Running latest Dev version of LibreOffice 7.4Alpha (2022-Feb-08 03:40) on MacOS Monterey version 12.2 and latest GPG Suite 2021.3 I am finally able to sign documents from this version of LibreOffice, but if I click on 'Start Certificate Manager' in the 'Digital Signatures' window, I get this error: Could not find any certificate manager
I've tested this in Windows and Linux and it works as it should. This bug is only found in the MacOS version of LibreOffice.
Repro 1. menubar File > Digital Signatures > Digital Signatures 2. Click "Start Certificate Manager…" Currently Could not find any certificate manager. Expected If GPG Suite is installed, GPG Keychain is the tool to manage OpenPGP Keys so that should probably be opened. Setting to NEW as problem is confirmed. @Luc: Can you describe what happens on Windows | Linux?
I'm using KDE with Fedora 35. So I have Kleopatra installed. When I click on 'Start Certificate Manager', Kleopatra opens up. With Windows, you need to install Gpg4Win. When you click the same button, it opens the Windows version of Kleopatra that comes with Gpg4Win.
I can reproduce this with all current versions of LibreOffice, LODev, and Collabora Office.
(In reply to Luc Lalonde from comment #0) > Running latest Dev version of LibreOffice 7.4Alpha (2022-Feb-08 03:40) on > MacOS Monterey version 12.2 and latest GPG Suite 2021.3 > > I am finally able to sign documents from this version of LibreOffice, but if Isn't this problem linked to bug 125636 though ? The whole point being that GPG keys are not certificates.
(In reply to Alex Thurgood comment #5) This ticket has nothing to do with that discussion. The ticket you're refering seems to be a tutorial on the differences between PGP and X.509 and their implementation. The certificate manager that I'm referring to supports both of these!
Luc: If you are referring to GPG Keychain, that only supports OpenPGP keys.
Wow, then I stand corrected! I thought that it shared a code base with Kleopatra.
Bug still present in: Version: 7.4.6.2 / LibreOffice Community Build ID: 5b1f5509c2decdade7fda905e3e1429a67acd63d CPU threads: 4; OS: Mac OS X 10.14.6; UI render: default; VCL: osx Locale: en-GB (en_GB.UTF-8); UI: en-GB Calc: threaded GPG Suite 2020.2 installed, including GPG Keychain 1.7, and seemingly fully functional. https://gpgtools.org/releases/gpgsuite/release-notes.html
Further note: thew "Help" button on the "Digital Signatures" window opens this web page: file:///Applications/LibreOffice.app/Contents/Resources/help/en-GB/text/shared/01/digitalsignatures.html?System=MAC&DbPAR=WRITER&HID=xmlsec/ui/digitalsignaturesdialog/dialog-action_area1#bm_@@nowidget@@ ... which includes the text: --- START QUOTE --- Start Certificate Manager Opens the installed certificate manager of your system. On macOS, the default certificate manager is Keychain Access. --- END QUOTE --- AFAIK MacOS's "Keychain Access" can store X.509 certificates, but not GPG keys. GPG Keychain can store GPG keys, but not X.509 certificates. It look as though LO on other platforms supports signing ODT documents with either X.509 certificates or GPG keys (?), so it would seem that for full interoperability, ODT document signing on MacOS has to interface to two separete two key/certificate management systems (??).
Still not working for me LibreOffice 7.5.2.2 GPG Keychain 1.12 Start certificate Manager button is till dead.
I tried using with a certificate, stored in the Keychain Access. But also here, pressing the "Start Certificate Manager" button in this case does not open Keychain Access, but replies, that no certificate manager is found (which is funny, as Keychain Access is part of macOS). Also, LO help states that default certificate manager on macOS is Keychain Access, so LO should be able to automatically start it. It seems signing documents on macOS is flawed, not operational. Should I open a new bug for this or leave my report here?
Some info on bug 142279. In a nutshell: some certificate manager are hard-coded and clicking the button is supposed to run these tools. Which depends on the OS but macOS has not been considered yet. Apple's keychain tool probably does not work with GPG / WoT but similarly to Windows with issued certificates. In that's true the keychain tool is worthless (see also bug 133941 for the situation on Windows).
