Digitally sign PDF files from your commandline - open-pdf-sign
Author : todsacerdoti
Score : 196 points
Date : 2022-12-19 13:15 UTC (9 hours ago)
Web link : github.com

RjQoLCOSwiIKfpm wrote:
| If only banks knew this!
|
| They actively coax you into receiving your bank account statements as PDF, but I haven't found ANY bank which signs the PDFs (while bragging about security all the time).
|
| I wonder what happens if they lose your money due to bugs or even intentionally - will they then happily accuse you of forging the PDFs because they're unsigned?
|
| With paper that'd be not so trivial: in my country the paper often has some special format and the paper itself is of a special type, and it ages and you cannot easily guess the printer which was used.
|
| Hence I still demand all my statements on paper. Same for utility companies, health care, and other institutions which want to convert their regular physical bills to PDFs.
|
| I also demand paper because the concept of forcing the customer to manually go to N websites every month to download PDFs is idiotic. Nobody pays me for that wasted time of my life.
|
| A paper mailbox instead is a central place where I can retrieve all of my documents easily in O(1). I wonder how many decades it will take the IT industry to realize that?
  superphil0 wrote:
  | Hi, Philipp here (one of the creators). Haha, this is so funny, this is one of the BIG reasons why we built this in the first place.
    RjQoLCOSwiIKfpm wrote:
    | :)
    |
    | Do they pay you for this?
      superphil0 wrote:
      | No, but it would be cool if they used it.
        RjQoLCOSwiIKfpm wrote:
        | I would advise you to deliver your incredible goodwill to a non-profit organization which actually values it instead of working on something for banks :)
        |
        | The rotten, soulless entities that are banks do not deserve ANY free work.
        |
        | They don't care about you, they won't value your work, they won't give anything back.
        |
        | They'll use it to maximize their profits at best.
        |
        | But most likely, they won't do anything: With absolute certainty, they KNOW that PDFs can be signed. They have to deal with cryptography anyway, and have security consulting.
        |
        | They very likely intentionally decided to not sign PDFs anyway just because they can get away with it without getting sued, and save money by that.
          philihp wrote:
          | They very likely hired an external firm to write their PDF export, and the person implementing it was just trying to finish the contract on time and to spec.
          |
          | The overhead of maintaining a properly secured PKI key and implementing signing of generated PDFs with it is nonzero.
          |
          | Banks aren't always rotten and soulless, they are cold and lazy machines that do the bare minimum that their customers ask.
          |
          | This project is great, let's spread awareness that PDFs _can_ keep an internal digital signature and maybe someday their customers will demand it.
  yardstick wrote:
  | Does your bank encrypt the PDFs? Some of mine do (Europe). Some combo of bank account and birthday to open them - they state this in the email - so trivial to open by others that know you, but not strangers. Better than nothing I guess.
    RjQoLCOSwiIKfpm wrote:
    | They refuse to send emails because "emails are insecure", you HAVE to go to their website to download the PDFs.....
    |
    | (And encryption is NOT a signature. Anyone who knows the password can forge an encrypted file with the same password. So the PDFs would still be worthless.)
      s_dev wrote:
      | > And encryption is not a signature.
      |
      | Encryption involves using a signing key and universally uniquely identifying something.
      |
      | That's exactly what it is. In fact encryption is even more secure than a normal written signature.
      |
      | I can sign a piece of text put it here -- sign it with my private key -- put it on HN with my public key and everyone can be sure I wrote it.
        wongarsu wrote:
        | Encryption usually involves a signing/authentication step to prevent certain crypto attacks, but in symmetric encryption schemes those only prove that the document hasn't been modified after encryption. You could still create a different document, sign it with the same password, and nobody would be able to prove that that's not the original.
        |
        | With asymmetric encryption you have a sort of signature because only the sender has the encryption key, so forging something that opens with the same decryption key is hard. But I have yet to see somebody encrypt PDFs with an asymmetric method.
          necovek wrote:
          | With "identity certificates" or "electronic IDs" used in parts of Europe, documents are indeed signed with asymmetric cryptography: a recipient of a document can't modify it and keep the signature valid.
