openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: [RELEASE]: RC3 available
Date Wed, 16 Apr 2014 15:58:09 GMT
On Wed, Apr 16, 2014 at 11:31 AM, imacat <imacat@mail.imacat.idv.tw> wrote:
> On 2014/04/16 21:28, Jürgen Schmidt said:
>> On 4/15/14 4:14 PM, imacat wrote:
>>> On 2014/04/14 16:21, Jürgen Schmidt said:
>>>> the RC3 build (rev. 1586584) is uploading and most of the files
>>>> are already available. Only 32 bit language packs for Linux are
>>>> currently missing.
>>>>
>>>> I plan to start a vote later today but would like to invite
>>>> everybody to test the new build already ...
>>>>
>>>> https://cwiki.apache.org/confluence/display/OOOUSERS/Development+Snapshot+Builds
>>> I found that I cannot digitally sign my documents with 4.1 as 4.0
>>> anymore.  Is it a planned change, or a bug?
>>
>> can you provide more information how exactly you did it in 4.0? I am
>> not very familiar with document signing and haven't signed a document
>> before. The information I found is not clear to me and the behaviour
>> is always the same in 4.0, 4.0.1 and 4.1 at least on Mac. I have a
>> self signed cert created ...
>
>     On Linux, OpenOffice document signature is done via the Mozilla
> firefox certificate store.  On Windows, it is done via the Windows
> certificate store.
>
>     I suppose the procedure is as follows:
>
> 1. Get/create a personal X.509 key/certificate with e-mail as the common
> name.  Self-signed personal key/certificates should be OK.
>
> 2. Import it into the Mozilla firefox certificate store or Windows
> certificate store.
>
> 3. Close OpenOffice, including the quick run icon, if it is currently
> running.  Restart it.
>
> 4. Save some document with something.
>
> 5. Sign the document from [File]=>[Digital Signature].
>
>     Before 4.0, the personal key/certificate in the Mozilla certificate
> store will be shown in [File]=>[Digital Signature].  On 4.1, this is
> missing.
>
>     Digital signature is an important part to OpenOffice macro security
> and document integrity.  If this is unintended, we will have to do
> something to fix it.
>

So what happens to a document that was signed with AOO 4.0.1?  Can you
read it in AOO 4.1?  Can you verify the signature?  Same for a signed
macro?

I think it is important to know whether AOO 4.1 "fails safe" with
signed macros if it is unable to verify the signature.  If a user has
set security to allow only execution of signed macros and AOO 4.1
permits them to be executed without being able to verify the
signature, then we have a much more serious problem.  I'm not saying
that this problem exists, but we should check carefully to make sure
it is not a  problem.

-Rob


>>
>> Does anybody know more about document signing and how it is intended
>> to work?
>>
>> Juergen
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
>> For additional commands, e-mail: dev-help@openoffice.apache.org
>>
>
>
> --
> Best regards,
> imacat ^_*' <imacat@mail.imacat.idv.tw>
> PGP Key http://www.imacat.idv.tw/me/pgpkey.asc
>
> <<Woman's Voice>> News: http://www.wov.idv.tw/
> Tavern IMACAT's http://www.imacat.idv.tw/
> Woman in FOSS in Taiwan http://wofoss.blogspot.com/
> OpenOffice http://www.openoffice.org/
> EducOO/OOo4Kids Taiwan http://www.educoo.tw/
> Greenfoot Taiwan http://greenfoot.westart.tw/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message