ENH: pdfly sign / check-sign #71
Description
Intent
Provide a pair of new subcommands:
pdfly sign: take a PDF document and a pair of public/private certificates, and produce a signed PDF documentpdfly check-sign: take a signed PDF document and a public certificate, and check if its signature is valid
Suggested implementation
fpdf2 is already a dependency of pdfly, and combined with endesive could be use to perform signing: https://py-pdf.github.io/fpdf2/Signing.html
endesive could be used to check the signature.
There are some example usages we could support:
- signing using a PKCS12 certificate archive:
pdfly sign input.pdf --p12 certs.p12 -o signed.pdf
Implemented by @moormaster in PR #165
- signing using a PEM certificate bundle:
pdfly sign input.pdf --pem certs.pem -o signed.pdf
- signing using GPG keys:
pdfly sign input.pdf --gpg-pub-key ~/.gnupg/pubring.gpg --gpg-sec-key ~/.gnupg/secring.gpg -o signed.pdf
- checking a signature using a PKCS12 certificate archive:
pdfly check-sign signed.pdf --p12 certs.p12
- checking a signature using a PEM certificate:
pdfly check-sign signed.pdf --pem certs.pem
Implemented by @moormaster in PR #166
- checking a signature using a GPG key:
pdfly check-sign signed.pdf --gpg-pub-key ~/.gnupg/pubring.gpg
- verify a signature using a
.p7mfile (requested in Verify signed Documents #193)
Extra useful documentations:
- https://github.com/py-pdf/fpdf2/blob/master/test/signing/README.md
- https://github.com/py-pdf/fpdf2/blob/master/test/signing/test_sign.py
Extra features we could consider:
- display how much does adding the signature increased the file size, in percent
- provide an optional
--inplace/-iflag that would allow to NOT provide an output PDF filepath because the input PDF file would be directly modified