        Avamander wrote:
        | > That's exactly what it is. In fact encryption is even more secure than a normal written signature.
        |
        | No, certainly not.
        |
        | The biggest issue is that you're conflating a human concept of a signature and the cryptographic one. This is obvious from your second paragraph.
        |
        | > I can sign a piece of text put it here -- sign it with my private key -- put it on HN with my public key and everyone can be sure I wrote it.
        |
        | Cryptographically maybe, legally no. We lack crucial information about who can use your keys, there's nothing that says you can't share a random keypair that has no legal backing. We also don't know if your keys are valid at all, maybe you're underaged? Do we know if your keys were valid during the time of signing, maybe you _were_ underaged?
        |
        | It's way more complex than Sign(text).
        pinusc wrote:
        | Are encrypted PDFs signed? AFAIK it's just symmetric encryption. You only need a password to decrypt, after all.
  Avamander wrote:
  | It's not only PDFs, email sent by banks should be both DKIM and S/MIME signed but we barely get the former.
  necovek wrote:
  | I'd rather go to 5 web sites and download PDFs than open 5 envelopes, throw them away, and sort out different paper documents into different binders or folders: nobody is paying me for the wasted time of my life to do that either :)
  |
  | How do you organise your paper documents?
    emodendroket wrote:
    | What are you going to do with a bank statement from a few months ago anyway? You will never look at it.
      sowbug wrote:
      | It becomes relevant during a divorce, or a capital gain or loss that has expenses related to the basis. Sometimes it's to your advantage not to have the documentation, but those situations are often zero-sum, so the other party will go the extra mile to find whatever is missing.
        emodendroket wrote:
        | In those rare circumstances where someone wanted to see an old statement I've never had difficulty logging in and finding the statements online.
    oezi wrote:
    | I bought a duplex scanner and haven't looked back. Everything gets shredded unless it is required (contracts, official documents).
      72deluxe wrote:
      | This is also perfect for keeping a digital copy of everything in the pursuit of the dream of being a digital nomad we all secretly harbor.
    dotancohen wrote:
    | > How do you organise your paper documents?
    |
    | I just throw them in a box, without even opening them. On the off chance that I ever need one, I go to the box and fish out all the envelopes from that bank, and look for ones from the likely date range.
    |
    | That is, I optimize for quick storage at the expense of slow retrieval. But even the slow retrieval isn't bad.
    tenebrisalietum wrote:
    | Paperless ng
    |
    | Make your scanner put files in a place that Paperless can read them, then Paperless OCRs the file, makes it searchable, somehow finds the date of the documents, auto tags if you have it set up, and basically is a dream.
    |
    | I don't organize them anymore, if I need an old document I search for some text in it or by date.
    |
    | https://github.com/jonaswinkler/paperless-ng
    |
    | There is a newer Paperless ngx that I have to upgrade to at some point.
      sureglymop wrote:
      | Paperless-ngx looks pretty cool! But do you have any recommendations for a scanner that has the required feature?
        tenebrisalietum wrote:
        | I use an old Epson Workforce WF-7100. This printer does two sided scanning on the ADF, and you can create presets for color, black and white, etc. Mine was given to me out of a garage and has some wear and tear - the ADF jams a lot, so sometimes I have to use the glass.
        |
        | As long as the device can scan to PDF into a network folder, I think most scanners/printers will work. Paperless works by monitoring a folder you choose - it doesn't care how files get to that folder.
        |
        | It's very common for most all-in-one printer/scanners to be able to save to a Windows/SMB network share. In my case on the Linux box running Paperless, I also installed and set up Samba and exposed a share for the scanner.
        |
        | An engineering firm I used to work for rented Kodak i2600 document scanners from the company providing their printers - and they were constantly scanning and these devices didn't mess up. If I did high volume scanning I'd try to get one of those.
