How do I digitally sign a PDF with a S/MIME certificate?

Question

I have already acquired a S/MIME certificate (a .p12 file) issued by an authority. Using it in Writer, I can digitally sign documents by following this procedure : How do I make a digital certificate available to LibreOffice Writer for digital signatures?

Can I do the same for PDF files? If yes, what method do you suggest me? I would prefer a solution that relies on Free Software.

Tankman六四 · Answer 1 · 2018-04-11T06:45:27.093

Your only option is Portable Signer. Download it and run the jar. It requires a private key in a p12 file though (not compatible with SmartCard).

You might expect Ubuntu document signing tools like qdigidoc or gpg would do, but no, they don't play with PDF signatures.

You might then expect Ubuntu PDF manipulation tools like qpdf, which provides encryption, or pdftk, which provides watermarking, to provide signing features too, but, no, they don't.

The total list of opensource tools available for your purpose is: http://wiki.cacert.org/PdfSigning

Unfortunately, none of the tools is currently maintained and none can be found in Ubuntu packages. Portable Signer is the most well maintained of all.

Portable Signer hasn't been updated since 2014 - this is the most well maintained among all.
jSignPdf hasn't been updated since 2013.
jPdfSign hasn't been updated since 2006.
CACert's PdfSigner uses outdated iText tool.
OpenSignature hasn't been updated since 2008.
Footprint's link is broken.
jPDFSecure (commercial) – updated in 2017 but it is a Java library not a user tool.

As of Dec 2020, Portable Signer is no longer the only option: KDE's Okular now can create certificate-based embedded digital signatures that are visible to users of other PDF viewers (see my answer). — mak, Dec 17 '20 at 07:59
Best in Feb. 2022: http://jsignpdf.sourceforge.net/ JSignPdf are updated on 19th Dec. 2021 it's easy to use. — fquinto, Feb 10 '22 at 06:35

mak · Answer 2 · 2020-12-18T14:12:05.970

Good news! KDE's PDF viewer Okular (with backend Poppler) now supports embedded digital signatures in PDFs, similar to how Adobe Reader does it. Details are found in a post by TU Dresden, who has sponsored the implementation of this feature.

The feature is expected to appear in releases from April 2021 (Okular v21.04, Poppler v21.01). As of December 2020, it is already possible to compile the current development version of Okular and the Poppler PDF library locally to obtain the feature. Instructions and a build script are provided with the TU Dresden post.

I have completed the installation using the instructions in the script (watch out for truncated lines in the online-preview!) on KDE Neon 5.20 (based on Ubuntu 20.04 LTS) using Poppler as of Commit 407293bf and Okular as of Commit 110ccd61 (future versions should of course continue to work, so this is just for full reproducibility). I have installed under /usr/local/ and created a start script okular-sign with the variable definitions as in the TU Dresden manual. The new version of Okular identifies as "Version 21.03.70". As typical for KDE, this "local" version of Okular does interfere with the official one from the distribution, which is partly changed to the new version even when starting the old binary (presumably this is due to KDE's system-wide registration of "parts" or some such component). I hope that it will be possible to revert to an official version when signing support is released in my distribution's packages.

After successful installation, I could create a digital signature as advertised in the post:

Open a PDF
Click 'Digitally sign' in the 'Tools' menu. Alternatively add the "Digitally sign" icon in your preferred tool bar and click it.
Draw a rectangle where you want to have the visible hint for the electronic signature.
A dialogue will ask for the private key to use, in case there are multiple. Select the one you want to use.
Enter the passphrase of your key.

One is prompted to save the signed PDF under a new file name after that.

Thumb up for this solution. Nevertheless it doesn't solve the question. I tried as well but the problem is that then the .pfx of .p12 files cannot be imported. Or I did something wrong? — Stefano_g, Feb 10 '21 at 17:25
@Stefano_g I did not import any certificates in Okular, but Okular did allow me to chose my current certificate for signing without further setup. In Help>Configure Backends>PDF Certificates, the default certificate database under ~/.mozilla/firefox is selected. I had previously imported my certificate in Firefox. — mak, Feb 11 '21 at 21:29
Ok I am just stupid. I didn't see the tab "my certificates" to import it. I mange to sing it, but the signature is a bit ugly, i.e. big red square. If I do it on windows I get a completely different result with "printed" more info. Is it correct? — Stefano_g, Feb 26 '21 at 00:18
@Stefano_g Yes, the signature placeholder in PDF looks different from what Adobe products would create (for a start, no Adobe logo in the background). I have already had to explain to some people in our administration that the validity of the digital signature is not conferred by the look of this placeholder. This was accepted, but I agree that a more "trustworthy" look that does not appear in red (like an invalid signature!) would be better. Maybe someone could file an issue on this. — mak, Mar 05 '21 at 20:19
There is no "Ditigally sign" option in the "Tools" menu for me... — Mickaël C. Guimarães, Nov 28 '21 at 22:05
I confirm the difficulties. There seem to be fatal bugs at present. — Max Flow, Sep 08 '22 at 06:29
FYI: Soon it should be added to Gnome Evince too https://gitlab.gnome.org/GNOME/evince/-/issues/143 — Sergey Ponomarev, Oct 02 '23 at 21:45

