Bug 147291 - macOS: Digital Signatures > Start Certificate Manager (OpenPGP) results in error instead of opening GPG Keychain
Status: RESOLVED DUPLICATE of bug 159307
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version: 7.5.2.2 release (earliest affected)
Hardware: All macOS (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard: target:24.8.0 target:24.2.1
Keywords:
Depends on:
Blocks: macOS-UI-polish Digital-Signatures
Reported: 2022-02-08 16:24 UTC by Luc Lalonde
Modified: 2024-02-05 15:56 UTC

See Also:
Crash report or crash signature:


Attachments
2024-02-03 functional dialog after opening GPG Keychain (66.36 KB, image/png)
2024-02-03 11:58 UTC, steve
Description Luc Lalonde 2022-02-08 16:24:32 UTC
Running latest Dev version of LibreOffice 7.4Alpha (2022-Feb-08 03:40) on MacOS Monterey version 12.2 and latest GPG Suite 2021.3

I am finally able to sign documents from this version of LibreOffice, but if I click on 'Start Certificate Manager' in the 'Digital Signatures' window, I get this error:

Could not find any certificate manager
Comment 1 Luc Lalonde 2022-02-08 16:32:42 UTC
I've tested this in Windows and Linux and it works as it should.   This bug is only found in the MacOS version of LibreOffice.
Comment 2 steve 2022-02-08 20:34:34 UTC
Repro

1. menubar File > Digital Signatures > Digital Signatures
2. Click "Start Certificate Manager…"

Currently

Could not find any certificate manager.

Expected

If GPG Suite is installed, GPG Keychain is the tool to manage OpenPGP Keys so that should probably be opened.

Setting to NEW as problem is confirmed.

@Luc: Can you describe what happens on Windows | Linux?
Comment 3 Luc Lalonde 2022-02-08 20:41:56 UTC
I'm using KDE with Fedora 35.  So I have Kleopatra installed.

When I click on 'Start Certificate Manager', Kleopatra opens up.

With Windows, you need to install Gpg4Win.   When you click the same button, it opens the Windows version of Kleopatra that comes with Gpg4Win.
Comment 4 Alex Thurgood 2022-02-10 11:10:52 UTC
I can reproduce this with all current versions of LibreOffice, LODev, and Collabora Office.
Comment 5 Alex Thurgood 2022-02-10 11:14:32 UTC
(In reply to Luc Lalonde from comment #0)
> Running latest Dev version of LibreOffice 7.4Alpha (2022-Feb-08 03:40) on
> MacOS Monterey version 12.2 and latest GPG Suite 2021.3
> 
> I am finally able to sign documents from this version of LibreOffice, but if

Isn't this problem linked to bug 125636 though ?

The whole point being that GPG keys are not certificates.
Comment 6 Luc Lalonde 2022-02-10 17:38:03 UTC
(In reply to Alex Thurgood comment #5)

This ticket has nothing to do with that discussion.  The ticket you're referring to seems to be a tutorial on the differences between PGP and X.509 and their implementation.

The certificate manager that I'm referring to supports both of these!
Comment 7 steve 2022-02-17 12:26:14 UTC
Luc: If you are referring to GPG Keychain, that only supports OpenPGP keys.
Comment 8 Luc Lalonde 2022-02-17 14:46:57 UTC
Wow, then I stand corrected!   I thought that it shared a code base with Kleopatra.
Comment 9 Andrew Watson 2023-05-02 09:34:21 UTC
Bug still present in:

Version: 7.4.6.2 / LibreOffice Community
Build ID: 5b1f5509c2decdade7fda905e3e1429a67acd63d
CPU threads: 4; OS: Mac OS X 10.14.6; UI render: default; VCL: osx
Locale: en-GB (en_GB.UTF-8); UI: en-GB
Calc: threaded

GPG Suite 2020.2 installed, including GPG Keychain 1.7, and seemingly fully functional.

https://gpgtools.org/releases/gpgsuite/release-notes.html
Comment 10 Andrew Watson 2023-05-02 10:18:58 UTC
Further note: the "Help" button on the "Digital Signatures" window opens this web page:

file:///Applications/LibreOffice.app/Contents/Resources/help/en-GB/text/shared/01/digitalsignatures.html?System=MAC&DbPAR=WRITER&HID=xmlsec/ui/digitalsignaturesdialog/dialog-action_area1#bm_@@nowidget@@

 ... which includes the text:

--- START QUOTE ---

Start Certificate Manager

Opens the installed certificate manager of your system.

On macOS, the default certificate manager is Keychain Access.

--- END QUOTE ---

AFAIK MacOS's "Keychain Access" can store X.509 certificates, but not GPG keys. GPG Keychain can store GPG keys, but not X.509 certificates. It looks as though LO on other platforms supports signing ODT documents with either X.509 certificates or GPG keys (?), so it would seem that for full interoperability, ODT document signing on MacOS has to interface to two separate key/certificate management systems (??).
Comment 11 Luc Lalonde 2023-05-02 11:33:03 UTC
Still not working for me

LibreOffice 7.5.2.2
GPG Keychain 1.12

Start certificate Manager button is still dead.
Comment 12 Martin Srebotnjak 2023-05-09 08:14:17 UTC
I tried using with a certificate, stored in the Keychain Access.

But also here, pressing the "Start Certificate Manager" button in this case does not open Keychain Access, but replies that no certificate manager is found (which is funny, as Keychain Access is part of macOS).

Also, LO help states that default certificate manager on macOS is Keychain Access, so LO should be able to automatically start it.

It seems signing documents on macOS is flawed, not operational.

Should I open a new bug for this or leave my report here?
Comment 13 Heiko Tietze 2023-06-13 10:01:53 UTC
Some info on bug 142279. In a nutshell: some certificate managers are hard-coded and clicking the button is supposed to run these tools. Which depends on the OS but macOS has not been considered yet.

Apple's keychain tool probably does not work with GPG / WoT but similarly to Windows with issued certificates. If that's true the keychain tool is worthless (see also bug 133941 for the situation on Windows).
Comment 14 Alex Thurgood 2023-06-13 15:01:51 UTC
(In reply to Heiko Tietze from comment #13)
> Some info on bug 142279. In a nutshell: some certificate managers are
> hard-coded and clicking the button is supposed to run these tools. Which
> depends on the OS but macOS has not been considered yet.
> 

Which is a very sad state of affairs given that we've been touting digital signatures in our marketing hype since...


> Apple's keychain tool probably does not work with GPG / WoT but similarly to
> Windows with issued certificates. If that's true the keychain tool is
> worthless (see also bug 133941 for the situation on Windows).

FWIW, my CertEurope USB eIDAS key relies on a third party app called TKM (Trusted Key Manager) to register the hardware key with the OS. The key isn't automatically registered with Apple Keychain. I would have to export the CER from the TKM app and then import it into the Keychain.app.

This type of USB hardware key  is used by the bar association of France for filing court documents. 

It is also one of the allowed hardware signing/authentication/non-repudiation keys used for filing documents with the Unified Patent Court.

LibreOffice won't find the cert outside of the Mozilla Firefox profile. For example, if I put a copy of the cert in a folder in my home directory and point LibreOffice manually to that folder, it can't find the key.

This means that the CER has to be referenced within the Firefox session by creating a software security device containing the path to the DYLIB and then loading that software security device into the Firefox session.

This IMHO is the biggest problem with cert management within LO at the moment, to the extent that it relies on Mozilla profiles (Firefox or Thunderbird) to be called when needed.
Comment 15 Patrick Luby (volunteer) 2024-01-25 12:50:53 UTC
In tdf#159307, I am adding the following to the "default list" of certificate manager applications on macOS. Are there other common applications that I should add to the list?:

  /Applications/GPG Keychain.app
  ...insert other common applications here...
  ...existing list of Linux command line programs here...
  /Applications/Utilities/Keychain Access.app

I also see that in LibreOffice 24.2, you can set a custom application in LibreOffice > Security > Certificate Manager in LibreOffice's Options dialog so I am also fixing a few bugs related to that new setting.

Current status of my work in process is here:

https://gerrit.libreoffice.org/c/core/+/162485
Comment 16 Alex Thurgood 2024-01-30 10:51:13 UTC
(In reply to Patrick Luby from comment #15)
> In tdf#159307, I am adding the following to the "default list" of
> certificate manager applications on macOS. Are there other common
> applications that I should add to the list?:
> 

I don't know how common the following are, but I have to use them for my work:

SCInterface Manager and SmartCard tools (www.cryptovision.com)

Trusted Key Manager 1.7.3 (OCDrive 2019) - CertEurope
Comment 17 Patrick Luby (volunteer) 2024-02-01 00:03:03 UTC
(In reply to Alex Thurgood from comment #16)
> I don't know how common the following are, but I have to use them for my
> work:
> 
> SCInterface Manager and SmartCard tools (www.cryptovision.com)
> 
> Trusted Key Manager 1.7.3 (OCDrive 2019) - CertEurope

I think we can add them. I have time tomorrow to work on tdf#159307 so can you download tomorrow's (01 February 2024) nightly build and test each in the Options dialog's LibreOffice > Security > Certificate Manager via the Browse button.

After setting each one, does the Start Certificate Manager button launch the application? If yes, can you copy the path that is in the Options dialog (the Open dialog may return a path slightly different than in Finder in some cases)?
Comment 18 Alex Thurgood 2024-02-01 18:18:48 UTC
(In reply to Patrick Luby from comment #17)
> (In reply to Alex Thurgood from comment #16)

> I think we can add them. I have time tomorrow to work on tdf#159307 so can
> you download tomorrow's (01 February 2024) nightly build and test each in
> the Options dialog's LibreOffice > Security > Certificate Manager via the
> Browse button.
> 
> After setting each one, does the Start Certificate Manager button launch the
> application? If yes, can you copy the path that is in the Options dialog
> (the Open dialog may return a path slightly different than in Finder in some
> cases)?

I'll have a look tomorrow and report back, as I was otherwise engaged today.
Comment 19 Alex Thurgood 2024-02-02 16:12:43 UTC
(In reply to Patrick Luby from comment #17)

 
> I think we can add them. I have time tomorrow to work on tdf#159307 so can
> you download tomorrow's (01 February 2024) nightly build and test each in
> the Options dialog's LibreOffice > Security > Certificate Manager via the
> Browse button.

> 
> After setting each one, does the Start Certificate Manager button launch the
> application? If yes, can you copy the path that is in the Options dialog
> (the Open dialog may return a path slightly different than in Finder in some
> cases)?

After adding the scManager.app, I see the following path in the Certificate Manager path field:

/Applications/SCinterface/scManager.app/

With an open test document in Writer, calling the digital signature dialog and clicking on the Certificate Manager button successfully opens the scManager app.

 
Similarly, after adding the 'Trusted Key Manager.app', I see the following path:

/Applications/Trusted Key Manager.app/

and the app duly opens when clicking on the Certificate Manager button.
Comment 20 Patrick Luby (volunteer) 2024-02-02 17:43:54 UTC
(In reply to Alex Thurgood from comment #19)
> After adding the scManager.app, I see the following path in the Certificate
> Manager path field:
> 
> /Applications/SCinterface/scManager.app/
> 
> With an open test document in Writer, calling the digital signature dialog
> and clicking on the Certificate Manager button successfully opens the
> scManager app.
> 
>  
> Similarly, after adding the 'Trusted Key Manager.app', I see the following
> path:
> 
> /Applications/Trusted Key Manager.app/
> 
> and the app duly opens when clicking on the Certificate Manager button.

So which application is used by more people? My guess is that GPGTools is the most common and macOS' Keychain Access application is the least common so these two would go in the middle. I just don't have any sense which is more common.
Comment 21 Alex Thurgood 2024-02-02 20:46:51 UTC
(In reply to Patrick Luby from comment #20)

> So which application is used by more people? My guess is that GPGTools is
> the most common and macOS' Keychain Access application is the least common
> so these two would go in the middle. I just don't have any sense which is
> more common.

I actually have no idea, but would hazard a guess that scManager isn't the most commonly used app out there, and the TKM whilst apparently specific to CertEurope is fairly widely used by the French barrister profession for court submissions, and, so I'm led to believe, by other organisations within the EU (although I have no actual evidence of that).
Comment 22 Patrick Luby (volunteer) 2024-02-02 21:14:33 UTC
(In reply to Alex Thurgood from comment #21)
> I actually have no idea, but would hazard a guess that scManager isn't the
> most commonly used app out there, and the TKM whilst apparently specific to
> CertEurope is fairly widely used by the French barrister profession for
> court submissions, and, so I'm led to believe, by other organisations within
> the EU (although I have no actual evidence of that).

OK. Let's put TKM first and scManager second and see how that goes.
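
The lookup order settled in comments 15 to 22, sketched as an added example that is not part of the thread and is not LibreOffice's own code. The function names, the `root` test parameter, and the rule that the custom Options path is tried first and falls through to the defaults when unusable are assumptions; the Linux command-line entries are elided in the thread and are left out here.

```python
import os
import subprocess
import sys

# Default macOS candidates in the order settled in comments 15 and 22.
# The Linux command-line entries are elided in the thread and omitted here.
DEFAULT_MANAGERS = [
    "/Applications/GPG Keychain.app",
    "/Applications/Trusted Key Manager.app",
    "/Applications/SCinterface/scManager.app",
    "/Applications/Utilities/Keychain Access.app",
]


def normalize(path):
    """Strip the trailing slash that the Options dialog shows (comment 19)."""
    return path.rstrip("/") if path and path != "/" else path


def is_app_bundle(path, root="/"):
    """Accept only an absolute path to an existing .app bundle directory.
    `root` (hypothetical parameter) lets tests point at a fake filesystem."""
    if not path or not os.path.isabs(path) or not path.endswith(".app"):
        return False
    return os.path.isdir(os.path.join(root, path.lstrip("/")))


def resolve_certificate_manager(custom_path=None, root="/"):
    """Return the first usable manager: the custom setting first (assumption),
    then the default list in order; None if nothing is installed."""
    for candidate in [custom_path or ""] + DEFAULT_MANAGERS:
        candidate = normalize(candidate)
        if is_app_bundle(candidate, root):
            return candidate
    return None


def launch(path):
    """Hand the bundle to `open -a` as an argument list, so spaces in names
    such as "GPG Keychain.app" need no quoting and no shell is involved."""
    return subprocess.run(["open", "-a", path], check=False).returncode


if __name__ == "__main__":
    found = resolve_certificate_manager()
    if found is None:
        print("Could not find any certificate manager")
    elif sys.platform == "darwin":
        launch(found)
    else:
        print("would launch:", found)
```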
Comment 23 steve 2024-02-03 11:56:23 UTC
Below version works as expected: File > Digital Signatures > Digital Signatures > Start Certificate Manager… does open GPG Keychain and shows a dialog stating: You have opened the certificate manager at /Applications/GPG Keychain.app

Some thoughts about the success dialog and wording:

- Wondering if "%/app_name_here_without_suffix has been opened." is sufficient as dialog after opening the certificate manager
- is that confirmation dialog needed at all? If the certificate manager does open, it opens on top level over other open windows so it is hard to miss
- is the path really relevant in this dialog? Also all apps use suffix "app" so there isn't any point in showing the suffix.

Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 3d5c0a94539d2196c7d0dd9f52660ba9e58d31b8
CPU threads: 8; OS: macOS 13.6.4; UI render: Skia/Metal; VCL: osx
Locale: en-US (en_DE.UTF-8); UI: en-US
Calc: threaded
Comment 24 steve 2024-02-03 11:58:22 UTC
Created attachment 192368
2024-02-03 functional dialog after opening GPG Keychain
Comment 25 Sierk Bornemann 2024-02-03 12:10:57 UTC
(In reply to steve from comment #23)
> Below version works as expected: File > Digital Signatures > Digital
> Signatures > Start Certificate Manager… does open GPG Keychain and shows a
> dialog stating: You have opened the certificate manager at /Applications/GPG
> Keychain.app
> 
> Some thoughts about the success dialog and wording:
> 
> - Wondering if "%/app_name_here_without_suffix has been opened." is
> sufficient as dialog after opening the certificate manager
> - is that confirmation dialog needed at all? If the certificate manager does
> open, it opens on top level over other open windows so it is hard to miss


+1

I wonder the same. In my opinion, this dialog window with this information is completely unnecessary and redundant; the information provided arises automatically from the action that is currently taking place, especially since it was explicitly initiated by the user. Why then parallel an extra confirmation through such a dialog window, which is also covered while the action initiated by the user is successfully taking place and the result is presented prominently?

> - is the path really relevant in this dialog?

+1

> Also all apps use suffix "app" so there isn't any point in showing the suffix.

+1

Version: 24.8.0.0.alpha0+ (AARCH64) / LibreOffice Community
Build ID: 3fc0eb2bc8b439bda286e0c87a9814d90cc9d9d5
CPU threads: 10; OS: macOS 14.3; UI render: Skia/Metal; VCL: osx
Locale: de-DE (de_DE.UTF-8); UI: de-DE
Calc: threaded
Comment 26 steve 2024-02-03 12:17:16 UTC
Two things I forgot:

1. I think https://bugs.documentfoundation.org/show_bug.cgi?id=159307 is a dupe of this bug here, correct?
2. Patrick, if you think the changed dialog should go into a separate bug, just let us know so that can be filed.
Comment 27 Commit Notification 2024-02-05 08:04:54 UTC
Patrick Luby committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/538f7b45c0c2c08124e9ea51a0947504f142a4f1

tdf#147291 add more default certificate manager application for macOS

It will be available in 24.8.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 28 Heiko Tietze 2024-02-05 11:18:38 UTC
Resolved/Fixed, Patrick?
Comment 29 Patrick Luby (volunteer) 2024-02-05 13:26:42 UTC
Marking as duplicate of tdf#159307.

*** This bug has been marked as a duplicate of bug 159307 ***
Comment 30 Commit Notification 2024-02-05 15:56:09 UTC
Patrick Luby committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":

https://git.libreoffice.org/core/commit/aebea827555c29b30eded9a4e158b58c063613dc

tdf#147291 add more default certificate manager application for macOS

It will be available in 24.2.1.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.