spyke
1
If I open a signed PDF in GNOME Papers (the new Document Viewer in 25.04) it shows me a banner `Document has been digitally signed` and the button `View Signature...`. When I click the button I get a modal window with the signature details. It says:
- Signature is valid.
- Signed with a certificate issued by unknown issuer.
This certificate is issued by a recognized certification centre of one of the EU countries. I have the country's root certificate in PEM .crt format and a bunch of intermediate certificates for the CAs. The certificate that signed the document in question was issued by one of these CAs.
I want to install the country root certificate (and the CAs, to have the full chain if AIA doesn't work) in a way that it can be used only to verify documents (code signing) and emails (S/MIME).
In Fedora I could use `trust anchor` and throw in a couple of p11-kit files to do exactly that. In Debian though, `trust` is compiled in read-only mode and `update-ca-certificates` ignores any p11-kit settings.
In macOS (and probably on Windows) it is a matter of several clicks in the UI. In Ubuntu it looks like it is impossible and I have to trust the installed certificate for everything, which seems unreasonable to me with so many digital documents these days.
You can install the country root certificate and intermediaries specifically for document and email signature verification, like an S/MIME certificate, by placing them in a custom NSS database used by apps like GNOME Papers. Run `certutil -A` to import the certs with appropriate trust flags (e.g., `C,C,C` for client/email/code signing). Unfortunately, Ubuntu doesn't separate trust roles easily via `update-ca-certificates`, but using a dedicated NSS database gives you fine control without globally trusting the certs.
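As an added example (not from the answer above or from any project's code): a small script that imports a root into a user NSS database with trust limited to S/MIME and object signing, leaving the TLS field empty so the certificate is never trusted for HTTPS. It assumes `certutil` from libnss3-tools and that `~/.pki/nssdb` is the shared user database NSS-based desktop apps consult; the certificate paths and nicknames are placeholders.

```shell
#!/bin/sh
# Import a national root CA into a user NSS database with trust limited
# to email (S/MIME) and object (document/code) signing, not TLS.
# Assumptions: certutil is installed; ~/.pki/nssdb is the shared user DB.
set -eu

NSSDB="${NSSDB:-sql:${HOME:-/tmp}/.pki/nssdb}"

# Build an NSS trust string from the roles given as arguments.
# NSS trust flags are three comma-separated fields, in the order
# SSL,S/MIME,object-signing. "C" marks a trusted CA for that field;
# an empty field grants no trust for that purpose.
trust_flags_for() {
    ssl=""; email=""; objsign=""
    for role in "$@"; do
        case "$role" in
            ssl)     ssl="C" ;;
            email)   email="C" ;;
            objsign) objsign="C" ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
    printf '%s,%s,%s' "$ssl" "$email" "$objsign"
}

# Import one PEM certificate under a nickname with the given trust flags.
# Intermediates get ",," (no trust of their own): they are only present so
# the chain can be built locally when AIA fetching is unavailable.
import_ca() {
    nick="$1"; pem="$2"; flags="$3"
    dir="${NSSDB#sql:}"
    mkdir -p "$dir"
    [ -f "$dir/cert9.db" ] || certutil -N -d "$NSSDB" --empty-password
    certutil -A -d "$NSSDB" -n "$nick" -t "$flags" -i "$pem"
}

# List the database so the trust column can be checked after importing.
list_trust() {
    certutil -L -d "$NSSDB"
}

# Usage (file names and nicknames are placeholders):
# import_ca "Country Root CA" country-root.crt "$(trust_flags_for email objsign)"
# import_ca "Country Intermediate CA 1" intermediate1.crt ",,"
# list_trust
```

After importing, the root should show `,C,C` in the trust column of `certutil -L`, which is what prevents the same certificate from being accepted for TLS.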
spyke
3
Will I need to point every app (like Papers) to this custom db via an env variable?
spyke
4
I've just tried to add the certificates via the Firefox UI and now I get `Certificate Validation: Certificate is Trusted.` from `pdfsig`, but Papers still says `unknown issuer`.