(In reply to Heiko Tietze from comment #13) > Some info on bug 142279. In a nutshell: some certificate manager are > hard-coded and clicking the button is supposed to run these tools. Which > depends on the OS but macOS has not been considered yet. > Which is a very sad state of affairs given that we've been touting digital signatures in our marketing hype since... > Apple's keychain tool probably does not work with GPG / WoT but similarly to > Windows with issued certificates. In that's true the keychain tool is > worthless (see also bug 133941 for the situation on Windows). FWIW, my CertEurope USB eIDAS key relies on a third party app called TKM (Trusted Key Manager) to register the hardware key with the OS. The key isn't automatically registered with Apple Keychain. I would have to export the CER from the TKM app and then import it into the Keychain.app. This type of USB hardware key is used by the bar association of France for filing court documents. It is also one of the allowed hardware signing/authentication/non-repudiation keys used for filing documents with the Unified Patent Court. LibreOffice won't find the cert outside of the Mozilla Firefox profile. For example, if I put a copy of the cert in a folder in my home directory and point LibreOffice manually to that folder, it can't find the key. This means that the CER has to be referenced within the Firefox session by creating a software security device containing the path to the DYLIB and then loading that software security device into the Firefox session. This IMHO is the biggest problem with cert management within LO at the moment, to the extent that it relies on Mozilla profiles (Firefox or Thunderbird) to be called when needed.
In tdf#159307, I am adding the following to the "default list" of certificate manager applications on macOS. Are there other common applications that I should add to the list?: /Applications/GPG Keychain.app ...insert other common applications here... ...existing list of Linux command line programs here... /Applications/Utilities/Keychain Access.app I also see that in LibreOffice 24.2, you can set a custom application in LibreOffice > Security > Certificate Manager in LibreOffice's Options dialog so I am also fixing a few bugs related to that new setting. Current status of my work in process is here: https://gerrit.libreoffice.org/c/core/+/162485
(In reply to Patrick Luby from comment #15) > In tdf#159307, I am adding the following to the "default list" of > certificate manager applications on macOS. Are there other common > applications that I should add to the list?: > I don't know how common the following are, but I have to use them for my work: SCInterface Manager and SmartCard tools (www.cryptovision.com) Trusted Key Manager 1.7.3 (OCDrive 2019) - CertEurope
(In reply to Alex Thurgood from comment #16) > I don't know how common the following are, but I have to use them for my > work: > > SCInterface Manager and SmartCard tools (www.cryptovision.com) > > Trusted Key Manager 1.7.3 (OCDrive 2019) - CertEurope I think we can add them. I have time tomorrow to work on tdf#159307 so can you download tomorrow's (01 February 2024) nightly build and test each in the Options dialog's LibreOffice > Security > Certificate Manager via the Browse button. After setting each one, does the Start Certificate Manager button launch the application? If yes, can you copy the path that is in the Options dialog (the Open dialog may return a path slightly different than in Finder in some cases)?
(In reply to Patrick Luby from comment #17) > (In reply to Alex Thurgood from comment #16) > I think we can add them. I have time tomorrow to work on tdf#159307 so can > you download tomorrow's (01 February 2024) nightly build and test each in > the Options dialog's LibreOffice > Security > Certificate Manager via the > Browse button. > > After setting each one, does the Start Certificate Manager button launch the > application? If yes, can you copy the path that is in the Options dialog > (the Open dialog may return a path slightly different than in Finder in some > cases)? I'll have a look tomorrow and report back, as I was otherwise engaged today.
(In reply to Patrick Luby from comment #17) > I think we can add them. I have time tomorrow to work on tdf#159307 so can > you download tomorrow's (01 February 2024) nightly build and test each in > the Options dialog's LibreOffice > Security > Certificate Manager via the > Browse button. > > After setting each one, does the Start Certificate Manager button launch the > application? If yes, can you copy the path that is in the Options dialog > (the Open dialog may return a path slightly different than in Finder in some > cases)? After adding the scManager.app, I see the following path in the Certificate Manager path field: /Applications/SCinterface/scManager.app/ With an open test document in Writer, calling the digital signature dialog and clicking on the Certificate Manager button successfully opens the scManager app. Similarly, after adding the 'Trusted Key Manager.app', I see the following path: /Applications/Trusted Key Manager.app/ and the app duly opens when clicking on the Certificate Manager button.
