LibreOffice Signature Lines in Calc - Journal

2018-08-16 Thu

Wrapped up most of the Mail Merge work for 6.1. Now looking for something new.

Questions:

  1. Should I look at other testing activities listed in https://wiki.documentfoundation.org/QA and https://wiki.documentfoundation.org/QA/GetInvolved?
  2. How do I know what the dev team are planning to do (not just things that have already been implemented)?

Looked at https://wiki.documentfoundation.org/ReleaseNotes/6.2, but only 2-3 things listed, seem to be minor.

Biggest thing seems to be:

Signature Lines are now available in Calc too (Samuel Mehrbrodt, CIB) tdf#117903

under https://wiki.documentfoundation.org/ReleaseNotes/6.2#Calc.

Decided to have a look. Started touring, creating a mindmap.

I have signed with a digital signature, which was considered valid until I deleted the signature, at which point it was not considered valid.

Tried some naive ways of tricking LO into thinking a signature remained valid after modification, by unzipping an ods, copying in an old documentsignatures.xml and then zipping it back up. No luck, signature is not even recognised (as far as I can tell).

Need to try to understand a little more the process of creating and modifying signatures in LO.
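Added example, not part of the original journal and not LibreOffice's code: a per-stream digest check of the kind XML-DSig verification implies, applied to the documentsignatures.xml swap tried above. The sample packages and the stream name `Pictures/sigline.png` are constructed; only references without transforms are compared (XML streams would need canonicalization first), and the signature value and certificate are not checked.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_PATH = "META-INF/documentsignatures.xml"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1, SHA256: hashlib.sha256}

def check_references(package: bytes) -> dict:
    """Map each signed stream to 'match', 'mismatch', 'missing' or 'skipped'."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        if SIG_PATH not in names:
            return results  # package carries no signature file
        for ref in ET.fromstring(z.read(SIG_PATH)).iter(DS + "Reference"):
            uri = ref.get("URI", "")
            if not uri or uri.startswith("#"):
                continue  # same-document reference, not a package stream
            name = unquote(uri)
            method = ref.find(DS + "DigestMethod")
            algo = DIGESTS.get(method.get("Algorithm")) if method is not None else None
            if algo is None or ref.find(DS + "Transforms") is not None:
                results[name] = "skipped"  # would need canonicalization first
            elif name not in names:
                results[name] = "missing"
            else:
                stored = (ref.findtext(DS + "DigestValue") or "").strip()
                actual = base64.b64encode(algo(z.read(name)).digest()).decode()
                results[name] = "match" if stored == actual else "mismatch"
    return results

def build_package(streams: dict, signed: dict) -> bytes:
    """Constructed sample: zip `streams` plus a signature file digesting `signed`."""
    refs = "".join(
        f'<ds:Reference URI="{n}"><ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>'
        f'{base64.b64encode(hashlib.sha256(d).digest()).decode()}</ds:DigestValue></ds:Reference>'
        for n, d in signed.items())
    sig = (f'<document-signatures xmlns:ds="{DS[1:-1]}"><ds:Signature><ds:SignedInfo>'
           f'{refs}</ds:SignedInfo></ds:Signature></document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in {**streams, SIG_PATH: sig.encode()}.items():
            z.writestr(n, d)
    return buf.getvalue()

old = {"Pictures/sigline.png": b"constructed image bytes v1"}
new = {"Pictures/sigline.png": b"constructed image bytes v2 (edited)"}
signed_copy = build_package(old, old)   # signature file matches content
swapped_copy = build_package(new, old)  # edited content, old signature file
if __name__ == "__main__":
    print(check_references(signed_copy), check_references(swapped_copy))
```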

Experimented exporting to and saving copy to different formats. Also went part of the way using Send, which copies/exports files to /tmp for emailing. I could check out the files in /tmp.

After using Send functionality to export to xlsx, I could not get signature line to work.

Ideas:

  1. Learn more about security in this area. [High Priority]
  2. I should look at the bugs raised in the Writer version of this feature.
  3. Explore the menus a bit more.
  4. How do I fill in the "Signed By" field?

2018-08-17 Fri

Read up on the background and bugs of the Writer version of this feature.

Origin: ask.libreoffice.org/en/question/1119/

For more technical/implementation details of signing/certificates, see https://wiki.documentfoundation.org/ReleaseNotes/5.3#Document_signing. And also https://vmiklos.hu/blog/ooxml-signature-export.html.

Inferred a bit more about scenarios of use. You may have signatories A and B (e.g. a proofreader and editor, respectively). Signatory A receives the document, checks the content and then signs it and sends it to B. B checks the content AND that B's certificate is valid, and then signs it.

However, when B signs it, A's signature and certificate (indeed, all certificates already in the document) are removed. Perhaps this is ok if we trust B. But, this leaves no paper trail for A (non-repudiation bug?).

For multiple certificates, need to use File > Digital Signatures. Or, the first person could sign it and then all subsequent signers use File > Digital Signatures. Otherwise, when using the signature line you will remove all the previous certificates, because you have modified the document.

Explored authentication capability/operation.

I have no idea how one is supposed to use the "Thumbprint MD5" or "SHA-1". How am I supposed to verify the ID of the certificate? I guess I would have verified the certificate when I added it to my keyring, but am I sure that the certificate I am seeing in LO is the very same certificate, and not a very similar one?

(EDIT: I note that others have had a similar problem, see https://bugs.documentfoundation.org/show_bug.cgi?id=113192.)

Then explored integrity capability/operation.

Experimented with modifying various objects after signing. Then, considered what factors might affect the operation of signing, e.g. having a document which already has some sort of signature or is encrypted.

2018-08-18 Sat

Trying to find other examples similar to bug 119331 (password saved documents). What other ways of encrypting or signing a document (in any sort of manner) are there?

I notice Options > LibreOffice > User Data has options to select "OpenPGP signing key" and "encryption key". I do not see how these work. Cannot find documentation (click Help https://help.libreoffice.org/Scalc/cui/ui/optuserpage/OptUserPage). What Wizardry uses those keys?

Experimented with File > Versions functionality. I notice that if current version is signed then looking at previous versions LO will state they are signed, even though no signature appears in Digital Signatures dialog. I assume it signs the whole document, including previous versions. So it might be (technically) correct to consider the previous versions as signed.

Defocused a bit and experimented going backwards and forwards through versions, signing different versions of the same document multiple times. No problems detected.

However, I note in https://bugs.documentfoundation.org/show_bug.cgi?id=108794 that:

If you have multiple gpg keys, always the first one is used for signing.

How would I know which one is "used" at any time? No extra details are given. Perhaps I am missing something, something that I am not observing.
