)
>>
>> Good going!
>>
>>>> Regards,
>>>> Andrea.
>>
>> --
>> MzK
>>
>> Life is either a daring adventure, or nothing.
>> -- Helen Keller
>
> Test case -- using GNU/Linux Debian with Apache OpenOffice 4.1.0 RC3:
>
> Follow instructions to create PKCS12 file (works on GNU/Linux, as well):
> http://stackoverflow.com/questions/20445365/create-pkcs12-file-with-self-signed-certificate-via-openssl-in-windows-for-my-a
>
> Import the self-signed certificate into Iceweasel (Firefox):
> Edit -- Preferences -- Certificates -- View Certificates -- Import -- (select file location)
>
> Close ApacheOO 4.1.0 RC3, if open.
>
> As explained at ( https://wiki.openoffice.org/wiki/Certificate_Detection ), at the Bash prompt type:
>
>     export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/<here put your user profile>
>
> Subsequently -- from the same environment -- type command
>
>     apacheoo
>
> -- Assumed Setup --
>
> ApacheOO unpacks itself on /opt/openoffice4/
>
> Accordingly (as root) it is necessary to create a symlink to start the application from the command line:
>
>     ln -s /opt/openoffice4/program/soffice /usr/bin/apacheoo
>     cd /opt/openoffice4/program/
>     ln -s soffice.bin apacheoo.bin
>
> This way any user in a GNU/Linux environment can start its /usr/bin/apacheoo instance from the Bash command.
>
> Picture: http://www.metztli-it.com/blog/index.php/ixiptli/aF9
>
> --
> Jose R R
> http://www.metztli-it.com

--
Regards,
Yu Zhen
[DISCUSS]: Digital signing of documents and macros
Hi,

we currently have an issue with digital signing on non-Windows platforms. The whole problem was introduced with the drop of some very old Mozilla stuff that always made problems.

Feature description (simplified)

Digital signing of document and/or macros is a feature to increase the integrity in a workflow where documents are exchanged and to build a trusted environment.

1. document signatures
With a valid certificate it is possible to sign a document after it is saved. It is comparable with a seal. Other users loading this document will see a signature icon in the status bar that shows that this document is signed. Double click on this icon opens a dialog where the user can view the certificate. Two statuses are possible, the first one is that the certificate can be validated and is marked as trusted. The second (identified with the same icon + a yellow triangle warning sign) is where the certificate can't be validated automatically.

2. macro signatures
Similar to documents the user can sign macros in the same way. When a user loads a document with signed macros a dialog is opened to enable macros or not. In this dialog the user also gets information that the macro is signed and is able to view the certificate. It is also possible to trust this certificate always and the next time the macro is accepted automatically.

Problem

This functionality was tightly coupled to Mozilla and made use of the Mozilla certificate store. At least on Linux and MacOS, whereas on Windows the system certificate store was used directly.

Current situation is that it still works on Windows but is partly broken on Linux and MacOS. Signing of new document or macros is not possible at all because no certificate store is available or better accessible. Signed documents can be loaded but the cert can't be validated. Signed macros can be loaded/enabled and executed. It is also possible to add an exception to trust this cert always to prevent the macro dialog in the future.

General

This feature heavily depends on the Mozilla certificate store which seems to be not optimal. For example on Mac the user would have to install Mozilla to make use of this feature. Standard browser for most users is Safari.

A further observation is why I can't accept a cert for document signatures but for macro signatures. For example if I know where it comes from and know that it is a self-signed cert why I can't trust this cert.

Solution idea

Rely on the system certificate store where possible similar to Windows, means on MacOS connect to the Keychain. On Linux it is still unclear to me how it can work. Maybe managing an own cert store and use openssl to access system resources to validate certificates. Or access via openssl an existing cert store for the user/system.

I am no expert here and many open questions that have to be answered. Opinions and especially expert knowledge from an implementation perspective are highly appreciated and welcome.

Juergen
Re: [DISCUSS]: Digital signing of documents and macros
A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile.

E.g. on Linux setting the environment variable could look like

    MOZILLA_CERTIFICATE_FOLDER=sql:/home/xxx/.mozilla/firefox/23d7j.default

and on Mac it could look like

    MOZILLA_CERTIFICATE_FOLDER=sql:/Users/xxx/Library/Application Support/Firefox/Profiles/23d7j.default

Herbert

On 17.04.2014 11:55, Jürgen Schmidt wrote:
> Hi,
>
> we currently have an issue with digital signing on non-Windows platforms. The whole problem was introduced with the drop of some very old Mozilla stuff that always made problems.
>
> Feature description (simplified)
>
> Digital signing of document and/or macros is a feature to increase the integrity in a workflow where documents are exchanged and to build a trusted environment.
>
> 1. document signatures
> With a valid certificate it is possible to sign a document after it is saved. It is comparable with a seal. Other users loading this document will see a signature icon in the status bar that shows that this document is signed. Double click on this icon opens a dialog where the user can view the certificate. Two statuses are possible, the first one is that the certificate can be validated and is marked as trusted. The second (identified with the same icon + a yellow triangle warning sign) is where the certificate can't be validated automatically.
>
> 2. macro signatures
> Similar to documents the user can sign macros in the same way. When a user loads a document with signed macros a dialog is opened to enable macros or not. In this dialog the user also gets information that the macro is signed and is able to view the certificate. It is also possible to trust this certificate always and the next time the macro is accepted automatically.
>
> Problem
>
> This functionality was tightly coupled to Mozilla and made use of the Mozilla certificate store. At least on Linux and MacOS, whereas on Windows the system certificate store was used directly.
>
> Current situation is that it still works on Windows but is partly broken on Linux and MacOS. Signing of new document or macros is not possible at all because no certificate store is available or better accessible. Signed documents can be loaded but the cert can't be validated. Signed macros can be loaded/enabled and executed. It is also possible to add an exception to trust this cert always to prevent the macro dialog in the future.
>
> General
>
> This feature heavily depends on the Mozilla certificate store which seems to be not optimal. For example on Mac the user would have to install Mozilla to make use of this feature. Standard browser for most users is Safari.
>
> A further observation is why I can't accept a cert for document signatures but for macro signatures. For example if I know where it comes from and know that it is a self-signed cert why I can't trust this cert.
>
> Solution idea
>
> Rely on the system certificate store where possible similar to Windows, means on MacOS connect to the Keychain. On Linux it is still unclear to me how it can work. Maybe managing an own cert store and use openssl to access system resources to validate certificates. Or access via openssl an existing cert store for the user/system.
>
> I am no expert here and many open questions that have to be answered. Opinions and especially expert knowledge from an implementation perspective are highly appreciated and welcome.
>
> Juergen
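Added example, not part of the thread or of the OpenOffice code: a shell helper that checks a Mozilla profile directory before it is used as MOZILLA_CERTIFICATE_FOLDER, covering both the workaround described above and the test case posted in this thread. It assumes the standard NSS file names (cert9.db/key4.db for the SQLite store that the sql: prefix selects, cert8.db/key3.db for the legacy store); the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: validate a Mozilla profile directory
# and build the value for MOZILLA_CERTIFICATE_FOLDER. Function names are
# hypothetical.

# Succeeds only for a real directory that group and others cannot write to.
# The profile holds the certificates and trust flags used when signing and
# validating, so anyone who can write to it can change what is trusted.
profile_is_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        d????w????|d???????w?) return 1 ;;   # group- or world-writable
        d?????????) return 0 ;;
        *) return 1 ;;                       # symlink or not a directory
    esac
}

# Prints the value to export; on failure prints a reason to stderr and
# returns non-zero. Assumes NSS file naming: cert9.db/key4.db is the SQLite
# store that the "sql:" prefix selects, cert8.db/key3.db the legacy store.
nss_store_spec() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2; return 1
    fi
    if ! profile_is_private "$dir"; then
        echo "profile is writable by other users: $dir" >&2; return 1
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        printf '%s\n' "$dir"    # legacy store: bare path, as in the test case
    else
        echo "no NSS certificate database in: $dir" >&2; return 1
    fi
}

# Constructed demo: a throw-away directory stands in for a real profile.
# The name contains a space, like "Application Support" on a Mac, which is
# why every expansion above is double-quoted.
demo_root=$(mktemp -d)
demo="$demo_root/Application Support"
mkdir "$demo" && chmod 700 "$demo"
: > "$demo/cert9.db"
: > "$demo/key4.db"
if MOZILLA_CERTIFICATE_FOLDER=$(nss_store_spec "$demo"); then
    export MOZILLA_CERTIFICATE_FOLDER
    echo "MOZILLA_CERTIFICATE_FOLDER=$MOZILLA_CERTIFICATE_FOLDER"
fi
rm -rf "$demo_root"
```

With the NSS tools installed, `certutil -L -d "$MOZILLA_CERTIFICATE_FOLDER"` lists the certificates in that store, which confirms the imported signing certificate is visible before OpenOffice is started from the same shell.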
Re: [DISCUSS]: Digital signing of documents and macros
On 4/17/14 3:53 PM, Herbert Duerr wrote:
> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile.
>
> E.g. on Linux setting the environment variable could look like
>
>     MOZILLA_CERTIFICATE_FOLDER=sql:/home/xxx/.mozilla/firefox/23d7j.default
>
> and on Mac it could look like
>
>     MOZILLA_CERTIFICATE_FOLDER=sql:/Users/xxx/Library/Application Support/Firefox/Profiles/23d7j.default

we have verified this on Linux as well and I think it is very usable and good workaround for now. We will create a wiki page where we describe in detail what the user has to do ...

We should keep in mind that the workflow was far from optimal and relied heavily on a Mozilla cert store and still does. As I described earlier on Mac a not very common environment.

Anyway I think we can proceed with the workaround for now. And thanks to Herbert who initially dropped the ugly old Mozilla stuff (kudos for this) and who found this easy workaround in nss (some further kudos for this).

I will take care of uploading the RC4 when the server is back again (hope I will notice this in my vacation ;-)).

Please test this feature with the upcoming RC4 and for some detail information please review issue https://issues.apache.org/ooo/show_bug.cgi?id=124701

Juergen

> Herbert
>
> On 17.04.2014 11:55, Jürgen Schmidt wrote:
>> Hi,
>>
>> we currently have an issue with digital signing on non-Windows platforms. The whole problem was introduced with the drop of some very old Mozilla stuff that always made problems.
>>
>> Feature description (simplified)
>>
>> Digital signing of document and/or macros is a feature to increase the integrity in a workflow where documents are exchanged and to build a trusted environment.
>>
>> 1. document signatures
>> With a valid certificate it is possible to sign a document after it is saved. It is comparable with a seal. Other users loading this document will see a signature icon in the status bar that shows that this document is signed. Double click on this icon opens a dialog where the user can view the certificate. Two statuses are possible, the first one is that the certificate can be validated and is marked as trusted. The second (identified with the same icon + a yellow triangle warning sign) is where the certificate can't be validated automatically.
>>
>> 2. macro signatures
>> Similar to documents the user can sign macros in the same way. When a user loads a document with signed macros a dialog is opened to enable macros or not. In this dialog the user also gets information that the macro is signed and is able to view the certificate. It is also possible to trust this certificate always and the next time the macro is accepted automatically.
>>
>> Problem
>>
>> This functionality was tightly coupled to Mozilla and made use of the Mozilla certificate store. At least on Linux and MacOS, whereas on Windows the system certificate store was used directly.
>>
>> Current situation is that it still works on Windows but is partly broken on Linux and MacOS. Signing of new document or macros is not possible at all because no certificate store is available or better accessible. Signed documents can be loaded but the cert can't be validated. Signed macros can be loaded/enabled and executed. It is also possible to add an exception to trust this cert always to prevent the macro dialog in the future.
>>
>> General
>>
>> This feature heavily depends on the Mozilla certificate store which seems to be not optimal. For example on Mac the user would have to install Mozilla to make use of this feature. Standard browser for most users is Safari.
>>
>> A further observation is why I can't accept a cert for document signatures but for macro signatures. For example if I know where it comes from and know that it is a self-signed cert why I can't trust this cert.
>>
>> Solution idea
>>
>> Rely on the system certificate store where possible similar to Windows, means on MacOS connect to the Keychain. On Linux it is still unclear to me how it can work. Maybe managing an own cert store and use openssl to access system resources to validate certificates. Or access via openssl an existing cert store for the user/system.
>>
>> I am no expert here and many open questions that have to be answered. Opinions and especially expert knowledge from an implementation perspective are highly appreciated and welcome.
>>
>> Juergen
Re: [DISCUSS]: Digital signing of documents and macros
Jürgen Schmidt wrote:
> On 4/17/14 3:53 PM, Herbert Duerr wrote:
>> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile. ...
> we have verified this on Linux as well and I think it is very usable and good workaround for now.

Thanks a lot for this. It shows, once again, that we take users into consideration.

> https://issues.apache.org/ooo/show_bug.cgi?id=124701

Am I right in understanding that no code changes are necessary then, merely configuring the environment appropriately? And that (waiting for the servers to wake up) this can be tested on 4.1.0-beta or any previous RC too?

Regards,
Andrea.
Re: [DISCUSS]: Digital signing of documents and macros
On Thursday, 17 April 2014 at 17:59, Andrea Pescetti wrote:
> Jürgen Schmidt wrote:
>> On 4/17/14 3:53 PM, Herbert Duerr wrote:
>>> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile. ...
>> we have verified this on Linux as well and I think it is very usable and good workaround for now.
>
> Thanks a lot for this. It shows, once again, that we take users into consideration.
>
>> https://issues.apache.org/ooo/show_bug.cgi?id=124701
>
> Am I right in understanding that no code changes are necessary then, merely configuring the environment appropriately? And that (waiting for the servers to wake up) this can be tested on 4.1.0-beta or any previous RC too?

yes it should work with any RC and Beta (not tested) as well. We are indeed happy that Herbert found this workaround because everything else would have taken much longer. The good thing for me is that I learned something new ;-)

Juergen

> Regards,
> Andrea.
Re: [DISCUSS]: Digital signing of documents and macros
On Thu, Apr 17, 2014 at 10:19 AM, Juergen Schmidt jogischm...@gmail.com wrote:
> On Thursday, 17 April 2014 at 17:59, Andrea Pescetti wrote:
>> Jürgen Schmidt wrote:
>>> On 4/17/14 3:53 PM, Herbert Duerr wrote:
>>>> A small update on that topic: there is a simple workaround! Signing also works on Mac and Linux if the environment variable MOZILLA_CERTIFICATE_FOLDER is set to the currently active mozilla/thunderbird/firefox/etc. profile. ...
>>> we have verified this on Linux as well and I think it is very usable and good workaround for now.
>>
>> Thanks a lot for this. It shows, once again, that we take users into consideration.
>>
>>> https://issues.apache.org/ooo/show_bug.cgi?id=124701
>>
>> Am I right in understanding that no code changes are necessary then, merely configuring the environment appropriately? And that (waiting for the servers to wake up) this can be tested on 4.1.0-beta or any previous RC too?
>
> yes it should work with any RC and Beta (not tested) as well. We are indeed happy that Herbert found this workaround because everything else would have taken much longer. The good thing for me is that I learned something new ;-)
>
> Juergen

Yes, really good news! And thank you Herbert for this simple and creative solution! Although I am not familiar with the sql: prefix reference for environment variables (??)

Good going!

>> Regards,
>> Andrea.

--
MzK

Life is either a daring adventure, or nothing.
-- Helen Keller