Apache OpenOffice (AOO) Bugzilla – Issue 101150
The encrypted signature of manifest.xml should be stored in encrypted documents.
Last modified: 2017-05-20 10:48:05 UTC
As we discussed at the last meeting, it seems to make sense to protect the manifest.xml in encrypted documents from changes. The idea was to create a signature stream of the manifest.xml and encrypt it with the document password. In this way the manifest.xml can no longer be changed (without the password) in a protected document without OOo detecting it on opening.

mav->mib: As I understand it, this change does not conflict with the ODF specification. For files that do not have such protection a warning/error would be shown, but it would still be possible to open them. Am I right in my understanding?
This is of course no defect.
I guess the warning thing needs to be discussed a little bit deeper. Since we try to better protect newly created documents, we must figure out how to handle old/existing documents, and documents written with other applications. Since we talk about encrypted documents, I guess we wouldn't again stumble into some security issues, like with digital signatures and old documents. TBD with UX...
The handling of the old documents is still not clear. So it was decided not to implement the feature for 3.2. Changing the Target accordingly.
Reset assignee to the default "issues@openoffice.apache.org".
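
The check proposed in this issue, sketched as an added example (not OpenOffice code and not from the thread). It substitutes an HMAC-SHA256 keyed from the document password via PBKDF2 for the "encrypted signature"; the seal stream name, the 16-byte salt and the iteration count are assumptions, and the packages are constructed in memory.

```python
import hashlib
import hmac
import io
import os
import zipfile

MANIFEST = "META-INF/manifest.xml"
SEAL = "META-INF/manifest-seal.bin"   # hypothetical stream name, not defined by ODF
ITERATIONS = 100_000                  # assumed PBKDF2 work factor


def _tag(manifest: bytes, password: str, salt: bytes) -> bytes:
    """HMAC-SHA256 over the manifest, keyed from the document password."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(key, manifest, hashlib.sha256).digest()


def write_package(manifest: bytes, password: str, protect: bool = True) -> bytes:
    """Build a minimal constructed package; protect=False imitates an old document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        if protect:
            salt = os.urandom(16)
            z.writestr(SEAL, salt + _tag(manifest, password, salt))
    return buf.getvalue()


def check_package(package: bytes, password: str) -> str:
    """Return 'ok', 'tampered', or 'unprotected' (old/foreign file: warn, still open)."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        manifest = z.read(MANIFEST)
        if SEAL not in z.namelist():
            return "unprotected"
        seal = z.read(SEAL)
    salt, stored = seal[:16], seal[16:]
    ok = hmac.compare_digest(stored, _tag(manifest, password, salt))
    return "ok" if ok else "tampered"


def replace_manifest(package: bytes, new_manifest: bytes) -> bytes:
    """Simulate an edit made without the password: swap the manifest, keep the seal."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, new_manifest if name == MANIFEST else src.read(name))
    return out.getvalue()
```

A package whose seal stream is absent is indistinguishable from an old document and only reaches the "unprotected" branch, which is why the warning-versus-error handling of old documents discussed in the thread decides how much protection the seal gives.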