Can it be possible to trust a certificate like in acrobat? #161
Hello, I have fixed it. Now you can just open the context menu and add the certificate as valid.
Strange, it worked for me. Could you please provide a sample document where it does not work?
Unfortunately, I can't provide it. It is a government-issued document. I don't know where to get a similar dummy document. My search about that document shows that its certificate is an X.509 certificate; they generate it with iTextPDF.
@JakubMelka Would you please explain how to do this? I couldn't find the context menu, as no menu opens on right click.
@itsKV, please try this:
Could you please try the newest install from the daily build? Could you please attach the problematic PDF, if it is possible?
OK @itsKV, if you can post the certificates, please post them.
The complete chain of trust is as follows. Read from bottom to top, where the root CA is last, and so on.
Hey folks, what is the status of the issue? This app is the only fully featured alternative to Adobe. If this is done, it would be great.
@lucifer-woo, sorry, I will try to take time to solve it. I will reopen the issue.
Cool to know. Looking forward to the fix.
8 Sept 2024, by ***@***.***:
> @lucifer-woo, sorry, I will try to take time to solve it. I will reopen the issue.
Hello, I am not an expert in internet security and I was unable to create a PDF with the given certificate chain. But I think a workaround exists. @lucifer-woo, @itsKV, could you please try to install the root certificate into the system's certificate store? When PDF4QT validates the PDF's signatures, it also looks in the system's certificate store to retrieve the root certificates for the validation.
I understand your frustration. But how do I install the root CA into the system CA? I am a novice to this stuff; I am not that proficient in this. Foxit PDF Reader for Linux also provides this feature. Maybe check it out as a reference? As of now, I added the certificate by right-clicking and "Add to Trusted certificates". I could also see it in Tools > Options > Signatures. But I cannot see it in Tools > Certificates. Is that a problem? So far, this is how it is done: https://www.youtube.com/watch?v=aVNfUNlccZs. It's an old video. Trusting isn't even needed as of now, because Adobe just validates and renders it using OCSP servers. No need to trust certificates. Maybe you need to rethink the logic behind it. Some docs regarding this:
I think it could be implemented using this Python library: https://pyhanko.readthedocs.io/en/latest/cli-guide/validation.html. I just pulled the web regarding this info. I don't know much other than these.
The issue is not about root cert availability in the cert store. The issue is a UI bug which doesn't give the option to validate the document's signature. See the OP. BTW, the root and intermediate certs are already installed into the Windows store.
See the article here... https://www.itechtics.com/update-root-certificates/
It isn't the same way for Linux; I am not sure if those root and intermediate CAs are installed. Can you tell the name?
For Windows, the problem is validation. For Linux, to trust and also validate.
16 Sept 2024, 13:05 by ***@***.***:
> > I understand your frustration. But how do I install the root CA into the system CA? I am a novice to this stuff. I am not that proficient in this.
> See the article here... https://www.itechtics.com/update-root-certificates/
Adding the signature into the PDF reader's trusted database is different from adding the certificate into the operating system's root store.
Hello, I have tried to fix it. Could you please try this build? https://github.com/JakubMelka/PDF4QT/actions/runs/11306021848 Thank you.
I tried it in both. But still it is: it does not verify or render the signature. I would suggest OCSP-based revocation checking and rendering it, instead of blindly trusting it like Adobe trusts. I cannot see anything under Tools > Certificates. Just blank.
@lucifer-woo OCSP-based revocation checking is not always possible, as some CAs might not have an OCSP responder endpoint. Additionally, LTV (long-term validation) signatures tend to contain everything (cert chain, CRL responses, OCSP responses, timestamp) needed to validate the signature, and thus do not need internet to validate the signature. So a standalone implementation is required anyway. Regarding the bug, I tried adding the Root CA from a signature to the Trusted list. It worked as intended. Root certificate added and signature validated fine. @JakubMelka Adobe manages/updates its AATL roots via this URL - http://trustlist.adobe.com/tl12.acrobatsecuritysettings
Alright.
@dipak-progrc Do you mean right-clicking and "add to ..", or extracting the cert, adding it to the system's root store and verifying it? Because I cannot verify and validate the signature at all from the new builds.
@lucifer-woo I added the certificate by right-clicking on the root certificate of the chain shown in Signature, then clicked the only option shown in the context menu - "Add to trusted certificates". The options for Digital Signature Verification are set as - I used PDF4QT-1.4.0.0-x86_64.AppImage on Ubuntu 24 Desktop.
I have the same settings as you. But I can't verify and render the digital signature to a green check mark as the OP denotes. Using Fedora 40, installed the
I have added the AATL certificates, please have a look at it. @IDontKnow2Code, @lucifer-woo, @dipak-progrc, please test the installations here:
@JakubMelka I tested the Linux version. But it fails with the error "Certificate validation failed with code 26" for the Adobe Trust List PDF file, which is digitally signed by Adobe. The sample file can be downloaded from the AATL Trust List link I provided earlier.
I tried this build; it states "Trusted Certificate not found".
@IDontKnow2Code I think in your case the signature field in the PDF file might not have the complete certificate chain. Can you confirm this with some other tools like Adobe Acrobat, or PKI Tools - PDF Validator? Edit: I confirmed by downloading my Aadhaar PDF; the file has an incomplete chain. @IDontKnow2Code you can try with some digitally signed eGazette PDF.
I opened Aadhaar in Acrobat Reader on Win 11; it works fine.
@IDontKnow2Code This may be because you already have the DS UIDAI certificate trusted manually. Check the root trust store of your OS.
I don't understand what you mean; can you elaborate?
@IDontKnow2Code Similar to PDF4QT, in Adobe Acrobat Reader we can add a certificate to the Trusted List. So I am speculating that at some point in the past, the system you are working on has had the DS UIDAI certificate manually added to the root trust. That's why the Aadhaar PDFs, even with a single certificate in the chain, are validating fine. A point here can be made - if the certificate is already added to the root trust, why can't PDF4QT obey that and validate the signature! @JakubMelka To see if the DS UIDAI certificate is added manually, you may check your root trust certificate store. The way to access the store varies from OS to OS. In the case of Adobe Acrobat Reader, you may go to Preferences > Signatures (sidebar of dialog) > Identities & Trusted Certificates > More > Trusted Certificates (sidebar of dialog). The DS UIDAI certificate is not supposed to be in that list, as it is not a root CA. Digital signature certificates issued in India all have to terminate in a single root, that is CCA India.
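The chain-building behaviour the comments above keep circling (a signature whose embedded chain lacks its intermediate, a root that is or is not present in the trusted list, and trusting a non-root certificate such as the DS UIDAI signer directly, the way Acrobat's trusted list allows), as an added example that is not PDF4QT's code and not from any commenter: a POSIX shell script that builds a throwaway root/intermediate/leaf chain with the openssl CLI and runs `openssl verify` in each configuration. Every name and path in it is constructed; it assumes openssl 1.1.1 or newer on PATH and that `openssl verify` with a hand-picked trust anchor is a fair stand-in for what a viewer does with its trusted list.

```shell
#!/bin/sh
# Added example (not PDF4QT's code and not from any commenter in this thread):
# build a constructed root -> intermediate -> leaf certificate chain with the
# openssl CLI, then run `openssl verify` in the situations the thread describes.
# Assumes openssl 1.1.1 or newer on PATH; every name and path is constructed.

# make_demo_pki DIR: writes root.pem, inter.pem, leaf.pem (plus keys) into DIR.
# The leaf stands in for a document-signing certificate, the intermediate for
# the CA that issues it, the root for the trust anchor.
make_demo_pki() {
    dir="$1"
    # Minimal req config so the script does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\n' > "$dir/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -config "$dir/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
            -nodes -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=Demo $name" >/dev/null 2>&1 || return 1
    done
    # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -set_serial 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -days 30 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -days 30 -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# verify_leaf LEAF TRUSTED [UNTRUSTED] [MODE]
#   TRUSTED   - PEM file acting as the trust anchor (a viewer's trusted list)
#   UNTRUSTED - PEM file with the extra chain certificates a signature embeds, or ""
#   MODE      - "full" (default): the chain must end in a self-signed root;
#               "partial": accept a non-root anchor (openssl's -partial_chain)
# Prints a one-line verdict; returns 0 when openssl reports OK, 1 otherwise.
verify_leaf() {
    leaf="$1"; trusted="$2"; untrusted="${3:-}"; mode="${4:-full}"
    # -no-CAfile/-no-CApath keep the system store out of the picture, so only
    # the anchor we pass counts (as a viewer consulting just its own list would).
    set -- -no-CAfile -no-CApath -CAfile "$trusted"
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    if [ "$mode" = "partial" ]; then set -- "$@" -partial_chain; fi
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo "OK    $leaf [$*]"
        return 0
    fi
    echo "FAIL  $leaf [$*] -> $(printf '%s\n' "$out" | grep '^error' | head -n 1)"
    return 1
}

main() {
    work=$(mktemp -d) || exit 1
    make_demo_pki "$work" || { echo "could not build the demo PKI"; rm -rf "$work"; exit 1; }
    echo "1. root trusted, intermediate embedded with the signature (complete chain):"
    verify_leaf "$work/leaf.pem" "$work/root.pem" "$work/inter.pem" || true
    echo "2. root trusted, intermediate not embedded (incomplete chain, as reported for the Aadhaar file):"
    verify_leaf "$work/leaf.pem" "$work/root.pem" || true
    echo "3. only the issuing CA trusted, but a self-signed root still required:"
    verify_leaf "$work/leaf.pem" "$work/inter.pem" || true
    echo "4. only the issuing CA trusted and accepted as the anchor (direct trust, Acrobat-style):"
    verify_leaf "$work/leaf.pem" "$work/inter.pem" "" partial || true
    rm -rf "$work"
}
main
```

Case 4 is the one that corresponds to "trust this certificate like in Acrobat": `-partial_chain` lets a non-root certificate in the trusted list terminate the path, so no root is consulted at all, which is why a validator that offers that option should show which anchor it actually used. None of the four cases performs a revocation check; `openssl verify` would need `-crl_check` with a CRL, or a separate OCSP query, for that, and carrying exactly that material inside the document is what the LTV signatures mentioned earlier in the thread are for. If the "code 26" reported above is an OpenSSL X509 verify result code (an assumption on my part; the thread does not say which library produced it), that number is X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose"), which `openssl verify -purpose ...` reproduces when a certificate's extensions do not permit the requested use.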
Yes, I can see there is. I can confirm that both the Linux and Windows versions of PDF4QT show this same error:
The same thing for me, like @IDontKnow2Code, both on Linux and Windows. It just works flawlessly in Adobe. I think the problem is rendering the green check, as we have trusted the certificate already, as @dipak-progrc said. You need to render it as in the OG picture; that seems to be the problem.
I need a sample document to do that.
Nobody here would do it. It's a critical document. As per a Reddit post, I found this - https://www.mupdf.com/. Need to figure out how to use it to validate. I have of I am trying this way - https://mupdf.readthedocs.io/en/latest/mutool-run-js-api.html#validateSignature Foxit PDF Reader on Linux could do this as of now. But I do not trust it at all.
I used Digital Signature Info of: file0.pdf
Digital Signature Info of: file1.pdf
Seems like the signature itself is a different type. I don't know things very much. Just a guess.
Adobe Reader checks and validates it based on the PKCS7 signature via OCSP to a domain named
These are the final things/help I could provide from my side. I hope it's informative.
@lucifer-woo, I think in the link under this video: https://www.youtube.com/watch?v=aVNfUNlccZs there is a sample document, but for some reason I am not able to download it. Could you please attach it?
It is a link to download the actual document of a person, not a sample document.
@lucifer-woo, is there some sample document signed with this certificate (for example, some public document) where the problem is observable?
This is a Supreme Court of India document on a controversial case. I had it for a case study. It has a digital signature similar to the ones in Aadhaar. I hope you can make use of it.
Hello @lucifer-woo, the certificate in the document has expired. However, if you set it up this way, you can verify it: However, I do not change the graphics of the form field.
Well, a lot of other publicly available case documents on SCI's website could be used for testing in this case. We insist on a graphical change of it since, in case we print a document with a digital signature but it doesn't have a QR code, it might be a hurdle for us in real life while submitting documents. If a QR code is not present, only a digital signature, officials could not verify documents and they are returned for correction. The problem for all commenters on the issue here is not only adding it to the trusted certificate store (which it gets successfully added to), but rather changing it in the graphical form, as Adobe does too, to the green checkmark. Use this in case you need a new document:
If I am right, the form field is separate and just a layer over the actual document rather than a part of the PDF. So it could be possible to change it graphically, mostly. Yes, the signature is valid and AATL seems to be working correctly as intended, since I don't see "Trust certificate not found", and the elephant in the room is the graphic change. Question: Is AATL static, or dynamically updated by fetching from the URL provided by Dipak? If not updated, I would suggest GitHub Actions to update the AATL to a GitHub file in the repository and make the app fetch it at certain intervals of time, or on demand when a trusted certificate is not found for a signature.
In terms of the PDF specification, @JakubMelka's implementation conforms to the requirements. In-document visualizations of signature validity were deprecated years ago. Adobe and other popular viewers provide the feature for backward compatibility. The reason, I believe, for the deprecation of in-document visualization is to thwart attempts to edit a PDF into a "valid signed PDF" by just placing a green checkbox. The PDF specs wanted to move the visible signs of PDF validation out of the page to the application UI. The application UI cannot be controlled by the PDF file contents; thus it is way more reliable when it comes to checking validation status. Further reading - Stack Overflow answer on PDF Sign Appearance by mkl. But I do understand the practical need for the visible change of the signature appearance when the signature gets validated successfully. Many institutions have formed their rules around this feature. I have even seen institutions suggesting users add the signer's certificate to the Trusted List in order to get the green-tick validation on their documents. Not having this feature might be a big blocker for that section of users. I'd vouch for this feature as well.
Additionally, I'd recommend a dynamic approach in terms of processing the AATL list. The list does get updated from time to time (last update Aug 30, 2024). I am not that experienced with C++ and Qt, but from the code I think the current implementation ships the XML from the AATL URL PDF with the PDF4QT binary and uses it as the trust store. This eliminates the scope for updates on the user side if the user keeps using an older version of PDF4QT. I think a better implementation would be to do a HEAD request to the AATL URL, check for the Last-Modified header, compare it with the current AATL's last modified date; if newer, download the file, extract the XML, update the AATL. Nevertheless, huge respect to @JakubMelka for implementing 3 major features while addressing this issue.
Well, Foxit PDF also provides the same features as Adobe for backwards compatibility too.
@lucifer-woo, I will consider implementing a way to adjust the appearance of the form field with a signature. What should it look like? Maybe a green check and display the text "PDF4QT successfully validated the signature"? Or a red mark in case of error? @dipak-progrc, I thought about it, but I do not want to access the internet - I would like PDF4QT to work completely without an internet connection.
Well, it would be better if it follows Adobe, with a message like you said. It is the most used one. Sorry for the delay. I didn't receive the notification.
Maybe create a GitHub Action that builds the app with the latest file on a weekly or monthly basis?
Yes, I am planning to do that - but after I resolve the Linux Flatpak problem.
Here is the reference for what I am asking: