Bug 102276 - Digital signature does not work with Windows 10
Status: RESOLVED DUPLICATE of bug 94903
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 3.6 all versions
Hardware: x86-64 (AMD64) Windows (All)
Importance: medium normal
Assignee: Not Assigned
Blocks: Digital-Signatures
Reported: 2016-09-19 11:41 UTC by Ferry Toth
Modified: 2017-07-18 16:09 UTC (History)

Attachments
Instructions on installing self signed certificates (748.07 KB, application/pdf)
2017-02-10 18:41 UTC, Ferry Toth

Description Ferry Toth 2016-09-19 11:41:01 UTC
I have been able to trace this back to LibO 3.6.

Placing a digital signature (using our self signed CA) does not work under Windows 10, using LibO 3.6 to 5.2.

It works fine under Linux using the Firefox or Thunderbird store, Windows XP, Windows 7.

Under Windows 10 you can open the Digital signature dialog, add and select the certificate you want. Also, LibO shows the certificate and the CA certificate are valid. When adding, nothing happens and the list of certificates remains empty.
Comment 1 Cor Nouws 2016-09-20 08:26:45 UTC
@tml: maybe for when you are at this subject?
Comment 2 Tor Lillqvist 2016-09-20 08:50:42 UTC
Digital signature in what? PDF, ODF, OOXML?
Comment 3 Buovjaga 2016-10-09 10:57:57 UTC
(In reply to Tor Lillqvist from comment #2)
> Digital signature in what? PDF, ODF, OOXML?

Set to NEEDINFO.
Ferry: Change back to UNCONFIRMED after you have provided the information.
Comment 4 Ferry Toth 2016-10-12 19:06:44 UTC
Hmm. I would have thought this to be easy enough to verify.

But anyways: this is with placing a signature on a ODF.
Comment 5 Buovjaga 2017-02-10 15:13:48 UTC
Ok, I tried to figure out the cert & signature process under Win (10), but somehow failed at the final steps.

I used this handy trick to create a self-signed cert: http://windowsitpro.com/blog/creating-self-signed-certificates-powershell

I double-clicked the cert file and imported it to my Trusted Root certs.

For getting my cert into Firefox, I examined this page https://wiki.mozilla.org/CA:AddRootToFirefox and tried first the creation of the configuration parameter security.enterprise_roots.enabled in about:config. Then I tried CCK2.

I just could not get LibreOffice to see my cert.

Ferry: do you have a solution so I could test?
Comment 6 Ferry Toth 2017-02-10 18:40:09 UTC
My colleague may just have solved this.

Not sure if I'm explaining this right, but I believe the problem is caused by our certificates being based on sha1. He created new sha256 certs (without changing the ca) and now it works on win10.

@Buovjaga Our certificates have the user's private and public key as well as the ca public key. All you need to do is import into the firefox cert store and enable trust on the ca cert. I think the link you followed is too complex. We use the same certs to access our owncloud server, so I am attaching our instructions for that, hope that helps you.
Comment 7 Ferry Toth 2017-02-10 18:41:41 UTC
Created attachment 131084 [details]
Instructions on installing self signed certificates
Comment 8 Cor Nouws 2017-02-10 19:16:52 UTC
(In reply to Ferry Toth from comment #6)
> My colleague may just have solved this.
>
> Not sure if I'm explaining this right, but I believe the problem is caused
> by our certificates being based on sha1. He created new sha256 certs (without
> changing the ca) and now it works on win10.

So you can set this issue to WorksForMe then?

> @Buovjaga Our certificates have the user's private and public key as well as
> the ca public key. All you need to do is import into the firefox cert store
> and enable trust on the ca cert.

From what I know, Windows has a procedure that does not involve Firefox or Thunderbird.
Comment 9 Buovjaga 2017-02-10 19:43:53 UTC
(In reply to Ferry Toth from comment #7)
> Created attachment 131084 [details]
> Instructions on installing self signed certificates

On page 2 is the main point. I used the "too complex" things, because the situation does not go so simply as described.

I have added my cert to "Your certificates", yet it does not appear in the "Organizations" list.

So could someone please tell me how to create such a cert that can be imported so simply to Firefox? This is important beyond this (now WFM) report: we need to create documentation for the bug testing team. I have avoided all reports related to digital signatures, because I had no idea how to test them. Now my expectations proved real: it is nightmarishly hard to set this up.
Comment 10 Ferry Toth 2017-02-11 13:20:49 UTC
@Buovjaga Ok, so the difficulty is how to create a certificate. I'll check with my colleague, but you're right, it is a pain.

@ Cor Nouws WFM, I don't know. sha1 based certs have worked for us for years, and still do on linux and windows7. The problem is with windows10 and that remains. We have worked around this by changing to sha256, and this might be inevitable. In that case it might need updated documentation.
Comment 11 Buovjaga 2017-02-11 14:10:35 UTC
(In reply to Ferry Toth from comment #10)
> @ Cor Nouws WFM, I don't know. sha1 based certs have worked for us for
> years, and still do on linux and windows7. The problem is with windows10 and
> that remains. We have worked around this by changing to sha256, and this
> might be inevitable. In that case it might need updated documentation.

Well, it seems to be intentional on Microsoft's part: https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/
Comment 12 Ferry Toth 2017-02-14 09:08:48 UTC
@Buovjaga The link to the Windows blog shows that the behavior we see is not intentional as sha1 certs would be deprecated for Edge and Internet Explorer on Windows 10, 8 and 7. Also "only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program".
Comment 13 Ferry Toth 2017-02-14 09:15:02 UTC
@ Cor Nouws Regarding importing certificates into Windows certificate store: you are right, on Windows LibreOffice uses the certificates from the Windows store. One way to get there is from the Control Panel, another from Internet Explorer settings, as shown in our document. Adding to the Firefox store will work for LibreOffice under Linux (as well as for contacting our Owncloud server using Firefox, which is unrelated to this bug).
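
Comment 6 attributes the failure to SHA-1 based user certificates, and comment 13 notes that LibreOffice on Windows reads the Windows certificate store. As an added example (not part of this thread and not LibreOffice code), the PowerShell below lists every certificate with a private key in the current user's store together with the signature algorithm of each chain element, so SHA-1 signed certificates can be identified before testing signing. The column names and the choice of the `CurrentUser\My` store are assumptions of the example.

```powershell
# Added example: audit signing-capable certificates in the Windows store
# and flag chain elements whose signature uses SHA-1.

# Well-known signature algorithm OIDs that use SHA-1.
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha-1WithRSAEncryption (older OIW identifier)
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-sha1
)

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # A certificate without its private key cannot be used to sign.
    if (-not $cert.HasPrivateKey) { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Self-signed CAs often publish no CRL; skip revocation so the chain can build.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Leaf         = $cert.Subject
            Depth        = $depth                      # 0 = user certificate
            Subject      = $c.Subject
            SignatureAlg = $c.SignatureAlgorithm.FriendlyName
            IsSha1       = $sha1Oids -contains $c.SignatureAlgorithm.Value
            SelfSigned   = ($c.Subject -eq $c.Issuer)
            ChainTrusted = $trusted                    # result for the whole chain
            NotAfter     = $c.NotAfter
        }
        $depth++
    }
}

# Depth 0 rows are the user certificates; in comment 6 these were reissued
# with SHA-256 while the CA stayed unchanged.
$report | Sort-Object Leaf, Depth | Format-Table -AutoSize
```

A row with `Depth` 0 and `IsSha1` true matches the situation reported in comment 6; `ChainTrusted` false indicates the CA certificate has not been imported as trusted.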
Comment 14 Bernard Laurent 2017-04-10 16:31:15 UTC
Hello. 

Signing in LibreOffice is not working for us on Windows 10.
We use the latest 64-bit version of LibreOffice on the latest version of Windows 10.
We have a certificate that works when we sign PDFs.
When we select this certificate in LibreOffice (Writer or another program), the list of signing certificates is empty.
Comment 15 Tor Lillqvist 2017-04-10 16:34:34 UTC
Bernard, as can be seen in comment #4, this bug is about signatures in ODF, not PDF. Just saying; not looking into this bug.
Comment 16 Cor Nouws 2017-05-18 07:41:09 UTC
Hi Ferry,

Just seen this https://vmiklos.hu/blog/xmlsec-lo54.html
which is possibly the solution..
Ciao
Comment 17 Xisco Faulí 2017-05-23 22:00:38 UTC Comment hidden (obsolete)
Comment 18 Buovjaga 2017-07-06 14:26:29 UTC

*** This bug has been marked as a duplicate of bug 94903 ***