Linux check pdf signature

A digital signature certifies and timestamps a document. If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant. The GnuPG source distribution, for example, is signed so that users can verify that the source code has not been modified since it was packaged.

Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key. For example, Alice would use her own private key to digitally sign her latest submission to the Journal of Inorganic Chemistry. The associate editor handling her submission would use Alice’s public key to check the signature to verify that the submission indeed came from Alice and that it had not been modified since Alice sent it. A consequence of using digital signatures is that it is difficult to deny that you made a digital signature since that would imply your private key had been compromised.

alice% gpg —output doc.sig —sign doc You need a passphrase to unlock the private key for user: «Alice (Judge) » 1024-bit DSA key, ID BB7576AC, created 1999-06-04 Enter passphrase:

The document is compressed before signed, and the output is in binary format.

Given a signed document, you can either check the signature or check the signature and recover the original document. To check the signature use the —verify option. To verify the signature and extract the document use the —decrypt option. The signed document to verify and recover is input and the recovered document is output.

blake% gpg —output doc —decrypt doc.sig gpg: Signature made Fri Jun 4 12:02:38 1999 CDT using DSA key ID BB7576AC gpg: Good signature from «Alice (Judge) «

A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it. The option —clearsign causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document.

A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the —detach-sig option.

alice% gpg —output doc.sig —detach-sig doc You need a passphrase to unlock the secret key for user: «Alice (Judge) » 1024-bit DSA key, ID BB7576AC, created 1999-06-04 Enter passphrase:

Both the document and detached signature are needed to verify the signature. The —verify option can be to check the signature.

Источник

How To Verify Files and Signatures with PGP In Linux?

GnuPG is an opensource and popular alternative to the PGP. PGP provides encryption-related function. PGP provides a hash function like standard Linux packages. We will look ow to verify files downloaded from the internet with their PGP signatures to verify.

Find PGP Information

In this example, we will use the Apache source code. Apache PGP signature can be found and downloaded like below.

Find PGP Information

We can see that the signature file have asc extension with the same name with the compressed source code file.

Download Apache Source

We will download Apache source code related with previously downloaded PGP signature.

Download Apache Source

Verify Source Code

We will verify downloaded Apache source code with PGP by providing the signature file. We will just provide the asc file which will match the source file in the same directory.

Verify Source Code

There is a problem Can’t check signature: No Public key error. This is because we havent added the Public key of the Apache from a server.

Add Public Key Server

We will add the public key server to check our signature file. We will use —keyserver option in order to specify the GPG key server which can be an IP address or hostname. Then we will use the —recv-key option and provide the ID of the RSA key which is provided with the asc file.

Add Public Key Server

We have successfully received a public key from the server. We can see there is some information about the imported key.

Some name and web address about the key is provided.
`Total number processed` shows total keys processes which is 1 in this example.
`Imported` is imported key count which is 1 in this example.

Check Again Signature File

We will check the signature file again. I hope it works.

Check Again Signature File

We can see that the signed data is determined. Also, the RSA key is printed to the screen. The signer information also provided which is Daniel Ruggeri .

Источник

How to verify a digital signature on a PDF on Linux?

I am a Linux desktop user.

Someone sends me a PDF file which is digitally signed. It is supposed to be signed using some kind of government / regulated body / official institution issued certificate.

Is there a way that I, as a typical end-user, could determine whether the signature is valid?

I know Windows Acrobat Reader works to some extend, though even there it’s not really clear about the validity of a signature as opposed to the fact that it’s there and seems to be from XYZ.

2 Answers 2

I spent few hours experimenting with that and found that:

1) pdfsig command from poppler-utils package is able to validate PDF signature. Usage is simple:

But for me it works only for visible signatures (version 0.62.0 on Fedora 28). For invisible signatures it shows:

File ‘signed.pdf’ does not contain any signatures

2) Master PDF Editor is a GUI tool which shows and validates signatures as shown on the picture below and it is enough to have free version.

3) LibreOffice Draw is able to show and validate signature using File -> Electronic signatures -> Electronic signatures. But in my case it again shows only visible signatures.

Источник

How to check if a PDF has any kind of digital signature

I need to understand if a PDF has any kind of digital signature. I have to manage huge PDFs, e.g. 500MB each, so I just need to find a way to separate non-signed from signed (so I can send just signed PDFs to a method that manages them). Any procedure found until now involves attempt to extract certificate via e.g. Bouncycastle libs (in my case, for Java): if it is present, pdf is signed, if it not present or a exception is raised, is it not (sic!). But this is obviously time/memory consuming, other than an example of resource-wastings implementation.

Is there any quick language-independent way, e.g. opening PDF file, and reading first bytes and finding an info telling that file is signed? Alternatively, is there any reference manual telling in detail how is made internally a PDF?