score 18 · Answer 3 · edited Apr 06 '20 at 16:14

18

If you have the certificate available in Writer and if using its Export to PDF function, you can also digitally sign the resulting PDF from the last tab of the dialog right before the export.

As far as I can tell, Acrobat Reader for Android says the document is protected, for what it's worth.

Update '17: Since last December you can sign PDF files with LibreOffice by going File → Digital signatures → Sign Existing PDF.

That will open Draw which is capable of signing the PDF.

edited Apr 06 '20 at 16:14

Socowi

103
1
4

answered Jul 13 '15 at 01:08

K3---rnc

1,235

3

I notice it sometimes fails to find the font and then it distorts the entire document, pushing text off the page – Jonathan Oct 14 '18 at 05:31

ArekBulski · Answer 4 · 2015-04-12T17:38:05.500

17

I found that you can use gpg to sign a PDF in a way that it still opens up in a viewer.

gpg --clearsign --output=signed.pdf input.pdf

Above would yield .asc file which is basically concatenation of input||signature but file extension is forced into .pdf making it to open in viewer, produce thumbnails, etc.

enter image description here

You can verify signature using gpg again.

$ gpg --verify signed.pdf 
gpg: Podpisano nie, 12 kwi 2015, 19:07:15 CEST z użyciem RSA kluczem
gpg: Poprawny podpis od "Arkadiusz Bulski <arek.bulski@gmail.com>"

Be warned that some pdfs dont work well with signing this way, such as optimised pdfs. You should check the results yourself.

edited Apr 12 '15 at 17:38

answered Apr 12 '15 at 17:29

ArekBulski

1,181
2
13
32

3

Do PDF readers give any indication that this is a PGP-signed PDF? – Mendhak Jun 01 '17 at 19:20
No, PDF is viewed despite the attached signature. – ArekBulski Jun 02 '17 at 13:51
3

Perhaps GPG header will be ignored by some software, but Adobe Acrobat Reader and Foxit Reader don't like it and consider such PDF broken. So yes, mind interoperability problem. – dma_k Oct 06 '17 at 10:02
4

Interesting, but the question was about S/MIME certificates. – Andy Oct 25 '17 at 18:51
How to view this non-detached-signature embedded PDF at all? – SYK Oct 01 '18 at 22:27
File format is damaged according to Preview.app (Mac) – f01 Mar 20 '20 at 21:03
3

DO NOT USE --CLEARSIGN FOR PDFs. --clearsign can only be applied on text file, no other type of files including PDF files. This is because --clearsign does bring changes to the file, causing distortions.
See: https://dev.gnupg.org/T5367
– Hans Deragon Mar 27 '21 at 13:40

score 9 · Answer 5 · edited Mar 24 '21 at 22:01

9

There is a GPL tool called AutoFirma from Spanish Government which works quite nice with p12 formatted certificates. For now it's only available in Spanish, but source code is available here or on Github and could be translated.

edited Mar 24 '21 at 22:01

Pau Coma Ramirez

312
2
9

answered Feb 12 '21 at 14:36

geraldo

201

3

Requires Java Runtime Environment which automatic dependency installer does not appear to resolve. sudo apt-get install openjdk-8-jre – Pau Coma Ramirez Mar 20 '21 at 12:39
This is such a nice discovery! Great tool, easy to use and it can even insert a visual representation of the signature (Herramientas -> Preferencias -> Firma PAdES (PDF) -> Check the two boxes under Opciones de firma). – dav.garcia Jul 31 '22 at 09:15

score 8 · Answer 6 · edited Jun 06 '12 at 17:57

8

You can sign PDF files with gpg/seahorse.