    RjQoLCOSwiIKfpm wrote:
    | This can easily be streamlined to consume little time by:
    |
    | - Realizing that whenever you need to extract some old document in the future for reference / proof, you'll likely have a date range when it happened to go looking for it. And needing something old happens rarely enough that the overhead of searching for it can be neglected, so you'll lay out your binders to make putting things away fast, not searching things. And the older things become the less likely it is that you'll ever need them again. So sorting by date is important.
    |
    | - Thus realizing that any finished documents can go to a SINGLE binder which is sorted by date, you don't need a separate one for healthcare, utilities, whatever. You don't even need registers in the binder, just flat date sorting.
    |
    | - Therefore, you'll only be having 3 binders:
    |
    | "ToDo", "Done" and "Constantly needed" (the latter is for contracts for example).
    |
    | Sort the contents of "ToDo" and "Done" by date. Adding new paper will be quick because new stuff arrives close to the most recent date so you don't have to search a lot for the place to insert it at.
    |
    | AND: Make sure to mark the date on every document with a highlighter of always the same color so you can easily spot the dates when inserting.
    |
    | TL;DR: Most documents will go to a single or two sorted-by-date places, just like your email inbox. This makes adding things fast.
  emodendroket wrote:
  | My paper statements do not come on a special paper either.
  slowhand09 wrote:
  | If only banks knew this The one secret Banks hate! _FTFY_
  MrGilbert wrote:
  | I'm really glad I get most of my documents digital right now. I can download them, sort them into folders on my home server, and I'm happy as I could be. If I need a file or invoice, I simply open my server's folder structure and grab the one I need.
  sowbug wrote:
  | I'd be satisfied if my bank's web developers learned about the Content-Disposition header and set the filename reasonably. Nothing quite like downloading dozens of statements for various accounts at the end of the year and then having to rename dozens of files named "download.php (1-30).pdf" in your downloads folder. With a single line of code, each of those could be "institution-acct-year-month-day.pdf" instead. It would significantly reduce the toil that punishes diligent customers.
  pge wrote:
  | In the fraud case at tech company NS8[1] (for which the CEO was recently sentenced to prison), the CEO apparently edited PDF bank statements before sharing them with his CFO. I think most people naturally assume that a PDF is unalterable. While not commonly exploited, that assumption is a big security gap. We need a way to sign PDFs to ensure their authenticity.
  |
  | [1] https://www.sec.gov/litigation/complaints/2020/comp24905.pdf
    terom wrote:
    | A way to sign PDFs would be great, but then we also need a way to verify the signatures. And verify that it was signed by whoever issued the document, not someone else who tampered with it.
    |
    | Not really sure what the state of the art there actually is. Pessimistically I figure we're still at the stage where websites would put an image of a lock with a green checkmark on their website to make it look secure - i.e. really only just for show.
      superphil0 wrote:
      | https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo...
  jve wrote:
  | Hello from a 3rd world country. It feels weird to read this and just download a bank statement digitally signed in .pdf.asice format. Well, I can also use my ID card to log in to the bank. Many people here don't realize how well things are going right here, in some very small country.
  judge2020 wrote:
  | > Nobody pays me for that wasted time of my life.
  |
  | Would you say the same for self checkout at the grocery store?
  |
  | What about burger bars where you have to put your own toppings on?
    RjQoLCOSwiIKfpm wrote:
    | Yes. They're saving money hoping that the customer does the work for free!
    |
    | What is your point anyway?
    |
    | Do you really think I should be wasting half an hour to a full hour of my life every month to download a dozen PDFs (remember, it's not only banks which want that) so big corporations can save like $5 on paper & postage?
    |
    | Why would I want to work for below minimum wage for those people, for no tangible benefit to me?
    |
    | (Paper is as easy to process as PDFs, and IMHO in fact easier to process:
    |
    | You can fit multiple sheets on your desktop in parallel, you can shuffle it around, hold it next to each other for cross-referencing, you can write stuff onto it and be sure it will be readable in 10 years (might not be true for PDF annotation software!), the disk it's stored on won't die, your relatives can read it if you die, etc. If paper was a VR-product all these things would be advertised as great new VR features. In real life we get these 3D-features for free but their advantages are completely ignored when forcing the usage of computers for the sake of it.)
      muhehe wrote:
      | > so big corporations can save like $5 on paper & postage?
      |
      | At their scale it's much. I honestly don't care about their costs, but at their scale that's tons of paper and gas that's totally wasted.
      |
      | I don't know which country you're from, but all my bank statements, utility invoices etc. go to my email, so there is no need to log in anywhere. I'm not sure about others right now, but utilities are definitely signed. Maybe you could talk to your bank/... about it.
