Sign PDFs from Collabora Online 📝

Collabora Online now supports electronic PDF signing with eID Easy, bringing legally recognized digital signatures to your documents. Enhance your workflows, ensure compliance, and secure your documents with ease.

🔗 Download the White Paper to learn more about this powerful feature: https://www.collaboraonline.com/case-studies/eid-easy-signs-pdfs-from-collabora-online/?utm_campaign=White_Paper&utm_medium=Social&utm_source=Mastodon&utm_content=Sign-pdf

#CollaboraOnline #PDF #DigitalSignatures

Until these tools learn how to properly trust sources, check them yourself, and ensure their trustworthiness before using them.

I'm wondering if some kind of trust ecosystem could work here, though? It wouldn't be hard for the AIs to verify digital signatures, right?

https://arstechnica.com/security/2025/04/ai-generated-code-could-be-a-disaster-for-the-software-supply-chain-heres-why/

#supplychainsecurity #supplychainattack #LLMs #factchecking #softwaresupplychain #SoftwareSupplyChainSecurity #ai #packagemanagement #weboftrust #factchecking #digitalsignatures

🚀Protect your files and images from tampering with PGP!📁📷

#CyberSecurity #PGP #Encryption #DataSecurity #DigitalSignatures #TechTips #OnlineSafety #PrivacyMatters #SecureFiles

https://bytesectorx.blogspot.com/2024/11/how-to-use-pgp-sign-secure-files-images.html

The SignServer Team is happy to announce the release of SignServer CE 7.1.1

Featuring NIST approved quantum-safe algorithms ML-DSA and SLH-DSA.

https://github.com/Keyfactor/signserver-ce/releases/tag/v7.1.1

#Keyfactor #SignServer #digitalsignatures #codesigning #pki #postquantum

KONSIGN: The Ultimate E-Signature Solution for Seamless Digital Transactions

Visit: https://konze.com/blog/konsign-the-ultimate-esignature-solution

#KONSIGN #ESignature #DigitalSignatures #PaperlessBusiness #SecureSigning #ElectronicSignature #BusinessGrowth #DigitalTransformation #DocumentSigning #BusinessWorkflow #SignAnywhere #SecureTransactions

How E-Signatures Overcome Top Business Challenges: Why KONSIGN is the Answer You're Looking for?

Discover how e-signatures address business challenges like inefficiency, rising costs, and security risks. Learn why KONSIGN is the ultimate solution for streamlined workflows.

Visit: https://konze.com/blog/how-esignatures-overcome-top-business-challenges

#KONZE #KONSIGN #ElectronicSignature #Esignature #Esign #BusinessSolutions #PaperlessWorkflow #DocumentManagement #SecureSignatures #BusinessProductivity #DigitalSignatures #SaaS

Sign Smarter, Save Trees: Embrace Sustainability with KONSIGN 🌍

🌳 Did You Know? Offices use 10,000 sheets of paper yearly—12 trees gone! 🌍 Go green with KONSIGN, our eco-friendly e-signature solution. Switch today and save trees for a sustainable future! 💡

https://konze.com/products/konsign

#KONZE #KONSIGN #ElectronicSignature #Esignature #Esign #GoPaperless #EcoFriendly #DigitalTransformation #GreenBusiness #PaperlessOffice #DigitalSignatures #SmartWorkplace #SaveEnvironment #SaveTrees #SavePaper

Do you know the term #RSA-4096 Key and its Role in Code Signing Certificate?

Check out the detail guide for more details here.

https://www.ssl2buy.com/wiki/rsa-4096-key-in-code-signing-certificate

#rsa #encryption #EmailEncryption #DigitalSignatures

What To Use Instead of PGP

It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they should be doing.

It isn’t.

I don’t blame individual Internet users for this confusion. There is a lot of cargo-culting around communication tools in the software community, and the evangelists for the various projects muddy the waters for the rest of us.

The part of the free and open source software community that thinks PGP is just dandy, and therefore evangelize the hell out of it to unsuspecting people, are the same kind of people that happily use XMPP+OMEMO, Matrix, or weird Signal forks that remove forward secrecy and think it’s fine.

