I am a Linux desktop user.
Someone sends me a PDF file which is digitally signed. It is supposed to be signed using some kind of government / regulated body / official institution issued certificate.
Is there a way that I, as a typical end-user, could determine whether the signature is valid?
I know Windows Acrobat Reader works to some extend, though even there it's not really clear about the validity of a signature as opposed to the fact that it's there and seems to be from XYZ.
I spent few hours experimenting with that and found that:
pdfsig command from poppler-utils package is able to validate PDF signature. Usage is simple:
pdfsig signed.pdf
But for me it works only for visible signatures (version 0.62.0 on Fedora 28). For invisible signatures it shows:
File 'signed.pdf' does not contain any signatures
Master PDF Editor is a GUI tool which shows and validates signatures as shown on the picture below and it is enough to have free version.
LibreOffice Draw is able to show and validate signature using
File -> Electronic signatures -> Electronic signatures
But in my case it again shows only visible signatures.
In KDE you can use Okular which behaves similarly as Adobe Acrobat Reader on windows.
Alternatively you can in terminal shell use python's module pyhanko whose command returns something if document is signed, but this returned something is usually "failed" even though Adobe and Okular vaidate it positively.
Foxit PhantomPDF should be able to provide the functionality of verifying digital certificates - available on a purchase basis. Foxit Reader can only digitally sign the certificates. mutool sign signed.pdf functionality is not available in ubuntu builds. May be present in Arch.
I found something that works for now, but it’s a Flatpak container and containers are apparently not very safe. Therefore I will continue to use pyhanko.
Maybe it already works for you if you have a new enough Linux (version 21.01 of poppler). Otherwise, I followed the recommendation (https://cloudstore.zih.tu-dresden.de/index.php/s/j5BKKyJYZFBzGsB) that the most comfortable way is via flatpack (https://flathub.org/apps/details/org.kde.okular). I also tried building a container a little bit - unsuccessfully.
It works for me if I install a newer Okular via Flatpak:
Following https://flatpak.org/setup/Debian :
# apt install flatpak
# flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
More info and source: https://flathub.org/apps/details/org.kde.okular
# flatpak install flathub org.kde.okular
# flatpak run org.kde.okular
Sources: https://docs.kde.org/stable5/en/okular/okular/signatures.html#adding_digital_signatures, https://docs.kde.org/stable5/en/okular/okular/configure-backends.html, https://docs.kde.org/stable5/en/okular/okular/config-pdf.html#config-pdf-digital-signatures):
(( This step in case signing still doesn’t work. ))
In Okular: Settings -> Configure Backends -> radio tick “Custom:” and select the location where the Firefox data database with digital certificate is located (in my case it works /home/username/.mozilla/firefox/gwn47hz7.default-esr).
Tools -> Digitally sign… -> (asks me for Firefox’s ‘master password’ in other words) -> draw a square for signature -> select digital certificate -> name of signed file.
