
I have a locally generated root certificate (Company_CA.pem) used to sign PDF files. The signing process works fine and, after installing the public key on Adobe, I'm able to verify signatures and certificate.

Now I need to do that in the terminal, so I'm trying to use pdfsig on an Ubuntu 22.04 Docker image.

From my understanding, to have the certificate validation working, I must add the certificate to the Network Security Services (NSS) database. To do so, I have done the following:

apt-get update
apt-get -y install libnss3-tools
mkdir -p $HOME/.pki/nssdb
chmod -R 0700 $HOME/.pki 
certutil -d sql:$HOME/.pki/nssdb -N --empty-password
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n company -i /Company_CA.pem

The entire process was completed without errors. However, when I run pdfsig with a PDF file, I get:

- Signer Certificate Common Name: Sig D
- Signer full Distinguished Name: E=sig@company.com,CN=Sig D,O=Company,L=Marina Del Rey,ST=CA,C=USA
- Signing Time: Jan 11 2022 12:46:49
- Signing Hash Algorithm: SHA-256
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 115717], [120036 - 257774]
- Not total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate issuer isn't Trusted.

When I run certutil -d sql:$HOME/.pki/nssdb -L, I get:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

company                                                      C,,

Why do I still get "Certificate issuer isn't Trusted."? Am I missing something here? How can I make myself (the certificate issuer) trusted?

I have tried to play around with the trustargs (i.e., -t "P,P,P") but the outcome is still the same.

I'm running:

pdfsig -v
pdfsig version 22.02.0
Copyright 2005-2022 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1996-2011 Glyph & Cog, LLC
Sig

1 Answer


According to the documentation for pdfsig on 22.04, there is an option -nssdir to specify the certificate database location. Otherwise it uses /etc/pki/nssdb or the database in the default Firefox profile, i.e. $HOME/.mozilla/firefox/*.default.

https://manpages.ubuntu.com/manpages/jammy/man1/pdfsig.1.html

Greg Askew
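
An added example, not part of the question or answer above and not Poppler's own code: a shell wrapper that hands pdfsig the database built with certutil through the -nssdir option named in the answer, then gates on the verdict lines shown in the question's output. The function names, the exit codes and the choice to report partial coverage separately are assumptions of this example; "Certificate is Trusted." is the string pdfsig prints in the passing case.

```shell
#!/bin/sh
# Added example: helper names and exit codes are hypothetical, not from Poppler.

# Read pdfsig output on stdin and classify it.
# Exit codes (chosen for this example): 0 trusted, 2 no signature found,
# 3 signature invalid, 4 certificate not trusted, 5 trusted but the
# signature does not cover the whole document.
check_pdfsig_output() {
    awk '
        /Signature Validation:/     { sigs++;  if ($0 ~ /Signature is Valid\./)     sig_ok++ }
        /Certificate Validation:/   { certs++; if ($0 ~ /Certificate is Trusted\./) cert_ok++ }
        /Not total document signed/ { partial++ }
        END {
            if (sigs == 0)                         { print "no signature found";        exit 2 }
            if (sig_ok != sigs)                    { print "signature invalid";         exit 3 }
            if (certs != sigs || cert_ok != certs) { print "certificate not trusted";   exit 4 }
            if (partial)                           { print "trusted, partial coverage"; exit 5 }
            print "trusted"
        }'
}

# Run pdfsig against an explicit NSS database instead of its default locations.
# $1: database location exactly as it was given to `certutil -d`
# $2: path to the signed PDF
verify_pdf() {
    pdfsig -nssdir "$1" "$2" 2>&1 | check_pdfsig_output
}

# Stand-alone use: ./verify.sh "sql:$HOME/.pki/nssdb" signed.pdf
if [ "$#" -eq 2 ]; then
    verify_pdf "$1" "$2"
    exit $?
fi
```

Treating exit code 5 as a failure or a warning is a policy decision: a signature that covers only part of the file says nothing about the bytes outside the signed ranges.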