How do I digitally sign a PDF with a S/MIME certificate?

pdf certificates signature

I have already acquired a S/MIME certificate (a .p12 file) issued by an authority. Using it in Writer, I can digitally sign documents by following this procedure : How do I make a digital certificate available to LibreOffice Writer for digital signatures?

Can I do the same for PDF files? If yes, what method do you suggest me? I would prefer a solution that relies on Free Software.


Solution 1:

Your only option is Portable Signer. Download it and run the jar. It requires a private key in a p12 file though (not compatible with SmartCard).

You might expect Ubuntu document signing tools like qdigidoc or gpg would do, but no, they don't play with PDF signatures.

You might then expect Ubuntu PDF manipulation tools like qpdf, which provides encryption, or pdftk, which provides watermarking, to provide signing features too, but, no, they don't.

The total list of opensource tools available for your purpose is: http://wiki.cacert.org/PdfSigning

Unfortunately, none of the tools is currently maintained and none can be found in Ubuntu packages. Portable Signer is the most well maintained of all.

  • Portable Signer hasn't been updated since 2014 - this is the most well maintained among all.
  • jSignPdf hasn't been updated since 2013.
  • jPdfSign hasn't been updated since 2006.
  • CACert's PdfSigner uses outdated iText tool.
  • OpenSignature hasn't been updated since 2008.
  • Footprint's link is broken.
  • jPDFSecure (commercial) – updated in 2017 but it is a Java library not a user tool.

Solution 2:

I found that you can use gpg to sign a PDF in a way that it still opens up in a viewer.

gpg --clearsign --output=signed.pdf input.pdf

Above would yield .asc file which is basically concatenation of input||signature but file extension is forced into .pdf making it to open in viewer, produce thumbnails, etc.

enter image description here

You can verify signature using gpg again.

$ gpg --verify signed.pdf 
gpg: Podpisano nie, 12 kwi 2015, 19:07:15 CEST z użyciem RSA kluczem
gpg: Poprawny podpis od "Arkadiusz Bulski <[email protected]>"

Be warned that some pdfs dont work well with signing this way, such as optimised pdfs. You should check the results yourself.

Solution 3:

If you have the certificate available in Writer and if using its Export to PDF function, you can also digitally sign the resulting PDF from the last tab of the dialog right before the export.

As far as I can tell, Acrobat Reader for Android says the document is protected, for what it's worth.

Update '17: Since last December you can sign PDF files with LibreOffice by going File → Digital signatures → Sign Existing PDF.

That will open Draw which is capable of signing the PDF.

Solution 4:

Good news! KDE's PDF viewer Okular (with backend Poppler) now supports embedded digital signatures in PDFs, similar to how Adobe Reader does it. Details are found in a post by TU Dresden, who has sponsored the implementation of this feature.

The feature is expected to appear in releases from April 2021 (Okular v21.04, Poppler v21.01). As of December 2020, it is already possible to compile the current development version of Okular and the Poppler PDF library locally to obtain the feature. Instructions and a build script are provided with the TU Dresden post.

I have completed the installation using the instructions in the script (watch out for truncated lines in the online-preview!) on KDE Neon 5.20 (based on Ubuntu 20.04 LTS) using Poppler as of Commit 407293bf and Okular as of Commit 110ccd61 (future versions should of course continue to work, so this is just for full reproducibility). I have installed under /usr/local/ and created a start script okular-sign with the variable definitions as in the TU Dresden manual. The new version of Okular identifies as "Version 21.03.70". As typical for KDE, this "local" version of Okular does interfere with the official one from the distribution, which is partly changed to the new version even when starting the old binary (presumably this is due to KDE's system-wide registration of "parts" or some such component). I hope that it will be possible to revert to an official version when signing support is released in my distribution's packages.

After successful installation, I could create a digital signature as advertised in the post:

  • Open a PDF
  • Click 'Digitally sign' in the 'Tools' menu. Alternatively add the "Digitally sign" icon in your preferred tool bar and click it.
  • Draw a rectangle where you want to have the visible hint for the electronic signature.
  • A dialogue will ask for the private key to use, in case there are multiple. Select the one you want to use.
  • Enter the passphrase of your key.

One is prompted to save the signed PDF under a new file name after that.

Related

libssl.so.10: cannot open shared object file: No such file or directory
update-alternatives --install says it needs link name path priority?
Best way to read a config file in bash
How can I show the week numbers in the calendar shown at the top in GNOME Shell?
Add environment variable to .bashrc through script
How to hide top bar in Ubuntu 18.04?
How do I install gcc 4.7?
Minify tool that can be executed through terminal
Set default group for user when they create new files?
Is it possible to restore only one directory with the backup utility?
How do I create and tune an ext4 partition from the command-line?
PulseAudio fails to set card profile to 'a2dp_sink'. How can I see the logs and figure out whats wrong?