        RjQoLCOSwiIKfpm wrote:
        | > At their scale it's much.
        |
        | At their scale it is replaceable: They earn money to do their duties, if they cost a bit more they bill the customers a bit more so they get it back.
        |
        | The time of my life is NOT replaceable. I do not get it back EVER.
        |
        | And they very likely don't give a damn about their customers, it doesn't matter to them if some cronjob delivers PDFs or another cronjob prints letters - at the end of the day they just want to go home.
        |
        | I do CARE about living, it gravely matters to me how much of my life I have available for myself.
        |
        | > tons of paper and gas that's totally wasted.
        |
        | It's not wasted: It fulfilled its purpose of delivering information to me in a convenient fashion.
        |
        | And once I'm done with it, it goes into the paper bin and gets recycled.
        |
        | > I don't know which country you're from, but all my bank statements, utility invoices etc. go to my email, so there is no need to log in anywhere. I'm not sure about others right now, but utilities are definitely signed.
        |
        | Every company here has a different method. Websites, emails which link to websites, emails which are the invoice, emails which have an attachment that is the invoice.
        |
        | It is impossible to cleanly integrate this into one workflow.
        |
        | A plain old regular paper mailbox however already is a clean, integrated workflow which ships unified pieces of paper which all have the same size and thus are able to be put into the same kind of folders.
        |
        | Hence optimizing this to be more convenient for companies means taking away individual lifetime which matters to individuals for the sake of enriching entities which do not care about the money they saved, it's just a number in some database for them.
        |
        | > Maybe you could talk to your bank/... about it.
        |
        | Do you seriously believe they will do anything?
        |
        | Whenever I interact with those kind of people, I rarely get an answer ever, and that's about things which are part of their daily duties.
        |
        | If you go to them expecting them to actually do something out of their ordinary - good luck. It will get ignored with a 99% probability.
        |
        | And even if one of them does something: Then the other dozen companies I have to deal with will not do anything.
        |
        | So paper has to stay anyway. I'm happy with it. It's convenient, it's super standardized, and it just works.
    Kon-Peki wrote:
    | > the grocery store
    |
    | Funny enough, the only digitally signed email I've ever (knowingly) received came from Aldi. I sent them a question about food waste and the response showed up in Apple Mail with a badge and signature validation notice that I'd never seen before.
      Avamander wrote:
      | That's most likely BIMI with DKIM (DKIM alone is relatively common) but it's unfortunately not S/MIME. The latter would actually be a "sender signed email" rather than the former, "domain signed email".
        Kon-Peki wrote:
        | I went back and searched my email. It was an RSA-2048 S/MIME certificate issued by Aldi Sud and Apple Mail now warns that the certificate is expired (the email was from a few years ago, when the certificate was valid). The email came from a supply chain person in their Hong Kong office - maybe that explains the level of security?
          Avamander wrote:
          | Huh, that is very interesting (and rare). Also highlights one flaw of S/MIME, there isn't any validity (OCSP) stapling equivalent for it.
  Calzifer wrote:
  | > I wonder what happens if they lose your money due to bugs or even intentionally - will they then happily accuse you of forging the PDFs because they're unsigned?
  |
  | > With paper that'd be not so trivial, in my country the paper often has some special format and the paper itself is of a special type, and it ages and you cannot easily guess the printer which was used.
  |
  | Read a similar discussion recently. Even with paper you can prove your account balance at day X but if your bank loses your money at day X + n and you want it back they could still claim you withdrew it all since day X and had an empty account on the day of the loss.
    RjQoLCOSwiIKfpm wrote:
    | Fine, so the paper protects me from bogus withdrawals during a number of X days, it just doesn't protect me for the additional n.
    |
    | The PDFs protect me for 0 days because they can claim I've faked them right from the beginning.
    |
    | I'll take the paper :)
  vbezhenar wrote:
  | I think that a big missing elephant is a tool which provides authenticated download.
  |
  | What I mean is the following:
  |
  | Let's say that I'm downloading a PDF from mybank.com. The browser establishes a TLS connection to mybank.com, sends the request, receives the response PDF and then does something with the response. This TLS connection could be serialized as it is with the accompanying ephemeral keys. Those bytes include the remote peer's X509 certificate signed by DigiCert and the whole exchange is further cryptographically signed with the corresponding key.
  |
  | So basically you already have a cryptographically signed PDF from your bank. You just don't have tools to save or verify this signature. And a juridical framework to further act on those artifacts. But the tech has been deployed for 30+ years already.