Learn more: https://help.ubuntu.com/community/GnuPrivacyGuardHowto

You can for instance use OpenSignPDF, that can be download here: http://opensignature.sourceforge.net/english.php

I hope this answers your question.

edited Jun 06 '12 at 17:57

Agmenor

16,214

answered Jun 06 '12 at 17:43

Octávio Filipe Gonçalves

15,825

Thank you Subv3rsion! Alternatively, I also found some proprietary programs in the Ubuntu Software Center. But I am not going to make advertisement here. – Agmenor Jun 06 '12 at 17:58
3

Ok, but please, can you tell me what programs did you found? – Octávio Filipe Gonçalves Jun 06 '12 at 18:02
1

Note that GPG and Seahorse might not like the S/MIME format that PDF(s) sometimes require in business environments. – Thomas Ward Jun 06 '12 at 18:15
2

Some times, some people really need to sign with a .p12. This doesn't answer the question. – jgomo3 Feb 26 '14 at 00:12

qwr · Answer 7 · 2021-03-02T07:26:40.387

5

Master PDF Editor has a free version that will sign .p12 files.

However the free version leaves an ugly watermark. Interestingly enough, this can be removed within the program itself or with another PDF editor (ex. LibreOffice Draw). I think version 4 does not leave a watermark.

edited Mar 02 '21 at 07:26

answered Apr 18 '18 at 21:09

qwr

2,802

yeah, this is the only solution that works – perepepe Nov 15 '23 at 09:25

score 5 · Answer 8 · edited Apr 02 '20 at 18:53

5

I ended up doing following

Installed Virtual Box
Then installed virtual box extension pack (For usb token)
Download windows 10 iso available for free from MS website.
Boot into windows downloaded Adobe reader and signed the document.

Not the native solution but it gets the work done.

edited Apr 02 '20 at 18:53

MariusSiuram

187
12

answered Jan 14 '19 at 11:39

Mr Coder

630

Q: How do I sign in Ubuntu? A: Use another OS. – liakoyras May 15 '23 at 09:43

score 3 · Answer 9 · answered Dec 31 '19 at 11:50

3

Using LibreOffice with version bigger than 5.3 you can sign PDF documents.
Go To File > Digital Signatures > Sign existing PDF... The original entry dated from December 2016: https://vmiklos.hu/blog/pdf-sign.html

answered Dec 31 '19 at 11:50

cheche

356
2
9

This is by far the simplest and easiest solution. It works fine with physical tokens. – wazoox Sep 09 '21 at 14:53

score 2 · Answer 10 · answered Sep 07 '22 at 13:50

2

As @fquinto mentioned in a comment:

jsignpdf is a solid option.

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features

answered Sep 07 '22 at 13:50

Mahmoud

841

Amanda · Answer 11 · 2020-06-29T13:36:57.903

Since google led me here. These are my steps without p12 formatted certificate. based on how to get p12 formatted client certificate file and how to sign documents .

register on cacert.org via join https://www.cacert.org/index.php?id=1
get client certificate as described in the cacert wiki:
- you might possibly need to do this in a another browser (e.g. Pale Moon)
- Instructions: http://wiki.cacert.org/Technology/KnowledgeBase/ClientCerts#To_get_your_client_cert_from_CAcert
backup the client certificate as p12 formatted file (make sure to keep the backup password. You will need it later)
- https://askubuntu.com/a/122264/839814
install PortableSigner
- https://sourceforge.net/projects/portablesigner/
run PortableSigner
- sudo /usr/local/PortableSigner/PortableSigner.sh
use GUI to set
- input file
- output file name
- signature file (your newly exported client certificate as p12 formatted file)
- password is the backup password you set when creating the p12 formatted file.
Click "Ok" to create signed document.

Schorschii · Answer 12 · 2024-03-11T11:42:50.477

0

You may also want to take a look at my Simple Signer. In addition to LibreOffice Draw, it can also add a visual stamp onto the document (which is linked to your signature) as known from the Adobe Reader.

In addition to that, you can choose if you want to sign or certify your document.

edited Mar 11 '24 at 11:42

answered Apr 29 '22 at 12:20

Schorschii

126

score 0 · Answer 13 · answered Jun 06 '12 at 19:50

0

PDF Studio 7 Pro, available in the Software Center, features digital signing of PDFs. As of when I am writing it costs only 125 $.

According to the official website, it is indeed S/MIME signing.

answered Jun 06 '12 at 19:50

Agmenor

16,214

26

'only' $125. Hah! – wordsforthewise Sep 05 '16 at 01:54

How do I digitally sign a PDF with a S/MIME certificate?

13 Answers13

Linked