LibreOffice Signature Lines in Calc - Journal

2018-08-16 Thu

Wrapped up most of the Mail Merge work for 6.1. Now looking for something new.


  1. Should I look at other testing activities listed in and
  2. How do I know what the dev team are planning to do (not just things that have already been implemented)?

Looked at, but only 2-3 things listed, seem to be minor.

Biggest thing seems to be:

Signature Lines are now available in Calc too (Samuel Mehrbrodt, CIB) tdf#117903


Decided to have a look. Started touring, creating a mindmap.

I have signed with a digital signature, which was considered valid until I deleted the signature, at which point it was not considered valid.

Tried some naive ways of tricking LO into thinking a signature remained valid after modification, but unzipping and ods, copying an old documentsignatures.xml and then zipping it back up. No luck, signature is not even recognised (as far as I can tell).

Need to try to understand a little more the process of creating and modifying signatures in LO.

Experimented exporting to and saving copy to different formats. Also went part of the way using Send, which copies/exports files to /tmp for emailing. I could check out the files in /tmp.

After using Send functionality to export to xlsx, I could not get signature line to work.


  1. Learn more about security in this area. [High Priority]
  2. I should look at the bugs raised in the Writer version of this feature.
  3. Explore the menus a bit more.
  4. How do I fill in the "Signed By" field?

2018-08-17 Fri

Read up on the background and bugs of the Writer version of this feature.


For more technical/implementation details of signing/certificates, see And also

Inferred a bit more about scenarios of use. You may have signatories A and B (e.g. a proofreader and editor resp.) Signatory A receives the document, checks the content and then signs it and sends it to B. B checks the content AND that B's certificate is valid, and then signs it.

However, when B signs it A's signature and certificate (indeed, all certificates already in document) is removed. Perhaps this is ok if we trust B. But, this leaves no paper trail for A (non-repudiation bug?).

For multiple certificates, need to use File > Digital Signatures. Or, the first person could sign it and then all subsequent signers use File > Digital Signatures. Otherwise, when using the signature line you will remove all the previous certificates, because you have modified the document.

Explored authentication capability/operation.

I have no idea how one is supposed to use the "Thumbprint MD5" or "SHA-1". How am I supposed to verify the ID of the certificate? I guess I would have verified the certificate when I added it to my keyring, but am I sure that the certificate I am seeing in LO is the very same certificate, and not a very similar one?

(EDIT: I note that others have had a similar problem, see

Then explored integrity capability/operation.

Experimented with modifying various objects after signing. Then, considered what factors might affect the operation of signing, e.g. having a document which already has some sort of signature or is encrypted.

2018-08-18 Sat

Trying to find other examples similar to bug 119331 (password saved documents). What other ways of encrypting or signing a document (in any sort of manner) are there?

I notice Options > LibreOffice > User Data has options to select "OpenPGP signing key" and "encryption key". I do not see how these work. Cannot find documentation (click Help What Wizardry uses those keys?

Experimented with File > Versions functionality. I notice that if current version is signed then looking at previous versions LO will state they are signed, even though no signature appears in Digital Signatures dialog. I assume it signs the whole document, including previous versions. So it might be (technically) correct to consider the previous versions as signed.

Defocused a bit and experimented going backwards and forwards through versions, signing different versions of the same document multiple times. No problems detected.

However, I note in that:

If you have multiple gpg keys, always the first one is used for signing.

How would I know which one is "used" at any time? No extra details are given. Perhaps I am missing something, something that I am not observing.

[FSF Associate Member] [FSFE Associate Member]