Signature process in LibreOffice 6.3
Steve.Martin at ruhr-uni-bochum.de
Fri Feb 7 15:46:29 UTC 2020
my name is Steve Martin and I am an enrolled student at the Ruhr
University Bochum. I have a question regarding the implementation of the
signature process in LibreOffice.
I use a self-created X.509 certificate for signing my ODT documents.
As soon as I sign my ODT document, the file "documentsignatures.xml" is
created in the META-INF folder in the OpenDocument package. Before I
signed my ODT document, I had decompressed the ODT document and added an
additional file entry in META-INF/manifest.xml:
Then I saved the manifest.xml file and compressed all the files back
into a ZIP package. I can now open this file with LibreOffice and sign
it with my X.509 certificate.
After I signed the document, I decompressed it again and copied the
meta.xml file into the Thumbnails directory. Thanks to the previously
added file entry in the manifest.xml file, I can now compress all the
partial files back into a ZIP archive and open the document with
LibreOffice as normal, without being shown the message that the file is
However, I don't understand why do I get now the message that the
signature is not valid? I decompressed the ODT document with the invalid
signature and compared the documentsignatures.xml file contained in the
META-INF folder with the documentsignatures.xml file that was created
immediately after the signature was created. Both files are exactly the
same and neither contain the value "Thumbnails/meta.xml" in the URI
attribute in the <Reference> elements.
Since none of the files that are listed in the documentsignatures.xml
were manipulated, the signature should be valid? Or is there another
signature somewhere besides the XML signature about the file structure
of the ODT document?
Thanks many for your help
More information about the LibreOffice