Bug 125636 - Explain types and sources of certificates in Digital Signatures - Select certificate dialog
Summary: Explain types and sources of certificates in Digital Signatures - Select cert...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Documentation
Version: 6.2.4.2 release (earliest affected)
Hardware: x86-64 (AMD64) Windows (All)
: medium normal
Assignee: Not Assigned
URL: https://help.libreoffice.org/7.0/en-U...
Whiteboard:
Keywords:
Depends on:
Blocks: Digital-Signatures
 
Reported: 2019-06-02 11:38 UTC by Péter Tarján
Modified: 2020-12-04 17:34 UTC

See Also:
Crash report or crash signature:


Attachments
Select certificate window empty (80.63 KB, image/jpeg)
2019-06-02 11:41 UTC, Péter Tarján
Description Péter Tarján 2019-06-02 11:38:39 UTC
Description:
Kleopatra and Firefox show my certificates. LibreOffice's Digital Signatures - Sign Document dialog window is empty.

Steps to Reproduce:
1. File | Digital Signatures | Digital Signatures
2. Sign Document

Actual Results:
The "select certificate" dialog window comes up empty.

Expected Results:
The "select certificate" dialog window should show certificates.


Reproducible: Always


User Profile Reset: Yes


OpenGL enabled: Yes

Additional Info:
Comment 1 Péter Tarján 2019-06-02 11:41:30 UTC
Created attachment 151847 [details]
Select certificate window empty
Comment 2 Timur 2019-06-17 08:56:42 UTC
Please give all the details:
Which certificates do you have? 
What is the Kleopatra version, is it standalone or bundled software?
Are you testing with ODT?
Comment 3 Péter Tarján 2019-06-19 09:34:47 UTC
I have Kleopatra Version 3.1.7-gpg4win-3.1.7 standalone.
Yes, I am testing with ODT.
About the certificates: not sure what you are asking. Kleopatra shows a number of certificates, my own is a certified, valid OpenPGP certificate. If you need any other info, I'd be happy to provide it.
Comment 4 QA Administrators 2019-06-20 02:51:13 UTC Comment hidden (obsolete)
Comment 5 Dvorak David 2019-11-18 10:47:05 UTC
I can confirm it - in Linux LO doesn't detect the personal certificate. Tested it with:

- Ubuntu 14.04_amd64 with LO 6.1.5.2
- Ubuntu 16.04.6_amd64 with LO 6.2.8.2
- Ubuntu 18.04.3_amd64 with LO 6.3.3.2
- in all cases with format of certificate .pfx and .p12
- in all cases with certificate installed in Thunderbird and FF and switching between paths in LO=>Tools=>options=>security=>certificate path.

In all cases there is the same result => I don't see the personal certificate. It doesn't matter if the personal certificate is installed in Thunderbird or Firefox. LO correctly detects the path from "Tools=>options=>security=>certificate path", but the window in the dialogue for selecting a certificate is empty.

Also, in Windows7 with LO 6.2 it is working correctly; the bug is only in the Linux version.
Comment 6 Péter Tarján 2019-11-18 20:17:08 UTC
> Also, in Windows7 with LO 6.2 it is working correctly; the bug is only in the
> Linux version.

Is that 32 or 64 bit Windows7 and LO? 
My problem is on Windows7 64 bit. Not sure if that's relevant, though.
Comment 7 Dvorak David 2019-11-18 21:29:02 UTC
In configuration Win7_64 + LO 6.2 or LO 6.3, digital signature is working correctly.
Comment 8 László Meskó 2019-12-01 16:54:47 UTC
On Linux a workaround is to set the environment variable to the Firefox or Thunderbird profile folder:
MOZILLA_CERTIFICATE_FOLDER=sql:/home/lml/.thunderbird/something.default 

The difference from the detected values shown in the Tools=>options=>security=>certificate path dialog is the "sql:".

It seems LO does not use the (otherwise correctly determined) certificate path.
And the combo box in certificate path dialog suggests that you can select between thunderbird/firefox/manual 

I suggest to improve LO help:
- Help should express more clearly that on Linux the keystore is in Firefox/Thunderbird and has nothing to do with the certificate manager (Seahorse, Kleopatra etc) even if it can be started with the "Start certificate manager" button
- Mention the "sql:" (and maybe other) prefix
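
Added example, not part of the original comments and not LibreOffice's own code: a POSIX shell helper that builds the MOZILLA_CERTIFICATE_FOLDER value described in comment 8 for a Firefox or Thunderbird profile. It assumes the NSS SQLite store layout (cert9.db plus key4.db); the function names and the profile path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: derive MOZILLA_CERTIFICATE_FOLDER for a Mozilla profile.

# Print "sql:<dir>" when <dir> holds an NSS SQLite store (cert9.db + key4.db).
# Returns 1 when there is no NSS store, 2 when only the legacy DBM store
# (cert8.db) is present, which the "sql:" prefix would not open.
nss_cert_folder() {
    dir=${1%/}
    [ -d "$dir" ] || return 1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        printf 'sql:%s\n' "$dir"
        return 0
    fi
    [ -f "$dir/cert8.db" ] && return 2
    return 1
}

# Print one candidate value per usable profile under the given roots
# (typically ~/.mozilla/firefox and ~/.thunderbird).
list_cert_folders() {
    for root in "$@"; do
        for p in "$root"/*/; do
            nss_cert_folder "$p" || true
        done
    done
}

# Run a command with the variable set for exactly one profile, so the
# certificate store used for signing is chosen explicitly.
with_cert_folder() {
    profile=$1; shift
    value=$(nss_cert_folder "$profile") || {
        echo "no SQLite NSS store in $profile" >&2
        return 1
    }
    MOZILLA_CERTIFICATE_FOLDER=$value "$@"
}

# Usage (profile directory name is a placeholder):
#   list_cert_folders "$HOME/.mozilla/firefox" "$HOME/.thunderbird"
#   with_cert_folder "$HOME/.thunderbird/PROFILE.default" soffice --writer
```
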
Comment 9 László Meskó 2019-12-01 16:59:53 UTC
And the combo box in certificate path dialog suggests that you can select between thunderbird/firefox/manual but openoffice documentation states it is a fixed order:
https://wiki.openoffice.org/wiki/How_to_use_digital_Signatures
Comment 10 László Meskó 2019-12-01 17:15:59 UTC
I also confirm the bug on Ubuntu 19.10_amd64 with LO 6.3.3.2 using .p12 certificate (imported into Thunderbird).
Comment 11 Péter Tarján 2020-05-01 07:48:24 UTC
Further details and partial workaround for Windows7 64bit

I followed the very detailed recipe on this page:
https://askubuntu.com/questions/122058/how-do-i-make-a-digital-certificate-available-to-libreoffice-writer-for-digital
It didn't work for me, LO still can't see any certificates in Kleopatra. (I use Thunderbird too.)

I could, however, add my CACert X509 certificate to the windows certificate store from Control Panel's Credential Manager, and then it shows up in the "Select certificate" window and I can actually sign with it. 

I still can't sign an existing pdf (I get error messages like something-or-other.tmp does not exist.)

And LO still doesn't see *any* certificates stored in Kleopatra, so I can't use gpg keys.
Comment 12 Timur 2020-05-29 19:38:08 UTC
There are more issues here. 

(In reply to Péter Tarján from comment #0)
> Kleopatra and Firefox show my certificates. LibreOffice's Digital
> Signatures - Sign Document dialog window is empty. 
Kleopatra and Firefox each keep their own certificate store. LO in Windows uses GPG4win and Kleopatra as seen in bug 116085. 
I guess LO should also use the Windows system store but it seems it doesn't.
For Linux I read on the web that we must have LibreOffice, GnuPG, and Seahorse installed. But what about Kleopatra?

Documentation is not OK, https://help.libreoffice.org/7.0/en-US/text/shared/01/digitalsignatures.html doesn't mention Certificate Manager at all.
So I confirm this bug as Documentation, all should be in Help. And other issues to be seen after bug 130354.

(In reply to Péter Tarján from comment #11)
> I could, however, add my CACert X509 certificate to the windows certificate
> store from Control Panel's Credential Manager, and then it shows up in the
> "Select certificate" window and I can actually sign with it. 
I couldn't get it in LO in Windows 8.1. I used right-click .cer or .crt and Install, manually select cert store, it is seen with CertMgr.msc (personal) or certlm.msc (computer). But not in LO. 
If you can, please test bug 113560.

> I still can't sign an existing pdf (I get error messages like
> something-or-other.tmp does not exist.)
That's bug 130354 from LO 6.4.

> And LO still doesn't see *any* certificates stored in Kleopatra, so I can't
> use gpg keys.
> number of certificates, my own is a certified, valid OpenPGP certificate.
PDF sign works with X509 and not with GPG/OpenPGP. Bug 113278 and Bug 115884. 
But I confirm that, if Kleopatra is installed with GPG4Win, LO 6.3 starts Kleopatra with Start Certificate Manager .. but it doesn't show all X.509 certificates. I mentioned that in bug 113560. But some people saw it although couldn't sign. So it should be clear what's the filter. 

(In reply to Dvorak David from comment #5)
> I can confirm it - in Linux LO doesn't detect the personal certificate. 
That's another issue. Please search and report for Linux if not already in bugs. 

> In all cases there is the same result => I don't see the personal
> certificate. It doesn't matter if the personal certificate is installed in
> Thunderbird or Firefox. LO correctly detects the path from
> "Tools=>options=>security=>certificate path", but the window in the dialogue
> for selecting a certificate is empty.
Tools => Options => Security => Certificate Path doesn't exist in Windows. I guess Linux only, should be in Help. 

Comment 8 and comment 9 need to be tested more and be part of Help.
Comment 13 Péter Tarján 2020-05-30 08:17:47 UTC Comment hidden (obsolete)
Comment 14 Timur 2020-06-04 07:17:14 UTC Comment hidden (obsolete)
Comment 15 Miklos Vajna 2020-06-04 07:28:39 UTC Comment hidden (obsolete)
Comment 16 Samuel Mehrbrodt (allotropia) 2020-06-04 07:33:04 UTC
(In reply to Miklos Vajna from comment #15)
> As far as I know x509 certs work everywhere (signing of odf, ooxml, pdf) and
> gpg signing works with odf. But wait for Samuel to confirm the gpg bits, I
> didn't work on that piece.

Correct, GPG signing only works in ODF documents.
Comment 17 Timur 2020-06-10 09:33:37 UTC
I retested in Windows 7 and: LO uses Windows certificates system store (which makes sense) to sign ODF (X.509 and GPG/OpenPGP) and PDF (just X.509).
But with Start Certificate Manager it starts Kleopatra (which then doesn't make sense).
 
To add CaCert to Windows store I had to use .p12 (with personal key) exported from Firefox, .cer and .crt downloaded from cacert.org wouldn't do. 

I guess that should explain the situation in Windows, Linux is explained by Meskó, bug remains for Documentation.
Comment 18 Alex Thurgood 2020-06-12 15:10:19 UTC
How about the situation for macOS ?

See for example, bug 115538 ?
Comment 19 László Meskó 2020-12-04 17:34:11 UTC
I've retested on Linux and LO 7.0.3.1:
The setting in Tools=>options=>security=>certificate path now works correctly, and you can select between the certificate directories.

The Start Certificate Manager button however still incorrectly starts Seahorse (or Kleopatra) on Linux. The button instead should start Thunderbird or Firefox based on the selected certificate directory if the default profile's store is used. Otherwise a message could ask the user to manually start the correct program to open the (previously) selected certificate store directory. (For example a Thunderbird nightly profile should not be automatically opened with the "normal" Thunderbird by LibreOffice.)