I have been able to trace this back to LibO 3.6.
Placing a digital signature (using our self signed CA) does not work under Windows 10, using LibO 3.6 to 5.2.
It works fine under linux using firefox or thunderbird store, Windows XP, Windown 7.
Under Windows 10 you can open the Digital signature dialog, add and select the certificate you want. Also, LibO shows the certificate and the CA certificate are valid. When adding, nothing happens and the list of certificates remains empty.
@tml: maybe for when you are at this subject?
Digital signature in what? PDF, ODF, OOXML?
(In reply to Tor Lillqvist from comment #2)
> Digital signature in what? PDF, ODF, OOXML?
Set to NEEDINFO.
Ferry: Change back to UNCONFIRMED after you have provided the information.
Hmm. I would have thought this to be easy enough to verify.
But anyways: this is with placing a signature on a ODF.
Ok, I tried to figure out the cert & signature process under Win (10), but somehow failed at the final steps.
I used this handy trick to create a self-signed cert: http://windowsitpro.com/blog/creating-self-signed-certificates-powershell
I double-clicked the cert file and imported it to my Trusted Root certs.
For getting my cert into Firefox, I examined this page https://wiki.mozilla.org/CA:AddRootToFirefox and tried first the creation of the configuration parameter security.enterprise_roots.enabled in about:config. Then I tried CCK2.
I just could not get LibreOffice to see my cert.
Ferry: do you have a solution so I could test?
My collegae may just have solved this.
Not sure if I'm explaining this right, but I believe the problem is caused by our certificates were based on sha1. He created new sha256 certs (without changing the ca) and now it works on win10.
@Buovjaga Our certificates have the users private and public key as well as the ca public key. All you need to do is import into the firefox cert store and enable trust on the ca cert. I think the link you followed is too complex. We use the same certs to access our owncloud server, so I am attaching our instructions for that, hope that helps you.
Created attachment 131084 [details]
Instructions on installing self signed certificates
(In reply to Ferry Toth from comment #6)
> My collegae may just have solved this.
> Not sure if I'm explaining this right, but I believe the problem is caused
> by our certificates were based on sha1. He created new sha256 certs (without
> changing the ca) and now it works on win10.
So you can set this issue to WorksForMe then?
> @Buovjaga Our certificates have the users private and public key as well as
> the ca public key. All you need to do is import into the firefox cert store
> and enable trust on the ca cert.
From what I know, Windows has a procedure that does not involve Firefox or Thunderbird.
(In reply to Ferry Toth from comment #7)
> Created attachment 131084 [details]
> Instructions on installing self signed certificates
On page 2 is the main point. I used the "too complex" things, because the situation does not go so simply as described.
I have added my cert to "Your certificates", yet it does not appear in the "Organizations" list.
So could someone please tell me how to create such a cert that can be imported so simply to Firefox? This is important beyond this (now WFM) report: we need to create documentation for the bug testing team. I have avoided all reports related to digital signatures, because I had no idea how to test them. Now my expectations proved real: it is nightmarishly hard to set this up.
@Buovjaga Ok, so the difficulty is how to create a certificate. I'll check with my colleague, but your right, it is a pain.
@ Cor Nouws WFM, I don't know. sha1 based certs have worked for us for years, and still do on linux and windows7. The problem is with windows10 and that remains. We have worked around this by changing to sha256, and this might be inevitable. In that case it might need updated documentation.
(In reply to Ferry Toth from comment #10)
> @ Cor Nouws WFM, I don't know. sha1 based certs have worked for us for
> years, and still do on linux and windows7. The problem is with windows10 and
> that remains. We have worked around this by changing to sha256, and this
> might be inevitable. In that case it might need updated documentation.
Well, it seems to be intentional on Microsoft's part: https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/
@Buovjaga The link to the Windows blog shows that the behavior we see is not intentional as sha1 certs would be deprecated for Edge and Internet Explorer on Windows 10, 8 and 7. Also "only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program".
@ Cor Nouws Regarding importing certificates into Windows certificate store: you are right, on windows Libreoffice uses the certificates from the windows store. One way to get there is from the Control Panel, another from Internet Explorer settings, as shown in our document. Adding to Firefox store will work for Libreoffice under Linux (as well as for contacting our Owncloud server using Firefox, which is unrelated to this bug).
We have the sign libre office not working on windows 10.
We use libre office last version 64 bits on windows 10 last version.
We have a certificate working when we sign pdf.
When we select this certificate in libre office (writer or another program) : list of sign certificates is empty....
Bernard, as can be seen in comment #4, this bug is about signatures in ODF, not PDF. Just saying; not looking into this bug.
Just seen this https://vmiklos.hu/blog/xmlsec-lo54.html
which is possibly the solution..
Could you please try to reproduce it with the latest version of LibreOffice from https://www.libreoffice.org/download/libreoffice-fresh/ ?
I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' if the bug is still present in the latest version.
*** This bug has been marked as a duplicate of bug 94903 ***