Thank you in advance

3 Answers 3

You are going to want to use a PDF Library rather than trying to implement this all yourself, otherwise you will get bogged down with handling the variations of Linearized documents, Filters, Incremental updates, object streams, cross-reference streams, and more.

With regards to reference material; per my cursory search, it looks like Adobe is no longer providing its version of the ISO 32000:2008 specification to any and all, though that specification is mainly a translation of the PDF v1.7 Reference manual to ISO-conforming language.

So assuming the PDF v1.7 Reference, the most relevant sections are going to be 8.7 (Digital Signatures), 3.6.1 (Document Catalog), and 8.6 (Interactive Forms).

The basic process is going to be:

Read the Document Catalog for ‘Perms’ and ‘AcroForm’ entries.
Read the ‘Perms’ dictionary for ‘DocMDP’,’UR’, or ‘UR3’ entries. If these entries exist, In all likelyhood, you have either a certified document or a Reader-enabled document.
Read the ‘AcroForm’ entry; (make sure that you do not have an ‘XFA’ entry, because in the words of Fraizer from Porgy and Bess: Dat’s a complication!). You basically want to first check if there is an (optional) ‘SigFlags’ entry, in which case a non-zero value would indicate that there is a signature in the Fields Array. Otherwise, you need to walk each entry of the ‘Fields’ Array looking for a field dictionary with an ‘FT’ (Field Type) entry set to ‘Sig’ (signature), with a ‘V’ (Value) entry that is not null.

Using a PDF library that can use the document’s cross-reference table to navigate you to the right indirect objects should be faster and less resource-intensive than a brute-force search of the document for a certificate.

Источник

How would I validate digital signature for PDFs in linux?

Adobe Reader, which I use on MS Windows, has the ability to validate the digital signature (created with an X.509 certificate) in a PDF file.

I’d like to do such verification on Linux desktops. I’ve tried Evince and Okular, the most recommended PDF readers, but they can’t do that. On the other hand, Adobe Reader is not available for Linux (see https://get.adobe.com/reader/otherversions/). PDF readers that are built-in in current versions of Firefox and Chrome neither can verify the signatures.

I’m fine with using a gui, command line tool or a firefox/chrome extension to do this.

5 Answers 5

Poppler (poppler-utils) contains pdfsig , which verifies the signature against the stored known certificates.

It’s not yet super advanced (no export), but a great step ahead.

UPDATE: The original bug number is 16770 and it was pushed into production on 2016-03-01; it was included first in v0.42.

Libreoffice Draw is able to read PDFs and allows one to verify document’s certificate and signature ( File -> Digital Signatures -> Digital Signatures… ).

Also, when the PDF has been loaded, there is a warning message if the certificate could not be validated, yet the signature was OK.

I’ve tested it using 6.0.4.2, but according to crowdfunding page related to PDF signatures in LibreOffice it probably was possible back in 2015, in versions 4.4 or 4.5.

Try our software PDF Studio Viewer, a PDF Reader for Linux that supports rendering and validating digital signatures. I am a developer for this software.

Disclosure: I am a developer at Qoppa

LibreOffice Draw
Okular since KDE Applications 19.04.0
Evince does not support that, but there is an unofficial patch
pdfsig (from poppler-utils , req. the root cert. installed in your Firefox profile dir)

The following steps show how to download the Aadhaar Card and convert it to a nice PDF:

Goto https://eaadhaar.uidai.gov.in/eaadhaar/ and fill this ugly looking form.
Enter the code from the SMS to download and save the file. I assume you saved it as “aadhaar-unverified.pdf”.
Install acrobat reader and javascript plugins from the deb-multimedia.org repository: apt-get install acroread acroread-plugins acroread-escript
Open the file with acroread, the password is the ZIP of the city.
Click on the question mark, a window with title “Signature Validation Status” opens.
Click “Signature Properties” to open the window with the same title.
Click “Show Certificate” to open the certificate window. Choose the “Trust” tab.
Click “Add to Trusted Identities”.
Click “OK” to close the certificate window.
Click “Validate Signature”.
Click “Close” to close the Signature Properties window.
Print the page into the file “aadhaar-verified.ps”.
Convert the postscript file to pdf. The following command is one line. The “sed” removes a stupid “copy protection” from the postscript file and ps2pdf then creates the PDF file. sed «/mark currentfile eexec/,/cleartomark/ d» aadhaar-verified.ps | ps2pdf — aadhaar-verified.pdf
Now print the copy of your E-Aadhaar Card on paper and make backups of your PDF file.

Now you have a nice verified PDF which you can print without any problems. Wasn’t that simple, eh?

Источник