Bug 58476

Summary: Adding a signature to a document already signed by MS Word invalidates the MS Word signature
Product: LibreOffice
Reporter: Chris Rae [MSFT] <chris.rae>
Component: framework
Assignee: Not Assigned <libreoffice-bugs>
Status: NEW
QA Contact: Florian Reisinger <reisi007>
Severity: normal
Priority: medium
CC: chris.rae
Version: 3.6.1.2 release   
Hardware: All   
OS: All   
See Also: https://issues.apache.org/ooo/show_bug.cgi?id=121505
Attachments: File signed by MS Word (result of step 7 in the repro steps)

Description Chris Rae [MSFT] 2012-12-18 18:43:55 UTC
Created attachment 71744
File signed by MS Word (result of step 7 in the repro steps)

Using LibreOffice to add a signature to a document that has already been signed by someone in MS Word invalidates the (still-valid) original signature.

Steps (note that a file is attached which allows you to skip steps 1-7):

1) Boot MS Word
2) Hit Escape (Create default document)
3) File -> Info -> Protect Document -> Add a Digital signature
4) Save file as ODF format (.odt)
5) Choose an RSA certificate that uses a SHA1 hash (DSA is fine too)
6) Click Sign
7) Exit MS Word
8) Open document in LibreOffice
9) Under File menu, click Digital Signatures
10) Notice they're considered valid
11) Now click "Sign Document" button and add a digital signature using a SHA1 cert
12) Observe invalid original signature

It seems that this might be happening because LibreOffice is rewriting the XML for the MS Word signature, but omitting the Type attribute on the Reference element.
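
A check for the cause suggested in the report, as an added example that is not part of the original bug report or of LibreOffice's code: it compares the `Reference` elements inside each `SignedInfo` before and after the file is re-saved and lists every attribute that changed, since `SignedInfo` is the part the signature value is computed over. The XML samples are constructed (not taken from the attachment) and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a signature file as written by the first signer.
BEFORE = f"""<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
<Signature xmlns="{DS}" Id="sig-1"><SignedInfo>
<Reference URI="content.xml"><DigestValue>AAAA</DigestValue></Reference>
<Reference URI="#obj-1" Type="{DS}Object"><DigestValue>BBBB</DigestValue></Reference>
</SignedInfo><SignatureValue>CCCC</SignatureValue></Signature>
</document-signatures>"""

# Constructed sample: the same signature after a rewrite that omits Type.
AFTER = BEFORE.replace(f' Type="{DS}Object"', "")


def signed_references(xml_text):
    """Map signature Id -> {Reference URI -> attributes} for SignedInfo."""
    root = ET.fromstring(xml_text)
    out = {}
    for sig in root.iter(f"{{{DS}}}Signature"):
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        out[sig.get("Id")] = {r.get("URI"): dict(r.attrib) for r in refs}
    return out


def rewritten_references(before_xml, after_xml):
    """List (sig_id, uri, attribute, old, new) for each change to a
    signature that already existed before the file was re-saved."""
    before = signed_references(before_xml)
    after = signed_references(after_xml)
    changes = []
    for sig_id, refs in before.items():
        if sig_id not in after:
            changes.append((sig_id, None, None, "present", "missing"))
            continue
        for uri, attrs in refs.items():
            new_attrs = after[sig_id].get(uri, {})
            for name in sorted(set(attrs) | set(new_attrs)):
                if attrs.get(name) != new_attrs.get(name):
                    changes.append((sig_id, uri, name,
                                    attrs.get(name), new_attrs.get(name)))
    return changes


if __name__ == "__main__":
    for change in rewritten_references(BEFORE, AFTER):
        print(change)
```

Any entry in the result means the bytes covered by the earlier signature were altered, so that signature can no longer verify even though the signed document content is unchanged.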

Comment 1 Chris Rae [MSFT] 2012-12-18 18:46:46 UTC
This is also filed for OpenOffice.org (https://issues.apache.org/ooo/show_bug.cgi?id=121505).

Comment 2 Florian Reisinger 2013-04-21 14:21:49 UTC
Hmm, seems the other way round this time...

On saving, LibreOffice says that Digital Signatures get deleted because I changed something. No error message... No way to tell what happens behind the scenes. (Someone tested it with 3.4.6 @issues.apache.org -> AND confirmed it)
