PDF signature on Linux

To produce a widely accepted signature that validates as a PAdES signature, you need to sign your PDF with an X.509 SSL certificate that the issuing Certificate Authority (CA) has flagged as intended for code / object signing. In this post I focus on the act of signing PDF documents, and just say: inform yourself, e.g. on the website of the association cacert.org, about how to obtain a code and object signing SSL certificate, and how to handle, configure and use certificates in your system(s), browser(s) and applications. As long as you don't have an SSL certificate, you cannot use this kind of official signature method, but you can sign the PDF with GPG.

The process itself is very easy if you use LibreOffice and Firefox. You can export any LibreOffice document to PDF and select your personal digital signature certificate in the export dialogue. Or you can sign an existing PDF via (menu) File / Digital Signatures / Sign Existing PDF. But before doing it for the first time, you might need to tell LibreOffice where your Firefox profile with the Firefox certificate store is located, and maintain a list of timestamp server URLs that work for you.

When I first selected (menu) File / Export as / Export as PDF / (tab) Digital signatures / (button) Select..., I saw ... nothing.

DigitalSignature tab in »Export As PDF« dialogue.

It took me hours to find the reason: LibreOffice on Linux searches for signing certs in Firefox's or Thunderbird's certificate store. I had migrated my Firefox profile from Windows, and instead of throwing the profile contents into the default profile folder I had used another folder and edited Firefox's configuration. So I manually gave LibreOffice the differing path in Tools / Options / Security / Certificate Path, and could select my certificate. I could sign my PDF, open it in LibreOffice Draw, and it validated as a correct Adobe signature.

NSS path in LibreOffice Options.
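
The path to enter under Certificate Path can be read out of the profile list that Firefox and Thunderbird keep in profiles.ini. The following is an added example, not part of the original post: it assumes the default Linux locations ~/.mozilla/firefox and ~/.thunderbird and the NSS database file names cert9.db / cert8.db, and the function name find_nss_profiles is hypothetical.

```python
import configparser
from pathlib import Path

# NSS certificate database file names: cert9.db is the current SQLite
# format, cert8.db the legacy DBM format.
NSS_CERT_DBS = ("cert9.db", "cert8.db")


def find_nss_profiles(app_dir):
    """Return (name, profile_dir, cert_db or None) for each profile in profiles.ini."""
    app_dir = Path(app_dir).expanduser()
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.optionxform = str  # keep key case (Path, IsRelative)
    if not ini.read(app_dir / "profiles.ini", encoding="utf-8"):
        return []  # no profiles.ini in this directory
    found = []
    for section in ini.sections():
        # Only [ProfileN] sections describe profiles; skip [General], [Install...].
        if not section.startswith("Profile") or "Path" not in ini[section]:
            continue
        entry = ini[section]
        raw = Path(entry["Path"])
        # IsRelative=1: Path is relative to the directory holding profiles.ini.
        # IsRelative=0: Path is absolute (a profile kept in a custom folder).
        profile_dir = app_dir / raw if entry.get("IsRelative", "1") == "1" else raw
        cert_db = next((n for n in NSS_CERT_DBS if (profile_dir / n).is_file()), None)
        found.append((entry.get("Name", section), profile_dir, cert_db))
    return found


if __name__ == "__main__":
    # Assumed default locations on Linux; adjust for snap or flatpak installs.
    for app in ("~/.mozilla/firefox", "~/.thunderbird"):
        for name, path, cert_db in find_nss_profiles(app):
            status = cert_db or "no certificate database"
            print(f"{name}: {path} ({status})")
```

A profile directory reported with cert9.db is a candidate for LibreOffice's Certificate Path setting; a profile without a database file will show an empty certificate list.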

Since timestamping signatures is a good idea, I searched and found a list of free timestamp servers. I inserted some URLs into the list in (menu) Tools / Options / Security / (button) TSAs, tested them, and when I selected one of the entries to timestamp my signature in the (menu) File / Export As / Export As PDF / (tab) Digital Signatures / (dropdown) Time Stamp Authority, my signature validated as a PAdES signature in LibreOffice Draw.

 $ pdfsig path.pdf -nssdir (Firefox profile path) -dump

revealed that the timestamp server URL is part of the signature. (pdfsig is part of poppler-utils; the Linux Mint Software Center installed them for me.)