22

I am a Linux desktop user.

Someone sends me a PDF file which is digitally signed. It is supposed to be signed using some kind of government / regulated body / official institution issued certificate.

Is there a way that I, as a typical end-user, could determine whether the signature is valid?

I know Windows Acrobat Reader works to some extent, though even there it's not really clear about the validity of a signature as opposed to the fact that it's there and seems to be from XYZ.

fixer1234
TorstenS
  • As with all digital signing certificates, if you don't trust the certificate that signed the document, the authenticity of the document cannot be confirmed. You can sign a document with any certificate you want as the author, it all depends on the fact if the person reading the document trusts the certificate you used. Only you can determine if that is the case, I would just use the same approach I use to verify the certificate path of a website certificate, to verify the signing path of a signing certificate. – Ramhound Jul 24 '18 at 20:40
  • @Ramhound: I think the question is more along the lines "which utility will show me the chain of trust relevant to some given PDF with embedded certificates?" Offhand, I can't think of a tool where I know that it can access signatures in PDF files. I'd be interested in an answer to this, too. – dirkt Jul 25 '18 at 06:14
  • I am aware of what the question is, avoiding that question, due to the help center. – Ramhound Jul 25 '18 at 12:16
  • Does this answer your question? [How would I validate digital signature for PDFs in linux?](https://superuser.com/questions/976489/how-would-i-validate-digital-signature-for-pdfs-in-linux) – eadmaster Jan 27 '21 at 13:51

4 Answers

21

I spent a few hours experimenting with that and found that:

  1. pdfsig command from poppler-utils package is able to validate PDF signature. Usage is simple:

    pdfsig signed.pdf
    

    But for me it works only for visible signatures (version 0.62.0 on Fedora 28). For invisible signatures it shows:

    File 'signed.pdf' does not contain any signatures

  2. Master PDF Editor is a GUI tool which shows and validates signatures as shown in the picture below, and it is enough to have the free version.

    [Image: Master PDF Editor - Signatures]

  3. LibreOffice Draw is able to show and validate signature using

    File -> Electronic signatures -> Electronic signatures

    But in my case it again shows only visible signatures.

zx485
cgrim
  • What does "visible signature" mean to you? – TorstenS Oct 02 '18 at 11:09
  • @TorstenS _visible signature_ is for me that PDF has some additional annotation like visible image or text signalizing that the PDF is signed, it is like watermark. – cgrim Oct 02 '18 at 11:32
  • My best guess would be that a visible signature is not at all related to a cryptographic signature. Some PDF signing tools which allow you to cryptographically sign a PDF will also add a visible signature to the document, but that is usually not what you are interested in. – TorstenS Oct 02 '18 at 12:17
  • @TorstenS Look in the document [Digital Signatures Appearances](https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdfs/PPKAppearances.pdf) page 9: _PDF signatures can be visible or invisible._ Probably that visual _Signature annotation_ (not the signature itself) must be present in a PDF document and can be visible or invisible. I tried a document where there is only the digital signature but without that visual _Signature annotation_, and then the tools which I listed in the answer cannot see it. – cgrim Oct 02 '18 at 12:31
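Added example (not part of the answer or comments above): a Python sketch that looks for signature dictionaries directly in the file's bytes via their `/ByteRange` entry, so a signature is reported whether or not it has a visible appearance, and that shows how many bytes lie outside the signed range. It does not verify the cryptographic signature or the certificate chain; `find_signatures`, `build_sample` and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9_.]+)")

def find_signatures(pdf: bytes) -> list[dict]:
    """Report every signature dictionary found by its /ByteRange entry."""
    found = []
    for m in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        gap = pdf[off1 + len1:off2]  # should be exactly the /Contents hex string
        # Heuristic: first /SubFilter within 512 bytes of the /ByteRange entry.
        sub = SUBFILTER.search(pdf, max(0, m.start() - 512), m.end() + 512)
        found.append({
            "subfilter": sub.group(1).decode() if sub else None,
            "starts_at_zero": off1 == 0,
            "gap_is_contents": gap.startswith(b"<") and gap.endswith(b">"),
            # Bytes after the signed range are not protected by this signature.
            "trailing_bytes": len(pdf) - (off2 + len2),
        })
    return found

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed, PDF-like test input (not a real signed document)."""
    def head(len1, off2, len2):
        return (f"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.detached "
                f"/ByteRange [0 {len1:010d} {off2:010d} {len2:010d}] /Contents ").encode()
    contents = b"<" + b"00" * 16 + b">"      # placeholder, not a real CMS blob
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(head(0, 0, 0))                # fixed-width fields keep this stable
    off2 = len1 + len(contents)
    return head(len1, off2, len(tail)) + contents + tail + extra

if __name__ == "__main__":
    for label, data in (("as signed", build_sample()),
                        ("with appended data", build_sample(b"\n% appended\n"))):
        print(label, find_signatures(data))
```

In a file with several signatures only the last one is expected to reach the end of the file; a non-zero `trailing_bytes` on the last signature means content was added after signing, which a full validator such as `pdfsig` or pyhanko has to evaluate.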
3

In KDE you can use Okular, which behaves similarly to Adobe Acrobat Reader on Windows.

Alternatively, in a terminal shell you can use Python's module pyhanko, whose command returns something if the document is signed, but this returned something is usually "failed" even though Adobe and Okular validate it positively.

loved.by.Jesus
bogec
  • When invoked with `--pretty-print`, pyhanko provides quite a bit of detail -- e.g., `pyhanko sign validate --pretty-print sample.pdf` – thomp45793 Jul 22 '23 at 20:11
1

Foxit PhantomPDF should be able to provide the functionality of verifying digital certificates - available on a purchase basis. Foxit Reader can only digitally sign the certificates. The `mutool sign signed.pdf` functionality is not available in Ubuntu builds. It may be present in Arch.

  • This is not Linux Software, according to their Datasheet_FoxitPhantomPDFBusiness.pdf – rwst Oct 06 '21 at 14:18
-1

I found something that works for now, but it’s a Flatpak container and containers are apparently not very safe. Therefore I will continue to use pyhanko.

Maybe it already works for you if you have a new enough Linux (version 21.01 of poppler). Otherwise, I followed the recommendation (https://cloudstore.zih.tu-dresden.de/index.php/s/j5BKKyJYZFBzGsB) that the most comfortable way is via Flatpak (https://flathub.org/apps/details/org.kde.okular). I also tried building a container a little bit - unsuccessfully.

It works for me if I install a newer Okular via Flatpak:

1.) Install flatpak (https://flatpak.org/setup/Debian)

    # apt install flatpak
    # flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

2.) Install Okular (https://flathub.org/apps/details/org.kde.okular)

    # flatpak install flathub org.kde.okular
    # flatpak run org.kde.okular

3.) Setting up the certificate database (with personal certificate) (https://docs.kde.org/stable5/en/okular/okular/signatures.html#adding_digital_signatures, https://docs.kde.org/stable5/en/okular/okular/configure-backends.html, https://docs.kde.org/stable5/en/okular/okular/config-pdf.html#config-pdf-digital-signatures):

(( This step in case signing still doesn’t work. ))

In Okular: Settings -> Configure Backends -> radio tick “Custom:” and select the location where the Firefox data database with digital certificate is located (in my case it works /home/username/.mozilla/firefox/gwn47hz7.default-esr).

4.) Signature

Tools -> Digitally sign… -> (asks me for Firefox’s ‘master password’ in other words) -> draw a square for signature -> select digital certificate -> name of signed file.

bogec
  • You should spend more than a few minutes fixing the formatting of this answer by editing it. You should create clickable links, proper formatting (unnecessary headers make your answer difficult to read), and make sure you quote and cite all sources. You don't need to reply to this feedback with a comment, you can either take it into consideration, or simply ignore it. – Ramhound May 30 '23 at 16:18