Electronic signature support #10630

Open
vmiklos opened this issue Nov 29, 2024 · 29 comments
Labels
24.04 enhancement New feature or request

vmiklos commented Nov 29, 2024

Is your feature request related to a problem?

This is a follow-up to #9992, that one focused on digital signing with PEM files (similar to libreoffice signing on the desktop), this focuses on electronic signing using eIDEasy.

Describe the solution you'd like

Something that doesn't send the entire PDF file to an external server (only the hash of the document) and produces a qualified electronic signature, so it can be considered as a digital equivalent to handwritten signatures.

Describe alternatives you've considered

Just expose digital signing from libreoffice desktop, and declare that obtaining trusted certificates is somebody else's problem.

Additional context

The above GH issue already has a single working scenario for electronic signing, this one tracks the various still to be fixed details after something works end-to-end.

vmiklos commented Dec 2, 2024

#10637 adds UI to select which eideasy provider to use, though anything redirect-based (e.g. D-Trust sign-me) is supposed to be not working, I'm working on a test env there to reproduce this.

Sample test.pdf.user-private-info.json, to be used with the smart-id-signature test provider:

{
    "ESignatureBaseUrl": "https://test.eideasy.com",
    "ESignatureSecret": "56RkLgZREDi1H0HZAvzOSAVlxu1Flx41",
    "ESignatureClientId": "2IaeiZXbcKzlP1KvjZH9ghty2IJKM8Lg",
    "SignatureCa": "<PEM-encoded CA certificate>"
}

The personal identity code is the public 30303039914 test number. It should result in a signature by "TESTNUMBER,OK" (a fake first+last name).

vmiklos commented Dec 3, 2024

#10647 improves error handling when the client-id is bad; found while starting on the redirect method.

vmiklos commented Dec 4, 2024

#10654 adds a new /cool/signature endpoint, to be used with the redirect method.

vmiklos commented Dec 5, 2024

#10661 finishes support for redirect-based providers.

vmiklos commented Dec 6, 2024

#10672 starts moving eideasy calls that require a secret to the servers.

vmiklos commented Dec 9, 2024

#10688 finishes moving eideasy calls that require a secret to the server.

vmiklos added a commit to nextcloud/richdocuments that referenced this issue Dec 10, 2024
Electronic signing needs to store settings as richdocuments settings.
This involves the API URL, a client ID visible to the browser and a
secret, which is only used during server-side requests.

The WOPI CheckFileInfo reply sends this information to the COOL server,
similar to how it's done for digital signing (via PEM files).

Add the settings as admin settings, otherwise normal users would be able
to use eIDEasy services outside richdocuments.

<CollaboraOnline/online#10630 (comment)>
has instructions on what test data to use to try out the service in a
test environment. Additionally, if the test CA is configured to be
trusted as a user setting, then the green stamp icon will show up in the
status bar.

Signed-off-by: Miklos Vajna <[email protected]>

vmiklos commented Dec 10, 2024

nextcloud/richdocuments#4328 adds Nextcloud UI for the new eideasy settings.

vmiklos commented Dec 11, 2024

#10706 fixes the l10n of the popup window, which was English-only previously.

vmiklos commented Dec 12, 2024

#10719 starts adding a country selector to the esign dialog.

vmiklos added a commit to nextcloud/richdocuments that referenced this issue Dec 12, 2024

vmiklos commented Dec 16, 2024

#10734 changes the WOPI key names for esign settings, based on feedback from Nextcloud.

vmiklos added a commit to nextcloud/richdocuments that referenced this issue Dec 16, 2024

vmiklos commented Dec 17, 2024

#10743 adds filtering for the providers, so the ones relevant for a country will be shown, the others will be hidden.

vmiklos commented Dec 18, 2024

#10755 sorts the esign dialog dropdowns; which is now possible after tracking the input IDs/codes for these widgets.

vmiklos commented Dec 19, 2024

https://gerrit.libreoffice.org/c/core/+/178784 starts on visual signing: first just make sure a single signature gets inserted on the Draw / PDF .uno:InsertSignatureLine case. COOL side patch to trigger the UNO command:
patch.txt

vmiklos commented Jan 3, 2025

https://gerrit.libreoffice.org/c/core/+/179701 continues on visual signing (digital signature as a start): now the visual signature shape is inserted, but the actual crypto signature is not yet attempted.

To test it, sample test.pdf.wopi.json:

{
    "UserPrivateInfo": {
        "SignatureCert": "<PEM-encoded signing certificate>",
        "SignatureKey": "<PEM-encoded private key>",
        "SignatureCa": "<PEM-encoded CA certificate chain>"
    }
}

COOL side WIP patch: patch.txt

vmiklos commented Jan 6, 2025

https://gerrit.libreoffice.org/c/core/+/179821 finishes the core side of visual signing.

vmiklos commented Jan 7, 2025

#10862 adds initial support for visual signing on the COOL side (digital signing only, no move/resize yet).

vmiklos commented Jan 8, 2025

https://gerrit.libreoffice.org/c/core/+/179938 allows setting the position of the visual signature while digital-signing. COOL side WIP patch for manual testing:

diff --git a/browser/src/control/Permission.js b/browser/src/control/Permission.js
index 7e18cda38b..2495101190 100644
--- a/browser/src/control/Permission.js
+++ b/browser/src/control/Permission.js
@@ -243,6 +243,7 @@ L.Map.include({
 
 	// Is user currently in editing mode
 	isEditMode: function() {
-		return this._permission === 'edit';
+		//return this._permission === 'edit';
+		return true;
 	}
 });
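
Review bot: in isEditMode(), the unconditional `return true;` makes every session report edit mode regardless of `this._permission`, so a document opened read-only would pass any check that relies on this function. Keep this strictly as the local manual-testing aid it is described as and do not land it in this form. If signing has to work on documents that are not in edit mode, add a narrower predicate for that case instead of changing isEditMode(), and drop the commented-out `//return this._permission === 'edit';` line rather than leaving it behind.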

vmiklos commented Jan 9, 2025

https://gerrit.libreoffice.org/c/core/+/179994 allows setting the size of the signature line, completing the core side of the "visual signature + digital signatures + LOK" part.

vmiklos commented Jan 10, 2025

#10891 handles the COOL side of visual signing for digital signing. Next will be the same for electronic signing.

vmiklos commented Jan 13, 2025

https://gerrit.libreoffice.org/c/core/+/180167 starts fixing visual signing for esign, first to allow inserting the visual signature on the core side.

vmiklos commented Jan 14, 2025

#10927 is the COOL side to use the "external" mode of inserting signature lines.

vmiklos commented Jan 15, 2025

https://gerrit.libreoffice.org/c/core/+/180264 fixes the graphic selection in the esign + visual sign case.

vmiklos commented Jan 16, 2025

https://gerrit.libreoffice.org/c/core/+/180332 is a cleanup: have less code in the model (instead of the view) to track visual signatures of a user.

vmiklos commented Jan 17, 2025

#10955 simplifies the UI: now there is a single "insert" menu item and the signing is then finished with a snackbar.

vmiklos commented Jan 20, 2025

https://gerrit.libreoffice.org/c/core/+/180496 fixes the problem that the signature line shape was still possible to modify after esign finished.

vmiklos commented Jan 21, 2025

#10973 adds 4 fixes on the COOL JS side for this, and with this the feature seems to be in a reasonable state.

Edit:

To repeat the latest info here: to test this on your own NC instance, you need to:

  1. Install a richdocuments against NC 31 beta
  2. Configure the test eID Easy endpoint, as documented in https://github.com/nextcloud/richdocuments/blob/main/docs/app_settings.md#electronic-signature
  3. Set the eID Easy client id and secret tokens, you can use the test data from https://docs.eideasy.com/guide/test-environment.html#sandbox-test-environments-credentials, i.e. secret can be 56RkLgZREDi1H0HZAvzOSAVlxu1Flx41 and client ID can be 2IaeiZXbcKzlP1KvjZH9ghty2IJKM8Lg -- you can set these at NC's /settings/admin/richdocuments page
  4. When selecting a country and provider, easiest is to select Estonia and the smart-id provider, that will accept a test personal number 30303039914 when you are asked about one in the popup.
  5. If you want to get a green sign after signing, you need to test the test CA of the provider. CA to be trusted for the test smart-id instance is estonia.txt, you can set this as trusted for your user at /settings/user/richdocuments in the CA chain textarea.

(You can also use Germany and d-trust as a provider, which results in a signature actually authored by your name, the CA chain to trust for that is germany.txt.)

vmiklos commented Jan 22, 2025

https://gerrit.libreoffice.org/c/core/+/180569 tries to simplify the signature line interaction, so you typically just need to move the widget to the right place and not resize it.

Also, repeating here on what test.pdf.wopi.json to place next to a test.pdf file to test esign in a 'make run' session (Estonia / smart-id case will pass test cert validation with this):

{
    "ServerPrivateInfo": {
        "ESignatureBaseUrl": "https://test.eideasy.com",
        "ESignatureClientId": "2IaeiZXbcKzlP1KvjZH9ghty2IJKM8Lg",
        "ESignatureSecret": "56RkLgZREDi1H0HZAvzOSAVlxu1Flx41"
    },
    "UserPrivateInfo": {
        "SignatureCa": "<PEM-encoded CA certificate>"
    }
}
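
A check for the settings layout in the sample above, as an added example that is not part of the original comment or of Collabora Online: it audits a parsed test.pdf.wopi.json object and flags an ESignatureSecret outside ServerPrivateInfo, a partial set of eIDEasy settings, a non-HTTPS base URL and use of the test.eideasy.com sandbox host. The function names, finding ids and sample values are hypothetical, and it assumes ServerPrivateInfo is the only part that stays on the server.

```javascript
// Added example: not code from Collabora Online or richdocuments.
// Key names (ServerPrivateInfo, UserPrivateInfo, ESignature*) are taken from
// the samples in this issue; function names and finding ids are hypothetical.

const ESIGN_KEYS = ['ESignatureBaseUrl', 'ESignatureClientId', 'ESignatureSecret'];
const SANDBOX_HOST = 'test.eideasy.com'; // test endpoint named in the issue

// Return the dotted path of every occurrence of `key` in a nested object.
function findKeyPaths(node, key, path = []) {
  if (node === null || typeof node !== 'object') return [];
  let hits = [];
  for (const [k, v] of Object.entries(node)) {
    const here = path.concat(k);
    if (k === key) hits.push(here.join('.'));
    hits = hits.concat(findKeyPaths(v, key, here));
  }
  return hits;
}

function auditEsignSettings(info) {
  const findings = [];
  const server = (info && info.ServerPrivateInfo) || {};

  // Assumption: ServerPrivateInfo is the only part that stays server-side,
  // so the secret must not appear anywhere else in the document.
  for (const p of findKeyPaths(info, 'ESignatureSecret')) {
    if (p !== 'ServerPrivateInfo.ESignatureSecret') {
      findings.push({ id: 'secret-outside-server-info', detail: p });
    }
  }

  // Some, but not all, of the three settings present: likely a config mistake.
  const isSet = (k) => typeof server[k] === 'string' && server[k] !== '';
  const missing = ESIGN_KEYS.filter((k) => !isSet(k));
  if (missing.length > 0 && missing.length < ESIGN_KEYS.length) {
    findings.push({ id: 'incomplete-esign-settings', detail: missing.join(',') });
  }

  if (isSet('ESignatureBaseUrl')) {
    let url = null;
    try {
      url = new URL(server.ESignatureBaseUrl);
    } catch (e) {
      findings.push({ id: 'invalid-base-url', detail: server.ESignatureBaseUrl });
    }
    if (url && url.protocol !== 'https:') {
      findings.push({ id: 'insecure-base-url', detail: url.protocol });
    }
    if (url && url.hostname === SANDBOX_HOST) {
      findings.push({ id: 'sandbox-endpoint', detail: url.hostname });
    }
  }
  return findings;
}

// Constructed samples (placeholder values, not real credentials).
const SAMPLE_OK = {
  ServerPrivateInfo: {
    ESignatureBaseUrl: 'https://test.eideasy.com',
    ESignatureClientId: 'constructed-client-id',
    ESignatureSecret: 'constructed-secret',
  },
  UserPrivateInfo: { SignatureCa: '<PEM-encoded CA certificate>' },
};
const SAMPLE_BAD = {
  ServerPrivateInfo: {
    ESignatureBaseUrl: 'http://esign.example.invalid',
    ESignatureClientId: 'constructed-client-id',
  },
  UserPrivateInfo: { ESignatureSecret: 'constructed-secret' },
};

console.log(auditEsignSettings(SAMPLE_OK).map((f) => f.id));
console.log(auditEsignSettings(SAMPLE_BAD).map((f) => f.id));
```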

vmiklos commented Jan 23, 2025

#10992 fixes the graphic selection handles on non-first PDF pages.

vmiklos commented Jan 27, 2025

#11019 provides 4 more fixes for the non-first PDF page signing case.
