With the 64-Bit Version of LibreOffice (reproduced with 64-Bit LO 188.8.131.52) it is not possitble to digitally sign documents.
Workflow (see attached Screenshots Step-[n]):
1. trying to sign the document, the "Digital Signatures" dialog comes up (see Step-1.jpg)
2. pressing "sign document" button (see Step-1.jpg)
3. the "choose certificate" dialog comes up with (correct) all availible certificates (see Step-2.jpg)
4. choosing a certificate (e.g. the first one, see Step-2.jpg) and pressing ok.
5. the Windows CryptoAPI Dialog comes up (correct), see Step-3.jpg
6. After confirming access to the certificate storage (with ok button) just nothing happens
--- this is the bug ---
7. There is still the open "Digital Signatures" dialog (see Step-1.jpg) with no signature inside.
In the 32-Bit Version of Libre Office this works fine, the document is signed and in "7." you can see an entry with the choosen certificate Signature in Step-1.jpg
Created attachment 119447 [details]
Step-1.jpg, dialog for [Step #1], see description
Created attachment 119448 [details]
Step-2.jpg, dialog for [Step #2], see description
Created attachment 119449 [details]
Step-3.jpg, dialog for [Step #3], see description
It is enough to mention the bitness in the description or summary like you now have.
Reverting version change. It is earliest affected.
Reproduce in LibreOffice 184.108.40.206.
Version: 220.127.116.11 (x64)
Build ID: f99d75f39f1c57ebdd7ffc5f42867c12031db97a
CPU Threads: 8; OS Version: Windows 6.1; UI Render: default;
Locale: zh-CN (zh_CN)
And when using 64bit LibreOffice open a file has Signatured it shows:
The digitally signed document content and/or macros do not match the current document signature.
This could be the result of document manipulation or of structural document damage due to data transmission.
We recommend that you do not trust the content of the current document.
Execution of macros is disabled for this document.
Build ID: 3c2231d4aa4c68281f28ad35a100c092cff84f5d
CPU Threads: 8; OS Version: Windows 6.2; UI Render: default;
Locale: zh-CN (zh_CN); Calc: single
Now, LibreOffice 5.2.0 and 5.2.2 32bit cannot sign documnet either.
LibreOffice 5.2 is EOL now.
Does the bug still exist in 5.3 or 5.4?
*** Bug 102276 has been marked as a duplicate of this bug. ***
(In reply to Samuel Mehrbrodt (CIB) from comment #8)
> LibreOffice 5.2 is EOL now.
> Does the bug still exist in 5.3 or 5.4?
I can use digital signatures on Windows 10 64 bits with LibreOffice 18.104.22.168
So resolve as WorksForMe.
Oliver, if you still have problems in the new versions, feel free to reopen with details as much as possible :)
Digital signing doesn't work in 64 bit LibreOffice 22.214.171.124. Behaviour is as described by Oliver.
Digital signing doesn't work in 64 bit LibreOffice 126.96.36.199 in Windows 10. Behaviour is as described by Oliver.
Digital signature is not working in 64 bit LibreOffice 6.2.x and 6.3 for Windows 10 x64.
Behaviour is similary as described by Oliver, but i was using a hardware digital signature (eToken):
1)The "Digital Signatures" dialog comes up.
2)The "choose certificate" windows opens up with all availible certificates.
3)I choose a certificate and press "Sign" button.
4)At this point, with a "hardware signature" (eToken), a dialog window should pop up asking for the digital signature password... that is just not happening.
5)The "Digital Signatures" window comes up again without the signature.
Note: Digital signature is working fine at LibreOffice 6.1.6 x64 version, wich actually i have installed and working good.
Martin: it would be great, if you could bibisect the bug: https://wiki.documentfoundation.org/QA/Bibisect/Windows
General instructions: https://wiki.documentfoundation.org/QA/Bibisect
After installing cygwin, the command to clone the repo you need:
git clone https://git.libreoffice.org/bibisect-win32-6.2
Issue exists as described by Martin
Windows 8.1 pro x64
In the older version Loffice 188.8.131.52
the digital signature is working.
However for that version another bug exists
In the older version Loffice 5.4.3
the bug does not appear.
