I'm trying to use the pdfsig utility from Poppler to verify the signature of a certain PDF file. When I use it, it displays (some irrelevant info redacted):
Digital Signature Info of: /<redacted>/<redacted>.pdf
Signature #1:
  - Signature Field Name: Signature1
  - Signer Certificate Common Name: <redacted>
  - Signer full Distinguished Name: CN=<redacted>,SN=<redacted>,givenName=<redacted>,serialNumber=<redacted>,C=ES
  - Signing Time: <redacted>
  - Signing Hash Algorithm: SHA-256
  - Signature Type: ETSI.CAdES.detached
  - Signed Ranges: [0 - 3645], [57647 - 131752]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.
The problem is the last bit: "Certificate issuer isn't Trusted". It doesn't mention who the issuer is in the first place, so I used:
pdfsig -dump /<redacted>/<redacted>.pdf
and then checked the signature contents with:
openssl pkcs7 -inform der -noout -text -print_certs -in <redacted>.pdf.sig0
That helped and displayed three certificates:
Subject: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
FNMT is the Fábrica Nacional de Moneda y Timbre (of Money Heist fame), which is a Spanish public institution and CA. That's the root (RAIZ) certificate.
Subject: C=ES, O=FNMT-RCM, OU=Ceres, CN=AC FNMT Usuarios
That's a child certificate for users (Usuarios) which also belongs to the FNMT.
Subject: C=ES/serialNumber=<redacted>, GN=<redacted>, SN=<redacted>, CN=<redacted>
That's the signer's certificate, issued by the FNMT as a child of "AC FNMT Usuarios".
A run with strace(1) revealed that it was trying to open stuff at /etc/pki/nssdb/ and failing, then at ~/.pki/nssdb/ and failing too, and it did not try to access /etc/ssl/certs/ at all, so I guessed I needed to provide the root certificate by playing by libnss rules, which I have never used before. After some manual reading and googling I entered these commands:
certutil -N -d ~/.pki/nssdb --empty-password
certutil -A -n 'AC RAIZ FMT-RCM' -i /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt -a -t c,c,c -d ~/.pki/nssdb
But pdfsig stubbornly refused to trust the issuer:
- Certificate Validation: Certificate issuer isn't Trusted.
So at this point, I don't know what else to do for pdfsig to consider the issuer (FNMT) as trusted. Any help would be appreciated.
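The NSS setup described in the question, written out as an added example (not code from the question or from Poppler). It assumes, as labelled in the comments, that certutil's trust flags decide CA trust per usage (lowercase c = merely a valid CA, uppercase C = trusted to issue certificates for that usage), that pdfsig checks the signer under the e-mail-signing usage so the root needs a C in the second slot, that pdfsig accepts a -nssdir option, and that the intermediate "AC FNMT Usuarios" PEM is obtained separately (placeholder path).

```shell
#!/bin/sh
# Added example: build a per-user NSS database that trusts the FNMT root for
# signature verification, then point pdfsig at it. Assumptions are marked.
set -eu

NSSDIR="${NSSDIR:-$HOME/.pki/nssdb}"
# Path from the question (Debian/Ubuntu ca-certificates package).
ROOT_CRT="/usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt"
# Placeholder: the "AC FNMT Usuarios" intermediate is not shipped there.
INTERMEDIATE_CRT="${INTERMEDIATE_CRT:-/path/to/AC_FNMT_Usuarios.pem}"

# certutil -t takes three comma-separated slots: SSL,e-mail,object-signing.
# Assumption: lowercase c only marks a valid CA; uppercase C grants trust to
# issue certs for that usage, and pdfsig verifies under the e-mail usage, so
# the question's "c,c,c" never makes the root a trusted issuer.
trust_flags_for_signing() { printf '%s' 'C,C,C'; }

# Return 0 when a flag string has an uppercase C in the e-mail (second) slot.
grants_email_ca_trust() {
  case "$1" in
    *,*C*,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the DB if needed and import root (trusted) plus intermediate (chain only).
setup_nssdb() {
  mkdir -p "$NSSDIR"
  [ -f "$NSSDIR/cert9.db" ] || certutil -N -d "sql:$NSSDIR" --empty-password
  certutil -A -d "sql:$NSSDIR" -n 'AC RAIZ FNMT-RCM' \
    -t "$(trust_flags_for_signing)" -a -i "$ROOT_CRT"
  certutil -A -d "sql:$NSSDIR" -n 'AC FNMT Usuarios' -t ',,' -a -i "$INTERMEDIATE_CRT"
}

# List the DB (check the trust column shows C for the root) and re-run pdfsig
# against it; -nssdir is assumed to be supported by the installed pdfsig.
check_pdf() {
  certutil -L -d "sql:$NSSDIR"
  pdfsig -nssdir "$NSSDIR" "$1"
}

case "${1:-}" in
  setup) setup_nssdb ;;
  check) check_pdf "$2" ;;
esac
```

Run it as `sh nss-setup.sh setup` once, then `sh nss-setup.sh check document.pdf`; the `certutil -L` trust column should read `C,C,C` for the root entry.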