Issue 44682 - Removing signature and resigning with another causes havoc
Summary: Removing signature and resigning with another causes havoc
Status: CLOSED IRREPRODUCIBLE
Alias: None
Product: General
Classification: Code
Component: code (show other issues)
Version: 680m82
Hardware: All Windows XP
: P3 Trivial (vote)
Target Milestone: ---
Assignee: frank
QA Contact: issues@framework
URL:
Keywords: needmoreinfo
Depends on:
Blocks:
 
Reported: 2005-03-10 08:06 UTC by stp
Modified: 2005-04-05 15:09 UTC (History)
1 user (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description stp 2005-03-10 08:06:32 UTC 
Steps:
Signed a document with a certificate stored on my smartcard
Saved without problems
Removed smartcard
Reopened document
Met warning that the signature in the document might be invalid
Open "Digital signatures" dialog and removed signatur from document
Inserted smartcard
Added signature again
Now I can't save the document with or withour signature without getting the
warning "Saving will remove all existing signatures.\nDo you want to continue
saving the document?"
Comment 1 stp 2005-03-10 08:28:30 UTC 
Correction: I can save the document without signature without getting the
warning. However, if I add a signature again the warning "Saving will remove all
existing signatures.\nDo you want to continue saving the document?" shows even
though I have already removed all signatures and saved the document.
Comment 2 Olaf Felka 2005-03-10 09:09:52 UTC 
of @ fst: Please have a look.
Comment 3 frank 2005-03-10 11:47:29 UTC 
Hi,

could not reproduce this Issue.

Saving a signed document will always remove added signatures, as no one knows
about the content of the file itself. So signing documents is a two step
operation. First save the document second sign it. This step is to build a
control sum on the document content based on the hash values from the cert.

The broken sig seems to be a problem with embedded OLE objects. See Issue 36682.

Solves this information your problem ?

Frank
Comment 4 stp 2005-03-10 15:56:01 UTC 
Hi,

> Saving a signed document will always remove added signatures, as no one knows 
> about the content of the file itself. So signing documents is a two step
> operation. First save the document second sign it. This step is to build a
> control sum on the document content based on the hash values from the cert.

OK. I thought since I signed the document I could keep editing in the same
Writer session without manually re-adding the signature. Is this a valid feature
request or in conflict with standards?

Regarding the warning I can write "test" to a blank text document, sign it,
close Writer, reopen and get the warning that this certificate should not be
trusted. Does OOo include a list of trusted root certificates?

Søren
Comment 5 frank 2005-03-13 22:03:02 UTC 
Hi,

we've decided to work in a different way compared to MS. If you save an empty
document, sign it and type some text into it, showing this one to your boss and
saying you've signed it and the doc is ready to be send, how should your boss
know that this doc is really on your harddisk and not the empty one just saved
at beginning of the process ?  

So every action changing the content of the file will remove any existing
signature. Also every save will do so.

Have a look at the Spec. about digital signatures here :

http://specs.openoffice.org/appwide/security/Electronic_Signatures_and_Security.sxw

Regarding the root certificates, we are using the MS Crypto Engine on Windows
and Mozillas on Solaris and Linux. So if a root cert is known by these engines
we know it also.

Frank
Comment 6 stp 2005-03-23 13:38:29 UTC 
OK I agree. 

I can't reproduce the warning that the certificate should not be trusted.

Therefore, resolving as WFM.
Comment 7 frank 2005-04-05 15:09:06 UTC 
and closing by request