Description: An admin can lock the list of trusted authors / signatures by finalizing that configuration attribute like: <node oor:name="Security"> <node oor:name="Scripting"> <node oor:name="TrustedAuthors" oor:finalized="true"> <node oor:name="a0" oor:op="replace"> <prop oor:name="RawData" oor:op="fuse"><value>[base64 encoded DER x509 cert}</value></prop> <prop oor:name="SubjectName" oor:op="fuse"><value>test key - only signing <libreoffice@lists.freedesktop.org></value></prop> <prop oor:name="SerialNumber" oor:op="fuse"><value></value></prop> </node> </node> <prop oor:name="MacroSecurityLevel" oor:finalized="true"><value>2</value></prop> </node> </node> This disables the modification of that list in the macro security dialog (Tools -> Options -> LibreOffice -> Security -> Macro security) and forces *High* macro security. Still, at the macro security level *High*, the user is asked when opening a document with an unknown signature, if the signature should be added to the list of trusted signatures. But since the signature list is locked, nothing will actually be added. The result is some kind of "temporary trusted" certificate, until LO is restarted. This seems at least inconsequential. From my POV it's a bug and not a feature, because an admin already locked the list of trusted signatures. Eventually that dialog would want a checkbox with a different text to explicitly allow a temporary trusted signature, with an additional option to explicitly enable that feature, if someone really wants this in general. Steps to Reproduce: 1. Install the attached sample config extension 2. Check the Macro security settings to be level *High* (with a lock) and the LO trusted signatures to contain the LO unit test signature and isn't editable (the lock icon needs a fix here) 3. Open the attached document Actual Results: The user is asked to add the unknown signature to the trusted signature list. Expected Results: The document is opened without enabled macros. Eventually LO even displays some message box informing the user about the untrusted signature and the therefore disabled macros. Reproducible: Always User Profile Reset: No Additional Info:
Created attachment 156461 [details] Macro locking extension with LO unit test cert
As a failure test document, you can use the one attached to bug 42316: attachment 52829 [details].
There is now https://gerrit.libreoffice.org/84887. It fixes a whole bunch of problems I stumbled over and most had to fix, while I actually just wanted to fix the locked "trusted authors" handling. I think I'll at least split the UI and certificate exception handling from the "hard" functional change later.
Created attachment 156482 [details] Macro "trusted cert" list only locking extension with LO unit test cert While working on the proposed patch, I just realized, that the current patch will also prevent the user interaction in the macro security level (MSL) *Medium*, which is (obviously) wrong. Consequently this will need a change of the Macro warning dialog to hide the "Add to trusted sources" check box, if the list of trusted certificates is read-only. To make testing easier, I updated the extension, so it won't lock or override the MSL anymore and just lock the list of trusted authors.
Jan-Marek Glogowski committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/71c6f438cecc3ce5e8060efe1df840652885701c tdf#129311 don't allow temporary trusted certs It will be available in 6.5.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Jan-Marek Glogowski committed a patch related to this issue. It has been pushed to "libreoffice-6-4": https://git.libreoffice.org/core/commit/9cdb97cd93e60a0faf0a531949d94cff79e1aab9 tdf#129311 don't allow temporary trusted certs It will be available in 6.4.0.2. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
(In reply to Commit Notification from comment #6) > The document is opened without enabled macros. Eventually LO even displays > some message box informing the user about the untrusted signature and the > therefore disabled macros. > Affected users are encouraged to test the fix and report feedback. checked with: Version: 6.5.0.0.alpha0+ (x64) Build ID: 4b7b6993134a48c850608c758f7b7283bed27fec CPU threads: 4; OS: Windows 10.0 Build 18363; UI render: default; VCL: win; Locale: de-DE (de_DE); UI-Language: en-US Calc: threaded I was not able to make it work with the attached *.oxt (certificate did not appear in "Trusted Sources") but using an own certificate worked for me: 1. With macro Security "High" and MacroSecurityLevel finalized="true" a) Macro enabled: - opened signed document/template Document changes will not affect macro signing as long as macro itself is not changed. The signature of a modified macros is lost when you save the document. b) Macro disabled: - opened unsigned document - opened signed document (signed with an unknown certificate) *) 2. With macro Security "Medium" a) Macro enabled: - opened signed document/template b) User is able to enabled/disable macro: - opened unsigned document - opened signed document (signed with an unknown certificate) *) *) With MacroSecurityLevel finalized="false" user is able to add the unknown certificate to the "Trusted Source" list.