ENH: pdfly sign / check-sign

Open Lucas-C opened this issue 1 year ago • 9 comments

Intent: Provide a pair of new subcommands:

  • pdfly sign : take a PDF document and a pair of public/private certificates, and produce a signed PDF document
  • pdfly check-sign : take a signed PDF document and a public certificate, and check if its signature is valid

Suggested implementation: fpdf2 is already a dependency of pdfly, and combined with endesive could be used to perform signing: https://py-pdf.github.io/fpdf2/Signing.html

endesive could be used to check the signature.

There are some example usages we could support:

  • [x] signing using a PKCS12 certificate archive:
pdfly sign input.pdf --p12 certs.p12 -o signed.pdf

Implemented by @moormaster in PR https://github.com/py-pdf/pdfly/pull/165

  • [ ] signing using a PEM certificate bundle:
pdfly sign input.pdf --pem certs.pem -o signed.pdf
  • [ ] signing using GPG keys:
pdfly sign input.pdf --gpg-pub-key ~/.gnupg/pubring.gpg --gpg-sec-key ~/.gnupg/secring.gpg -o signed.pdf
  • [ ] checking a signature using a PKCS12 certificate archive:
pdfly check-sign signed.pdf --p12 certs.p12
  • [x] checking a signature using a PEM certificate:
pdfly check-sign signed.pdf --pem certs.pem

Implemented by @moormaster in PR https://github.com/py-pdf/pdfly/pull/166

  • [ ] checking a signature using a GPG key:
pdfly check-sign signed.pdf --gpg-pub-key ~/.gnupg/pubring.gpg
  • [ ] verify a signature using a .p7m file (requested in https://github.com/py-pdf/pdfly/discussions/193)

Extra useful documentation:

  • https://github.com/py-pdf/fpdf2/blob/master/test/signing/README.md
  • https://github.com/py-pdf/fpdf2/blob/master/test/signing/test_sign.py

Extra features we could consider:

  • display how much adding the signature increased the file size, in percent
  • provide an optional --inplace / -i flag that would allow NOT providing an output PDF filepath, because the input PDF file would be directly modified

Lucas-C avatar Nov 08 '24 07:11 Lucas-C
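
A structural check that a check-sign command could run alongside cryptographic validation, as an added example (not code from pdfly, fpdf2 or endesive): it reports whether a signature's /ByteRange covers the whole file, since bytes outside the range are not protected by that signature. The function names and the sample bytes are constructed for illustration, and only the standard library is used.

```python
import re

# /ByteRange [o1 l1 o2 l2]: bytes [o1, o1+l1) and [o2, o2+l2) are signed;
# the gap between them is expected to hold only the hex /Contents value.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]*>")


def signed_coverage(pdf: bytes) -> list[dict]:
    """Return one structural report per /ByteRange found, in file order."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = map(int, m.groups())
        in_bounds = o1 + l1 <= o2 and o2 + l2 <= len(pdf)
        gap = pdf[o1 + l1:o2] if in_bounds else b""
        reports.append({
            "in_bounds": in_bounds,
            "starts_at_zero": o1 == 0,
            "gap_is_hex_string": bool(HEX_STRING.fullmatch(gap)),
            # Bytes after the second range lie outside what this signature covers.
            "unsigned_trailing_bytes": len(pdf) - (o2 + l2) if in_bounds else None,
        })
    return reports


def fully_covered(pdf: bytes) -> bool:
    """True if some signature covers every byte except its own /Contents."""
    return any(
        r["in_bounds"] and r["starts_at_zero"] and r["gap_is_hex_string"]
        and r["unsigned_trailing_bytes"] == 0
        for r in signed_coverage(pdf)
    )


def build_sample() -> bytes:
    """Constructed PDF-shaped bytes with a placeholder signature (not a real CMS blob)."""
    contents = b"<" + b"00" * 16 + b">"
    tail = b"\n>>\nendobj\n%%EOF\n"
    template = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %-10d %-10d %-10d] /Contents "
    l1 = len(template % (0, 0, 0))  # fixed-width fields keep the length stable
    head = template % (l1, l1 + len(contents), len(tail))
    return head + contents + tail


if __name__ == "__main__":
    signed = build_sample()
    print(fully_covered(signed))
    print(signed_coverage(signed + b"\n2 0 obj\n<<>>\nendobj\n%%EOF\n"))
```

Trailing unsigned bytes are also what a later incremental update or a second signature looks like, so a non-zero count is a reason to inspect the appended revision, not proof of tampering.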

Hello, remember me? (: I'm the beginner cyy-2024! Thank you very much for your help! I guess I can do a simple p12 signature.~

cyy-2024 avatar Nov 09 '24 13:11 cyy-2024

Hi @cyy-2024

Thank you for your contribution 👍

I'm going to try to review your PR today 🙂

Lucas-C avatar Nov 12 '24 07:11 Lucas-C

PR #72 could not be completed, this issue is up-for-grabs 🙂

Lucas-C avatar Dec 15 '24 13:12 Lucas-C

I have added two PRs for a first implementation of

  • sign - #165
  • check-sign - #166

commands supporting only .p12 files for signing and PEM file for check-sign.

moormaster avatar Oct 09 '25 09:10 moormaster

Thank you @moormaster 👍

I gave you some feedback on the PRs

Lucas-C avatar Oct 09 '25 16:10 Lucas-C

Could you add the hacktoberfest topic to the pdfly repository (or hacktoberfest-accepted label to the PRs)? They are currently in the state of "not participating"

https://hacktoberfest.com/participation/#pr-mr-details

moormaster avatar Oct 10 '25 17:10 moormaster

Oh yes, sure 👍 I just did so, and added hacktoberfest-accepted to the PR I just merged today

Lucas-C avatar Oct 10 '25 18:10 Lucas-C

> Oh yes, sure 👍 I just did so, and added hacktoberfest-accepted to the PR I just merged today

Thanks! This one, too, please? #168 🙃

moormaster avatar Oct 10 '25 20:10 moormaster

Thank you very much for your work on this @moormaster 👍

I'm keeping this issue open so that we can track implementation of the other usages considered: signing using a PEM certificate, checking signature using a PKCS12 one, or doing both operations based on a GPG key.

Lucas-C avatar Oct 12 '25 16:10 Lucas-C