(In reply to Alex Thurgood from comment #19) > After adding the scManager.app, I see the following path in the Certificate > Manager path field: > > /Applications/SCinterface/scManager.app/ > > With an open test document in Writer, calling the digital signature dialog > and clicking on the Certificate Manager button successfully opens the > scManager app. > > > Similarly, after adding the 'Trusted Key Manager.app', I see the following > path: > > /Applications/Trusted Key Manager.app/ > > and the app duly opens when clicking on the Certificate Manager button. So which application is used by more people? My guess is that GPGTools is the most common and macOS' Keychain Access application is the least common so these two would go in the middle. I just don't have any sense which is more common.
(In reply to Patrick Luby from comment #20) > So which application is used by more people? My guess is that GPGTools is > the most common and macOS' Keychain Access application is the least common > so these two would go in the middle. I just don't have any sense which is > more common. I actually have no idea, but would hasard a guess that scManager isn't the most commonly used app out there, and the TKM whilst apparently specific to CertEurope is fairly widely used by the French barrister profession for court submissions, and, so I'm led to believe, by other organisations within the EU (although I have no actual evidence of that).
(In reply to Alex Thurgood from comment #21) > I actually have no idea, but would hasard a guess that scManager isn't the > most commonly used app out there, and the TKM whilst apparently specific to > CertEurope is fairly widely used by the French barrister profession for > court submissions, and, so I'm led to believe, by other organisations within > the EU (although I have no actual evidence of that). OK. Let's put TKM first and scManager second and see how that goes.
Below version works as expected: File > Digital Signatures > Digital Signatures > Start Certificate Manager… does open GPG Keychain and shows a dialog stating: You have opened the certificate manager at /Applications/GPG Keychain.app Some thoughts about the success dialog and wording: - Wondering if "%/app_name_here_without_suffix has been opened." is sufficient as dialog after opening the certificate manager - is that confirmation dialog needed at all? If the certificate manager does open, it opens on top level over other open windows so it is hard to miss - is the path really relevant in this dialog? Also all apps use suffix "app" so there isn't any point in showing the suffix. Version: 24.8.0.0.alpha0+ (X86_64) / LibreOffice Community Build ID: 3d5c0a94539d2196c7d0dd9f52660ba9e58d31b8 CPU threads: 8; OS: macOS 13.6.4; UI render: Skia/Metal; VCL: osx Locale: en-US (en_DE.UTF-8); UI: en-US Calc: threaded
Created attachment 192368 [details] 2024-02-03 functional dialog after opening GPG Keychain
(In reply to steve from comment #23) > Below version works as expected: File > Digital Signatures > Digital > Signatures > Start Certificate Manager… does open GPG Keychain and shows a > dialog stating: You have opened the certificate manager at /Applications/GPG > Keychain.app > > Some thoughts about the success dialog and wording: > > - Wondering if "%/app_name_here_without_suffix has been opened." is > sufficient as dialog after opening the certificate manager > - is that confirmation dialog needed at all? If the certificate manager does > open, it opens on top level over other open windows so it is hard to miss +1 I wonder the same. In my opinion, this dialog window with this information is completely unnecessary and redundant; the information provided arises automatically from the action that is currently taking place, especially since it was explicitly initiated by the user. Why then parallel an extra confirmation through such a dialog window, which is also covered while the action initiated by the user is successfully taking place and the result is presented prominently? > - is the path really relevant in this dialog? +1 > Also all apps use suffix "app" so there isn't any point in showing the suffix. +1 Version: 24.8.0.0.alpha0+ (AARCH64) / LibreOffice Community Build ID: 3fc0eb2bc8b439bda286e0c87a9814d90cc9d9d5 CPU threads: 10; OS: macOS 14.3; UI render: Skia/Metal; VCL: osx Locale: de-DE (de_DE.UTF-8); UI: de-DE Calc: threaded
Two things I forgot: 1. I think https://bugs.documentfoundation.org/show_bug.cgi?id=159307 is a dupe of this bug here, correct? 2. Patrick, if you think the changed dialog should go into a separate bug, just let us know so that can be filed.
Patrick Luby committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/538f7b45c0c2c08124e9ea51a0947504f142a4f1 tdf#147291 add more default certificate manager application for macOS It will be available in 24.8.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Resolved/Fixed, Patrick?
Marking as duplicate of tdf#159307. *** This bug has been marked as a duplicate of bug 159307 ***
Patrick Luby committed a patch related to this issue. It has been pushed to "libreoffice-24-2": https://git.libreoffice.org/core/commit/aebea827555c29b30eded9a4e158b58c063613dc tdf#147291 add more default certificate manager application for macOS It will be available in 24.2.1. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.