Error validating the digital signature of the updated manifest
The implementation of the digital signatures need to be changed to match the updated Digital Signature Specification for ODF 1.2.The needs to be included in the document signature, as well as other streams in META-INF.
This applies also for additional signature files contained in META-INF, such as However, an application shall consider a macro signature as invalid if a package contains files to which the macro signature is not applied, and which contain macro or executable code that the application is able to execute.Since a document signature is applied to all files, it includes the files to which a macro signature is applied.A document may have document and macro signatures applied simultaneously, and may have further applications specific signatures applied to its package.Document files and package files, that is the files which carry meta information for the package, such as manifest.xml,imay have a digital signature applied.(issue #XXXXX) For ODF 1.0/1.1 documents, some special handling for not signed macro streams in a signed document is needed (see below), because the implementation was different than what is specified in ODF 1.2 now (issue #XXXXX).
Older versions of OOo with a document signature only check for not signed files when these are not located in the META-INF folder.
No encrypting the signatures can be a privacy issue.
because someone could see who has signed a document.
It's not clear whether or not the document signature file itself should also always been signed, because it depends on the use case, so we want to leave this as optional.
This is the latest draft of the proposal that we will send to the OASIS Open Document TC: An Open Document document that is stored in a package may have one or more digital signatures applied to the package.
A document signature is a digital signature that is applied to all files contained in a package, regardless whether they are defined by this specification or are application specific extensions.