On Wed, Apr 16, 2014 at 11:31 AM, imacat <ima...@mail.imacat.idv.tw> wrote: > On 2014/04/16 21:28, Jürgen Schmidt said: >> On 4/15/14 4:14 PM, imacat wrote: >>> On 2014/04/14 16:21, Jürgen Schmidt said: >>>> the RC3 build (rev. 1586584) is uploading and most of the files >>>> are already available. Only 32 bit language packs for Linux are >>>> currently missing. >>>> >>>> I plan to start a vote later today but would like to invite >>>> everybody to test the new build already ... >>>> >>>> https://cwiki.apache.org/confluence/display/OOOUSERS/Development+Snapshot+Builds >>> I found that I cannot digitally sign my documents with 4.1 as 4.0 >>> anymore. Is it a planned change, or a bug? >> >> can you provide more information how exactly you did it in 4.0? I am >> not very familiar with document signing and haven't signed a document >> before. The information I found is not clear to me and the behaviour >> is always the same in 4.0, 4.0.1 and 4.1 at least on Mac. I have a >> self signed cert created ... > > On Linux, OpenOffice document signature is done via the Mozilla > firefox certificate store. On Windows, it is done via the Windows > certificate store. > > I suppose the procedure is as follows: > > 1. Get/create a personal X.509 key/certificate with e-mail as the common > name. Self-signed personal key/certificates should be OK. > > 2. Import it into the Mozilla firefox certificate store or Windows > certificate store. > > 3. Close OpenOffice, including the quick run icon, if it is currently > running. Restart it. > > 4. Save some document with something. > > 5. Sign the document from [File]=>[Digital Signature]. > > Before 4.0, the personal key/certificate in the Mozilla certificate > store will be shown in [File]=>[Digital Signature]. On 4.1, this is > missing. > > Digital signature is an important part to OpenOffice macro security > and document integrity. If this is unintended, we will have to do > something to fix it. >
So what happens to a document that was signed with AOO 4.0.1? Can you read it in AOO 4.1? Can you verify the signature? Same for a signed macro? I think it is important to know whether AOO 4.1 "fails safe" with signed macros if it is unable to verify the signature. If a user has set security to allow only execution of signed macros and AOO 4.1 permits them to be executed without being able to verify the signature, then we have a much more serious problem. I'm not saying that this problem exists, but we should check carefully to make sure it is not a problem. -Rob >> >> Does anybody know more about document signing and how it is intended >> to work? >> >> Juergen >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org >> For additional commands, e-mail: dev-h...@openoffice.apache.org >> > > > -- > Best regards, > imacat ^_*' <ima...@mail.imacat.idv.tw> > PGP Key http://www.imacat.idv.tw/me/pgpkey.asc > > <<Woman's Voice>> News: http://www.wov.idv.tw/ > Tavern IMACAT's http://www.imacat.idv.tw/ > Woman in FOSS in Taiwan http://wofoss.blogspot.com/ > OpenOffice http://www.openoffice.org/ > EducOO/OOo4Kids Taiwan http://www.educoo.tw/ > Greenfoot Taiwan http://greenfoot.westart.tw/ > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
