Add support for digitally signing documents

[mbkma]

inspired by https://gitlab.gnome.org/GNOME/evince/-/merge_requests/488

Testing Digital Signing in Atril

Prerequisites

Install NSS tools (needed to manage the certificate database that poppler uses):

sudo apt install libnss3-tools

1. Create a Self-Signed Test Certificate

Poppler uses the system NSS database at ~/.pki/nssdb. The database already exists; we just need to add a test certificate.

# Generate a private key and self-signed certificate with openssl
openssl req -x509 -newkey rsa:2048 -keyout /tmp/test-key.pem \
    -out /tmp/test-cert.pem -days 365 -nodes \
    -subj "/CN=Test Signer/O=Test Org/C=DE"

# Bundle into PKCS#12 format for import
openssl pkcs12 -export -out /tmp/test-signing.p12 \
    -inkey /tmp/test-key.pem -in /tmp/test-cert.pem \
    -name "Test Signer" -passout pass:test123

2. Import the Certificate into the NSS Database

# Import the PKCS#12 into the user NSS database
pk12util -i /tmp/test-signing.p12 -d sql:$HOME/.pki/nssdb \
    -W test123 -K ""

# Verify it was imported
certutil -L -d sql:$HOME/.pki/nssdb

You should see "Test Signer" in the list.

3. Mark the Certificate as Trusted for Signing

certutil -M -n "Test Signer" -t "u,u,u" -d sql:$HOME/.pki/nssdb

4. Run Atril and Test

# Run the freshly built atril
./build/shell/atril ./atril/test/test-links.pdf

Steps in the UI:

1. Open a PDF document
2. Click File → Digital Signing…
3. The info bar appears: "Draw a rectangle to insert a signature field"
4. Draw a rectangle on the page by clicking and dragging
5. A certificate selection dialog appears — select "Test Signer"
6. Click Select
7. A save dialog appears — choose a filename (e.g. /tmp/signed.pdf)
8. Click Save
9. The signed PDF opens in a new Atril window

Verify the signature was written:

pdfsig /tmp/signed.pdf

Or use a recent version of Okular which has signing support.

[vkareh]

I haven't tested this yet, but it seems like a super useful feature for document attestation without having to rely on Adobe.

From this code it doesn't seem like I can yet validate the signatures, only sign, but that could be a logical next phase.

I pointed out in the review a lack of GError propagation - this is probably quite important in terms of making sure any issues during signing are surfaced through the UI, especially since it cannot yet validate signatures in Atril, so the user may think they have signed but cannot verify unless they use a different PDF viewer with support for that.

[vkareh]

This needs to be freed somewhere.

[vkareh]

Should this propagate a GError? Without checking that error == NULL in ev_document_signatures_sign, it will end up calling on_document_signed and assume it succeeded...

[vkareh]

If user cancels the dialog, this would return an empty string rather than NULL

[vkareh]

I'm not sure I understand this...

[mbkma]

This enforces library users to only include libdocument/atril-document.h. It is in all libdocument header files.

[L-U-T-i]

I've built the latest atril git snapshot 39f1f91 with this patch applied. I get File → Digital Signing, but it is greyed out.

I've already had $HOME/.pki/nssdb before (with also my personal certificate, with which I can sign PDF in Adobe Reader). Just to make sure, I've generated and added "Test Signer" certificate as instructed above. "Digital Signing" menu entry is still greyed out.

I've also opened already signed PDF file to try signature verification part, but "Digital Signing" menu entry is greyed out as well.

System is Rocky Linux 9.7.

What might be the reason?

[mbkma]

I've built the latest atril git snapshot 39f1f91 with this patch applied. I get File → Digital Signing, but it is greyed out.

I've already had $HOME/.pki/nssdb before (with also my personal certificate, with which I can sign PDF in Adobe Reader). Just to make sure, I've generated and added "Test Signer" certificate as instructed above. "Digital Signing" menu entry is still greyed out.

I've also opened already signed PDF file to try signature verification part, but "Digital Signing" menu entry is greyed out as well.

System is Rocky Linux 9.7.

What might be the reason?

it could be that in Rocky Linux pobbler (atrils pdf backend) is build without nss. To check you can do ldd /usr/lib64/libpoppler.so | grep nss or wherever you pobbler .so file is located.

