Description:
Kleopatra and Firefox show my certificates. LibreOffice's Digital Signatures - Sign Document dialog window is empty.

Steps to Reproduce:
1. File | Digital Signatures | Digital Signatures
2. Sign Document

Actual Results:
The "select certificate" dialog window comes up empty.

Expected Results:
The "select certificate" dialog window should show certificates.

Reproducible: Always

User Profile Reset: Yes

OpenGL enabled: Yes

Additional Info:
Created attachment 151847 [details] Select certificate window empty
Please give all the details: Which certificates do you have? What is the Kleopatra version, is it standalone or bundled software? Are you testing with ODT?
I have Kleopatra Version 3.1.7-gpg4win-3.1.7 standalone. Yes, I am testing with ODT. About the certificates: not sure what you are asking. Kleopatra shows a number of certificates, my own is a certified, valid OpenPGP certificate. If you need any other info, I'd be happy to provide it.
[Automated Action] NeedInfo-To-Unconfirmed
I can confirm it - in Linux LO doesn't detect the personal certificate. Tested it with:
- Ubuntu 14.04_amd64 with LO 6.1.5.2
- Ubuntu 16.04.6_amd64 with LO 6.2.8.2
- Ubuntu 18.04.3_amd64 with LO 6.3.3.2
- in all cases with the certificate in .pfx and .p12 format
- in all cases with the certificate installed in Thunderbird and FF and switching between paths in LO=>Tools=>options=>security=>certificate path.

In all cases there is the same result => it doesn't see the personal certificate. It doesn't matter if the personal certificate is installed in Thunderbird or Firefox. LO correctly detects the path from "Tools=>options=>security=>certificate path", but the window in the dialogue for selecting a certificate is empty.

Also, in Windows7 with LO 6.2 it is working correctly; the bug is only in the Linux version.
> Another, in Windows7 with LO 6.2 working it correctly, Bug is only in Linux
> version.

Is that 32 or 64 bit Windows7 and LO? My problem is on Windows7 64 bit. Not sure if that's relevant, though.
In the configuration Win7_64 + LO 6.2 or LO 6.3 the digital signature is working correctly.
On Linux a workaround is to set the environment variable to the Firefox or Thunderbird profile folder:

MOZILLA_CERTIFICATE_FOLDER=sql:/home/lml/.thunderbird/something.default

The difference from the detected values shown in the Tools=>options=>security=>certificate path dialog is the "sql:". It seems LO does not use the (otherwise correctly determined) certificate path. And the combo box in certificate path dialog suggests that you can select between thunderbird/firefox/manual

I suggest to improve LO help:
- Help should express more clearly that on Linux the keystore is in Firefox/Thunderbird and has nothing to do with the certificate manager (Seahorse, Kleopatra etc) even if it can be started with the "Start certificate manager" button
- Mention the "sql:" (and maybe other) prefix
And the combo box in certificate path dialog suggests that you can select between thunderbird/firefox/manual but openoffice documentation states it is a fixed order: https://wiki.openoffice.org/wiki/How_to_use_digital_Signatures
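The `MOZILLA_CERTIFICATE_FOLDER` workaround from the comments above depends on giving NSS the right store prefix for the profile. The following is an added example, not code from the bug thread or from LibreOffice: `nss_cert_folder` is a hypothetical helper that inspects a profile directory and builds the value, and it assumes LibreOffice passes the value through to NSS unchanged, so that NSS's legacy `dbm:` prefix would be honoured the same way the thread reports for `sql:`.

```shell
#!/bin/sh
# Added example: build a MOZILLA_CERTIFICATE_FOLDER value for a Firefox or
# Thunderbird profile directory. nss_cert_folder is a hypothetical helper name.
nss_cert_folder() {
    profile=$1
    if [ -z "$profile" ] || [ ! -d "$profile" ]; then
        echo "not a directory: $profile" >&2
        return 2
    fi
    # cert9.db + key4.db: SQLite-format NSS store, addressed with "sql:".
    if [ -f "$profile/cert9.db" ] && [ -f "$profile/key4.db" ]; then
        printf 'sql:%s\n' "$profile"
        return 0
    fi
    # cert8.db + key3.db: legacy Berkeley DB NSS store, addressed with "dbm:".
    # Assumption: LibreOffice hands this prefix to NSS as it does "sql:".
    if [ -f "$profile/cert8.db" ] && [ -f "$profile/key3.db" ]; then
        printf 'dbm:%s\n' "$profile"
        return 0
    fi
    # A certificate database without its key database cannot be used to
    # sign, so it is reported as unusable rather than returned.
    echo "no usable NSS certificate store in $profile" >&2
    return 1
}

# Usage (the profile path is a placeholder):
#   MOZILLA_CERTIFICATE_FOLDER=$(nss_cert_folder "$HOME/.thunderbird/PROFILE.default") \
#       && export MOZILLA_CERTIFICATE_FOLDER && soffice
# If the NSS tools are installed, `certutil -L -d "$MOZILLA_CERTIFICATE_FOLDER"`
# lists the certificates in that store.
```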
I also confirm the bug on Ubuntu 19.10_amd64 with LO 6.3.3.2 using .p12 certificate (imported into Thunderbird).
Further details and partial workaround for Windows7 64bit

I followed the very detailed recipe on this page:
https://askubuntu.com/questions/122058/how-do-i-make-a-digital-certificate-available-to-libreoffice-writer-for-digital

It didn't work for me, LO still can't see any certificates in Kleopatra. (I use Thunderbird too.)

I could, however, add my CACert X509 certificate to the windows certificate store from Control Panel's Credential Manager, and then it shows up in the "Select certificate" window and I can actually sign with it.

I still can't sign an existing pdf (I get error messages like something-or-other.tmp does not exist.)

And LO still doesn't see *any* certificates stored in Kleopatra, so I can't use gpg keys.
There are more issues here.

(In reply to Péter Tarján from comment #0)
> Kleopatra and Firefox show my certificates. LibreOffice's Digital
> Signatures - Sign Document dialog windows is empty.

Kleopatra and Firefox keep their own certificate store. LO in Windows uses GPG4win and Kleopatra as seen in bug 116085. I guess LO should also use Windows system store but seems it doesn't.
For Linux I read on web that we must have LibreOffice, GnuPG, and Seahorse installed. But what about Kleopatra.
Documentation is not OK, https://help.libreoffice.org/7.0/en-US/text/shared/01/digitalsignatures.html doesn't mention Certificate Manager at all. So I confirm this bug as Documentation, all should be in Help. And other issues to be seen after bug 130354.

(In reply to Péter Tarján from comment #11)
> I could, however, add my CACert X509 certificate to the windows certificate
> store from Control Panel's Credential Manager, and then it shows up in the
> "Select certificate" window and I can actually sign with it.

I couldn't get it in LO in Windows 8.1. I used right-click .cer or .crt and Install, manually select cert store, it is seen with CertMgr.msc (personal) or certlm.msc (computer). But not in LO.
If you can, please test bug 113560.

> I still can't sign an existing pdf (I get error messages like
> something-or-other.tmp does not exist.)

That's bug 130354 from LO 6.4.

> And LO still doesn't see *any* certificates stored in Kleopatra, so I can't
> use gpg keys.

> number of certificates, my own is a certified, valid OpenPGP certificate.

PDF sign works with X509 and not with GPG/OpenPGP. Bug 113278 and Bug 115884.
But I confirm that, if Kleopatra is installed with GPG4Win, LO 6.3 starts Kleopatra with Start Certificate Manager .. but it doesn't show all X.509 certificates. I mentioned that in bug 113560. But some people saw it although couldn't sign. So it should be clear what's the filter.
(In reply to Dvorak David from comment #5)
> I can confirm it - in Linux LO don't detect personal certificate.

That's another issue. Please search and report for Linux if not already in bugs.

> In all cases there is the same result => don't see personal certificate. It
> doesn't matter if personal certificate is installed in Thunderbird or
> Firefox. LO correctly detect path from
> "Tools=>options=>security=>certificate path", but window in dialogue for
> select certificate is empty.

Tools => Options => Security => Certificate Path doesn't exist in Windows. I guess Linux only, should be in Help.
Comment 8 and comment 9 need to be tested more and be part of Help.
Thanks for your insights, Timur.

> There are more issues here.

> (In reply to Péter Tarján from comment #11)
> > I could, however, add my CACert X509 certificate to the windows certificate
> > store from Control Panel's Credential Manager, and then it shows up in the
> > "Select certificate" window and I can actually sign with it.
> I couldn't get it in LO in Windows 8.1. I used right-click .cer or .crt and
> Install, manually select cert store, it is seen with CertMgr.msc (personal)
> or certlm.msc (computer). But not in LO.
> If you can, please test bug 113560.

I tried it unsuccessfully. I get the error from bug 130354.

> > I still can't sign an existing pdf (I get error messages like
> > something-or-other.tmp does not exist.)
> That's bug 130354 from LO 6.4.

Indeed, that's what I get.

> > And LO still doesn't see *any* certificates stored in Kleopatra, so I can't
> > use gpg keys.
> > number of certificates, my own is a certified, valid OpenPGP certificate.
> PDF sign works with X509 and not with GPG/OpenPGP. Bug 113278 and Bug
> 115884.
> But I confirm that, if Kleopatra is installed with GPG4Win, LO 6.3 starts
> Kleopatra with Start Certificate Manager .. but it doesn't show all X.509
> certificates. I mentioned that in bug 113560. But some people saw it
> although couldn't sign. So it should be clear what's the filter.

The thing is, Kleopatra as a standalone program allows me to gpg-sign a pdf.
Hi Miklos, Samuel. Can you help here by explaining types of certificates that work?
As far as I know x509 certs work everywhere (signing of odf, ooxml, pdf) and gpg signing works with odf. But wait for Samuel to confirm the gpg bits, I didn't work on that piece.
(In reply to Miklos Vajna from comment #15)
> As far as I know x509 certs work everywhere (signing of odf, ooxml, pdf) and
> gpg signing works with odf. But wait for Samuel to confirm the gpg bits, I
> didn't work on that piece.

Correct, GPG signing only works in ODF documents.
I retested in Windows 7 and: LO uses Windows certificates system store (which makes sense) to sign ODF (X.509 and GPG/OpenPGP) and PDF (just X.509). But with Start Certificate Manager it starts Kleopatra (which then doesn't make sense). To add CaCert to Windows store I had to use .p12 (with personal key) exported from Firefox, .cer and .crt downloaded from cacert.org wouldn't do. I guess that should explain the situation in Windows, Linux is explained by Meskó, bug remains for Documentation.
How about the situation for macOS? See for example, bug 115538?
I've retested on Linux and LO 7.0.3.1: The setting in Tools=>options=>security=>certificate path now works correctly, and you can select between the certificate directories. The Start Certificate Manager button however still incorrectly starts Seahorse (or Kleopatra) on Linux. The button instead should start Thunderbird or Firefox based on the selected certificate directory if the default profile's store is used. Otherwise a message could ask the user to start manually the correct program to open the (previously) selected certificate store directory. (For example a Thunderbird nightly profile should not automatically be opened with the "normal" Thunderbird by LibreOffice.)
This bug is for Documentation. Bug 133941 is Windows for Start Certificate Manager. Since Linux is explained in comment 19, I set New to Linux bug 142279.
*** Bug 142562 has been marked as a duplicate of this bug. ***
*** Bug 137645 has been marked as a duplicate of this bug. ***
Olivier Hallot committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/help/commit/0730e0e4e05095fba949378e2cc489f31784c7e4

tdf#125636 (part) GPG signing works only for ODF

Olivier Hallot committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/help/commit/b5735b8715ec8e86033fa9bf826829235bd69018

tdf#125636 (part) Include Help for "Start Certificate Manager"
Verified as fixed in: https://help.libreoffice.org/7.4/en-GB/text/shared/01/digitalsignatures.html?System=WIN&DbPAR=WRITER&HID=xmlsec