this post was submitted on 28 Aug 2023
41 points (93.6% liked)


Howdy, not sure if this is the right place to ask, but I figured this community has the best chance of using LibreOffice. I recently started to learn about GPG and decided to try to digitally sign an ODF file I created via LibreOffice Writer. Thought I could do the same with a PDF file, but it turns out you need a third-party CA certification, so now I'm wondering, assuming only open formats can be signed, why even sign an ODF file in the first place? Is it just for niche situations, or do official/mainstream entities now support that format? Would it be considered legally binding? I heard that Microsoft Office gained support for the ODF format back in 2021, so if the digital signature could still be verified on their end then I don't see a problem. Is that the case? My bad for all the questions, I'm just trying to see the use case for this. Seems to me that for anything professional, signing with a third-party CA cert would be the better option.

top 4 comments
[–] gerbilOFdoom@beehaw.org 24 points 1 year ago (1 children)

The point of a digital signature is to announce that you made this document, as it exists at the time of writing. Once a change is made it should no longer identify as signed.

Most institutions don't use this functionality, despite the usefulness of it. At present, I'd recommend using it for publicly distributed files to protect against bad actors publishing a document that pretends to be yours.

As for legally binding, ask a lawyer. Generally, things are legally binding if they're signed by all parties. The specifics get funky, but a digital signature is a solid step for announcing that you did this thing at this datetime and a judge should recognize that if it comes down to it. Bonus points if all parties attach their digital signatures.

[–] Extrasvhx9he 5 points 1 year ago

Thank you so much, that answered all my questions.

[–] heavy@sh.itjust.works 6 points 1 year ago

I'd say the purpose of the feature is to do as intended: ensure the document's authenticity and integrity. The mechanism still requires people trust your signature (public key), so you need another strategy to establish that trust. If you wanted to share a confidential document to a person you know on Discord, and they already trust your Discord profile, you would need to use said profile to get people to trust that the key you're going to use belongs to and identifies you. This really isn't different from third-party CAs, just a lot of certificates from them are already trusted by default and part of the internet-wide key infrastructure.

[–] signofzeta@lemmygrad.ml 2 points 1 year ago

I’m not sure if this is legally binding, but it’s a way to prove that someone said “I signed this document and it has not been modified.” While S/MIME certificates are most commonly used for this purpose, getting one (especially for free) is nearly impossible. Signing with a GPG key is just using another tool, one whose ecosystem doesn’t require CA-sanctioned trust; the reader decides which keys are trusted and verified.
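
Added example, not part of the thread: the behaviour the comments describe (a signature stops verifying once the file changes, and the reader's own keyring decides whether the key is trusted), shown with a detached GnuPG signature rather than LibreOffice's built-in signing. It assumes GnuPG 2.1 or later; the key identity, file name and contents are constructed.

```shell
#!/bin/sh
# Added example. Key identity, file name and contents are all constructed.
# Assumes GnuPG 2.1 or later on PATH.

# Print the signature/trust status keywords gpg reports when checking
# signature $2 over file $3 with the keyring in directory $1.
verify_status() {
    gpg --homedir "$1" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|BADSIG|ERRSIG|TRUST_[A-Z]+)$/ { printf "%s ", $2 }'
}

signature_demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; reader="$work/reader"; doc="$work/report.odt"
    mkdir -m 700 "$signer" "$reader"

    # Author: throwaway key with an empty passphrase, then a detached signature.
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Author <author@example.invalid>' ed25519 sign never \
        2>/dev/null
    printf 'constructed document body\n' > "$doc"
    gpg --homedir "$signer" --batch --quiet --armor --detach-sign \
        --output "$doc.asc" "$doc" 2>/dev/null

    # Reader: separate keyring that holds the public key but assigns it no trust.
    gpg --homedir "$signer" --batch --armor --export > "$work/author.pub" 2>/dev/null
    gpg --homedir "$reader" --batch --quiet --import "$work/author.pub" 2>/dev/null

    echo "author:   $(verify_status "$signer" "$doc.asc" "$doc")"
    echo "reader:   $(verify_status "$reader" "$doc.asc" "$doc")"
    printf 'one appended line\n' >> "$doc"    # any change after signing
    echo "tampered: $(verify_status "$reader" "$doc.asc" "$doc")"

    # Stop the background daemons gpg started for the throwaway keyrings.
    for h in "$signer" "$reader"; do
        gpgconf --homedir "$h" --kill all 2>/dev/null || true
    done
    rm -rf "$work"
}

signature_demo
```

The reader's line shows a cryptographically good signature from a key that keyring has not been told to trust; establishing that trust is the out-of-band step the comments describe.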