[L-U-T-i]

In RHEL / Fedora, libpoppler.so is a part of devel package (which is normally not needed / installed in user desktops), I guess. I've therfore checked:

# locate libpoppler.so
/usr/lib/libpoppler.so.106
/usr/lib/libpoppler.so.106.0.0
/usr/lib64/libpoppler.so.106
/usr/lib64/libpoppler.so.106.0.0

and I get:

# ldd /usr/lib64/libpoppler.so.106 | grep nss
	libnss3.so => /lib64/libnss3.so (0x00007fe6bc2f4000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fe6bc22a000)

is this OK?

[mbkma]

yes, but maybe you have an older pobbler version? when you setup the build in atril ./autogen.sh or meson setup build it tells you the exact version. In my case:

run-time dependency poppler-glib found: YES 24.02.0

You need to have at least version 22.2.0

[L-U-T-i]

I've checked my build log, there is no such line containing "run-time dependency poppler-glib found: YES <version>" (there is no line containing poppler in autogen.sh part), only "checking for POPPLER... yes" (in ./configure part).

But yes, poppler is version 21.01.0 only in Rocky 9.7 at the moment.

Thank you for an explanation / support.

[L-U-T-i]

I've backported Rocky 10.1 poppler 24.02.0 to Rocky Linux 9.7, and then atril with this poppler-glib-devel ver. 24.

I've been asked for a nss password, selected a certificate and get "Digital Signing" now. I've also successfully signed a PDF document (at about normal size rectangle I've been warned about it being too small, and made a huge rectangle after, what looks quite silly now...). I don't get any option to verify a signature though (after reopening this signed document, I got a warning that document is signed, but the signature can not be verified...).

[L-U-T-i]

I've noticed NSS password is now required whenever I open any PDF. It is quite annoying, as I expect to sign only about 1/1000 of all PDFs opened. Maybe it would be better if NSS password is required only after Digital Signature action (sign or verify) is initiated?

[lukefromdc]

This would be unacceptable to those who never sign or interact with signed documents unless a null passphrase can be set and the interface bypassed.

[L-U-T-i]

I'm not sure a null passphrase is an option. Considering I've already had the NSS database in my home directory (before testing that), with my government issued certificate already in it, I guess it is used by some other applications (I'd say Firefox is the first candidate, or some of the dedicated signing applications I have) and there shall be some security to protect such certificates.

Plus, it would be a bit strange to request from atril users to first set a null NSS passphrase before they can normally use atril as by now, or?

[lukefromdc]

Then we just have to ensure that this does not ask for a passphrase on encountering an unsigned document, or leave this out until someone comes up with a fix.

[L-U-T-i]

I've been asked for a passphrase also while opening an already signed document...

[mbkma]

no worries, I will fix this issue before this PR gets merged :)

[mbkma]

Now, the NSS database password prompt appears only when it is actually required:

1. when opening a PDF that contains a signature (for verification), and
2. when signing a document.

If libsecret is available, the password is cached in the GNOME Keyring. This means you only need to enter your password once, the first time the NSS database is unlocked.

[L-U-T-i]

It works as expected now, thank you.

It is also possible to draw a small rectangle now. But, if it is too small for the preselected font size, some text is simply cropped (on the right and / or at the bottom). I'm not sure it is OK like that - it would probably be better to reduce the font size (as long as the text can still be anyhow readable) or to refuse signing (request to draw a wider / taller rectangle)?

And, a nice addition, if it would not be too complicated to implement - an old Adobe Reader 11 has the ability to add a drawing (scanned hand written signature) to a digital signature (it is positioned on the left side, and signature text / details right to it). Looks really cool.

Adobe Reader mentioned also adds an Adobe logo as a watermark / background below the signature text, and it looks quite fancy. Atril logo (the one as on Atril icon) watermark would probably make such a signature look really professional... ;-)

[mbkma]

It works as expected now, thank you.

It is also possible to draw a small rectangle now. But, if it is too small for the preselected font size, some text is simply cropped (on the right and / or at the bottom). I'm not sure it is OK like that - it would probably be better to reduce the font size (as long as the text can still be anyhow readable) or to refuse signing (request to draw a wider / taller rectangle)?

And, a nice addition, if it would not be too complicated to implement - an old Adobe Reader 11 has the ability to add a drawing (scanned hand written signature) to a digital signature (it is positioned on the left side, and signature text / details right to it). Looks really cool.

Adobe Reader mentioned also adds an Adobe logo as a watermark / background below the signature text, and it looks quite fancy. Atril logo (the one as on Atril icon) watermark would probably make such a signature look really professional... ;-)

cool :) yeah this are features I want to look into in the future, but to not further complicate this PR, I would add those features in other PRs later on