Signing with Smartcard/Yubikey/Gpg Key
In our company we're loving the fact that signatures are coming to Nextcloud. Seeing the current implementation, I'm wondering whether there is any support planned for external keys that stay with the employees doing the signing instead of being centrally stored, as appears to be the case here?
We have a rather strict requirement that signing be done with hardware-based tokens that hold normal GPG keys or X.509 certificates. Does this project address this need, or would that be a separate addon that would also hook into the approvals workflow?
Just to clarify, it would be totally OK for us to install JSignPDF locally on the machines, as I understand they do support PKCS#11 keys. Would it be possible to set up the online instance with the public key of the root CA we use and then just use it to validate signatures that were done locally?
Hi @Blackclaws , sorry about the delay.
We are very happy to know that LibreSign meets the needs of the company we are part of!
There are 2 issues that are on our wish list:
- To be able to add and manage signing keys other than just the LibreSign CA generated key. For this we already have a plan of how to do it, but there is a lack of funding to prioritize this issue.
- Enable use of tokens to sign documents. We still don't know how to implement this task because we don't have tokens for testing.
About JSignPDF, this is a requirement of the server and not of the clients. The flow is: you send a PDF to Nextcloud and request the signature; when the person who must sign enters the signature key password, the server uses this password along with JSignPDF to sign the document. No need to install it on clients.
We also intend to make it possible for non-PDF files to be signed using PKCS #7, and this is also dependent on funding to complete. With it, it will be possible to request signatures of files of any extension, not just PDF.
If you are interested in supporting the project with any value, you can go to our Patreon. If you are interested in financing some specific functionality, create a specific issue yourself and finance it through BountySource; once it reaches an amount that pays for the development, we will prioritize the implementation.
If I understood what you described correctly, the current architecture cannot work with hardware tokens, as all signing operations are done by the server. Using hardware tokens would mean the client has to do the signing and somehow provide it to the server, since private keys are held by the token.
Is that correct?
@bendem yes. To use hardware tokens, one way is to implement a specific frontend and browser extension to interact with the hardware, apply the signature to the file on the frontend and send the signed file to the server. We have a plan to implement this but without priority. We need investment to prioritize it and pay the team.
Both Firefox and Chrome allow access to the system certificate store (where you would find YubiKey and other hardware tokens if they have the appropriate libraries and are registered correctly), so at least technically it's feasible. It would need someone to build the extensions and include the necessary server-side code. I'm guessing merge requests would be welcome for this feature?
Contributions are welcome! This isn't a simple change; it will be necessary to implement changes to the API and new features in VueJS.
I wasn't saying it was easy. Just that it should be doable using the built-in functionality of browsers and that it shouldn't need any third-party apps that users have to install (unless required by their hardware tokens).
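The split the thread converges on (the client signs with a key it controls, the server holds only the root CA and validates what it receives, as asked in the opening post and restated above) can be exercised end to end with plain OpenSSL. The script below is an added example and is not LibreSign's code; it uses constructed demo keys written to disk in place of a hardware token, and a detached PKCS#7/CMS signature as the artifact the client would hand to the server. It checks the three outcomes a verifying server must get right: a genuine signature is accepted, a document altered after signing is rejected, and a signature from a key that does not chain to the trusted root CA is rejected even though it is cryptographically valid.

```shell
#!/bin/sh
# Added example, not LibreSign's code: "sign on the client, verify on the server"
# with a detached PKCS#7/CMS signature. The server side holds only the root CA
# certificate (ca.crt). All keys here are constructed demo keys on disk; with a real
# token the signer key would be reached through a PKCS#11 engine/provider instead.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed demo PKI: one root CA, one signer certificate issued by it, and one
# self-signed certificate that is NOT issued by the CA (the untrusted-signer case).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/signer.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/signer.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Rogue Signer" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Client side: write a detached, DER-encoded CMS signature to <file>.p7s.
# Usage: sign_locally <file> <signer-cert> <signer-key>
sign_locally() {
  openssl cms -sign -binary -in "$1" -signer "$2" -inkey "$3" -outform DER -out "$1.p7s"
}

# Server side: exit 0 only if the signature matches <file> AND the signer certificate
# chains to the root CA in ca.crt. Anything else (tampering, unknown signer) is a rejection.
# Usage: verify_on_server <file> <detached-signature>
verify_on_server() {
  openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
}

# Demo run over a constructed document.
make_demo_pki
printf 'contract v1\n' > "$WORK/doc.txt"
sign_locally "$WORK/doc.txt" "$WORK/signer.crt" "$WORK/signer.key"
verify_on_server "$WORK/doc.txt" "$WORK/doc.txt.p7s" && echo "genuine signature: accepted"

# Same signature, content changed after signing.
cp "$WORK/doc.txt" "$WORK/tampered.txt"
cp "$WORK/doc.txt.p7s" "$WORK/tampered.txt.p7s"
printf 'altered after signing\n' >> "$WORK/tampered.txt"
verify_on_server "$WORK/tampered.txt" "$WORK/tampered.txt.p7s" || echo "tampered content: rejected"

# Valid signature, but from a key the server's root CA never issued.
cp "$WORK/doc.txt" "$WORK/rogue.txt"
sign_locally "$WORK/rogue.txt" "$WORK/rogue.crt" "$WORK/rogue.key"
verify_on_server "$WORK/rogue.txt" "$WORK/rogue.txt.p7s" || echo "untrusted signer: rejected"
```

The design point is in `verify_on_server`: trust comes only from `-CAfile`, so a signer certificate embedded in the signature buys nothing unless it chains to that root. A server that skipped the chain check (or accepted any certificate carried inside the PKCS#7 blob) would accept the rogue signature above. The detached form is also what makes the "validate locally made signatures" idea workable for arbitrary file types: the original file and the `.p7s` travel separately and the server never needs the signing key.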