If anyone knows a version 6.xx that is ok let us know in the comments.
We managed to reproduce this issue with 5.4 and newer versions.
5.3 and older (tested: 5.0-5.3, 4.2, 3.5) did work using an X509 certificate to sign odt files on Win 8.1 and 32 bit release versions via SI-GUI.
bibisect-win32-5.4 shows it begun at:
author Miklos Vajna <firstname.lastname@example.org> 2017-05-17 09:13:09 +0200
committer Miklos Vajna <email@example.com> 2017-05-17 10:20:50 +0200
xmlsecurity: use xmlsec API instead of patching out cert verification
This flag does exactly what we need since xmlsec-1.2.24.
Adding CC to: Miklos Vajna
Also a debug build gives this console output when trying to sign a document:
warn:xmlsecurity.xmlsec:17676:14848:xmlsecurity/source/xmlsec/errorcallback.cxx:52: ..\src\xmldsig.c:793: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' A művelet sikeresen befejeződött.
warn:xmlsecurity.xmlsec:17676:14848:xmlsecurity/source/xmlsec/errorcallback.cxx:52: ..\src\xmldsig.c:508: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' A művelet sikeresen befejeződött.
warn:xmlsecurity.xmlsec:17676:14848:xmlsecurity/source/xmlsec/errorcallback.cxx:52: ..\src\xmldsig.c:291: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' ' A művelet sikeresen befejeződött.
('A művelet sikeresen befejeződött.' = Operation completed successfully)
Could you please attach some test certificate that triggers this problem? I used the xmlsecurity/qa/create-certs/ script last time to create a self-signed cert for testing purposes, and it was OK, even after the above change.
There is some nastiness going on here and I really hate it.
"JL: OpenOffice.org implements its own certificate verification routine.
-+ The goal is to separate validation of the signature
-+ and the certificate. For example, OOo could show that the document signature is valid,
-+ but the certificate could not be verified. If we do not prevent the verification of
-+ the certificate by libxmlsec and the verification fails, then the XML signature will not be
-+ verified. This would happen, for example, if the root certificate is not installed. "
I don't really get it so I installed Apache openoffice 4.1.7 as well.
I sign a document with Libreoffice 184.108.40.206 that still works for me.
First test, I sign with Loffice and then I open the file from apacheOO.
Apache says the certificate is ok, but the signature is invalid.
Libreoffice says it is ok and the type of signature is XAdES
Second test I sign with Apache and then I open with LIbre
Libreoffice says everything ok and the type of sign is XML-DSig
Certificate is valid and signature is valid
AOO has some ancient libxmlsec, so you need to use crypto algos which are considered unsafe today to please it. If you create a new signature in LO, you'll get SHA-256 for hashing, but AOO only supports MD5 and SHA1. I would say this is their problem, not ours.
I use safenet etoken 5100 and SafeNet Authentication Client
Who decides for the crypto algorithm, is it Libreoffice of the Safenet Client?
LO asks for the algo of the signing certificate, we handle RSA and ECDSA there. Then we create a signature using the same algo, we don't really have an other choice I think.
I checked my signed libreoffice *.odt and it says
PKCS #1 SHA-1 With RSA Encryption
So it is not SHA-256.
How come there is the issue with apacheOO ?
"AOO has some ancient libxmlsec, so you need to use crypto algos which are considered unsafe today to please it. If you create a new signature in LO, you'll get SHA-256 for hashing, but AOO only supports MD5 and SHA1. I would say this is their problem, not ours."
Perhaps I misremember, best to look at the code. :-)
What I remembered is that we always create SHA-256 hashes, we just roundtrip SHA-1 for existing signatures.
Anyhow, please don't misuse this bug. This bug tracks the problem of not being able to create signatures at all for specific certificates, on Windows.
Your problem is about an AOO vs LO compatibility; please file a separate issue and then it can be triaged to see if that's a regression, etc. Thanks.
Yes this bug is about that. It would be useful if we had a test build of Libreoffice 6.XX version with the problematic patch reverted so that we could test it the bug is not present.
"Anyhow, please don't misuse this bug. This bug tracks the problem of not being able to create signatures at all for specific certificates, on Windows."