    superphil0 wrote:
    | We thought about it from the other side, we want to make it easy that just every PDF gets signed. We know it is not perfect, but it is better than no signatures at all. Inspired by LetsEncrypt.
    |
    | https://github.com/open-pdf-sign/open-pdf-sign-configurator/...
    detaro wrote:
    | No, what's tied to the certificate is only the identity of the endpoints, not the content being transmitted (since that's only protected by a symmetric key both sides know), so you can forge a "recording" of a HTTPS session for any file you want.
    |
    | There have been proposals to extend TLS to have this capability, but to my knowledge none are really standardized or used anywhere.
      vbezhenar wrote:
      | Thanks, this is unfortunate.
hannob wrote:
| It should be said that PDF signatures are a very fragile design, leading to a plethora of security issues: https://pdf-insecurity.org/
|
| A core problem is that a PDF signature does not necessarily cover a complete file, but can be a partial signature. This adds a whole lot of complexity and unclarity around what is actually signed, allowing all kinds of attacks. I feel this is all so problematic that if you want to sign PDFs it's probably better to not use PDF signatures, but some form of outside signatures over the whole file.
  Avamander wrote:
  | It is in theory possible to craft better-signed PDFs that would pass the European eIDAS Qualified Electronic Signature requirements.
  |
  | But in general the ASiC-E container format is more versatile and also more robust against potential flaws.
    kjetil wrote:
    | In practice, though, PAdES has a lot more support and has the crucial property of being easy to view by end-users.
    |
    | Is there any wide use of ASiC?
      Avamander wrote:
      | > In practice, though, PAdES has a lot more support and has the crucial property of being easy to view by end-users.
      |
      | For now, I'd expect ever increasing compliance with eIDAS in the future. PDFs are also not the only thing that people want to sign, that's where an agnostic container format has its benefits.
      |
      | > Is there any wide use of ASiC?
      |
      | I know that at least Estonia, Latvia, Lithuania and Finland have deployed it. Of those Estonia probably has the widest and longest use of it, as they migrated *to* ASiC-E, having used the predecessors BDOC and CDOC previously.
howmayiannoyyou wrote:
| Great solution, if we didn't have to install a JRE on a server.
  victor106 wrote:
  | IT Runs on Java 8
  |
  | https://vickiboykis.com/2019/05/10/it-runs-on-java-8/
  |
  | hn discussion https://news.ycombinator.com/item?id=19877916
    hbaum wrote:
    | Hi, Thomas (one of the creators) here. This is actually the reason why we are still supporting JRE8 with open-pdf-sign instead of having a JRE11 (or later) baseline. We are offering a npm module as well (https://github.com/open-pdf-sign/open-pdf-sign-node). While that does not get rid of the JRE requirement, it makes integration in "modern" backends easier.
spapas82 wrote:
| Very nice! I've also implemented a similar project that can be used to not only sign documents but also check the validity of signed documents through a simple API: https://github.com/spapas/pdf-sign-check
|
| We have used it for many years in a public sector organisation to make sure that our internal documents are properly signed.
jgalt212 wrote:
| Signing is great until you have to rotate your keys.
  sowbug wrote:
  | Would you mind explaining? As I understand it, signing works _better_ if you rotate your keys regularly.
    jgalt212 wrote:
    | The public key is publicly available so the signature can be verified. But when you rotate keys, what do you do? Post a list of formerly valid public keys? Are all public keys derived from one master/root key? And then you don't rotate the master? So then the rule is rotate "almost all" your keys. But then that rule goes out the window if the master/root key is compromised.
      sowbug wrote:
      | That's pretty much how it works, at least in the GPG world. You generally never rotate the top-level certifying key, and you use that only for certifying.
      |
      | All that said, "that's how GPG does it" is usually a strong argument against a proposal.
killjoywashere wrote:
| Can I use this with smart cards on Linux? And, if so, can someone start wiring it into the various viewers?
|
| That's my one big hold-up from going full Linux: I absolutely must be able to sign documents using a cert held on a smartcard.
jahewson wrote:
| Nice, some years ago I worked on the Apache PDFBox code that powers this. Great to see people build on top of it.
___________________________________________________________________ (page generated 2022-12-19 23:01 UTC)