Not to mince words: The same people who believe PGP is good are also famously not great at cryptography engineering.

If you’re going to outsource your opinions on privacy technology to someone else, make sure it’s someone who has actually found vulnerabilities in cryptographic software before. Most evangelists have not.

I’m not here to litigate the demerits of PGP. The Latacora article I linked above makes the same arguments I would make today, and is a more entertaining read.

It is of my opinion as a security engineer that specializes in applied cryptography that nobody should use PGP, because there’s virtually always a better tool for the job you want to use PGP for.

(And for the uncommon use cases, offering a secure, purpose-built replacement is a work-in-progress.)

Note: I’m deliberately being blunt in this post because literally more than a decade of softspokenness from cryptography experts has done nothing to talk users off the PGP cliff. Being direct seems more effective than being tactful.

If you want a gentler touch, ask your cryptographer. If you don’t have a cryptographer, hire one.

If you can accept that every billionaire is the result of a failed system, that’s how cryptographers feel about people using PGP.

Instead, let’s examine the “use cases” of PGP and what you should be using instead. (Some of this is redundant with the Latacora article, but I’m also writing it 5 years later, so some things have changed.)

I’m focusing on the “what” in this post, not the “why”. If you want to know the why, read the Latacora blog, or the Matthew Green blog.

If you’re curious about the credibility of my recommendations, read my other blog posts or ask your cryptographer.

Instead of PGP, Use This

This section contains specific tools to solve the same problems that PGP tries to solve, but better.

What makes these recommendations better than PGP?

Simply, they don’t make cryptographers want to run the other way screaming when they look under the hood. PGP does.

Some people are forced to use PGP because they work for a government that legally requires them to use PGP. In that corner case, your hands are tied by lawyers, so you don’t need to bother with what cryptographers recommend.

Signing Software Distributions

Use Sigstore.

Note that this is an ecosystem-wide consideration, not something that specific individuals must manually opt into for each of their hobby projects. The only downside to Sigstore is it hasn’t been widely adopted yet.

If you’re a Python developer, you can just use PEP 740 to get attestations with Trusted Publishers, which gives you Sigstore for free. For most developers, this is as simple as setting up a GitHub Action to publish to PyPI.

This is a developing trend: Other programming language and package management ecosystems are following suit. I expect to see Sigstore attestations baked into NPM and Maven before the next US presidential election. With any luck, your favorite programming language could be on this list too.

Sigstore doesn’t just give you a signature that you check with a long-lived public key, nor does it require you to do the Web Of Trust rigamarole.

Rather, Sigstore gives you a lot for free. Sigstore was designed around ephemeral signing certificates rather than a long-lived private key. It was purpose-built for preventing supply-chain attacks against open source software.

Combined with Reproducible Builds, Sigstore solves the triangle of secure code delivery.

Alternatively, use minisign. If your package ecosystem doesn’t support Sigstore yet, you can get by with minisign (which is signify-compatible) until they modernize.

You can also use SSH signatures, if you’d prefer. (More on that below.)

Signing Git Tags/Commits

Use SSH Signatures, not PGP signatures.

With Ed25519. Stop using RSA.

Sending Files Between Computers

Use Magic Wormhole.

You could also use SSH + rsync to do this job. That’s fine too.

Encrypting Backups

Tarsnap is the usual recommendation here.

There are a lot of other encrypted backup tools that work fine, if you don’t want to give Colin Percival your business. I don’t have a financial stake in any of them, nor have I audited them thoroughly.

Borg uses reasonable cryptography, but I haven’t had the time to review it carefully.

Kopia looks fine, but I really hate that they misuse “zero knowledge” to describe an encryption protocol (rather than a proof system). We should not reward this misbehavior by marketers.

The point is: You’ve got options.

Too many options, in my opinion, to settle for PGP.

Encrypting Application Data

Use Tink or libsodium.

Avoid: OpenPGP, OpenSSL and its competitors.

Not a lot to say here. I’ve written a lot about this over the years. Misuse-resistant cryptography libraries–especially ones that make key management less painful for users–are the way to go.

Encrypting Files

Use age.

Age is what PGP file encryption would be if PGP didn’t suck shit.

Age has two modes: Public-key encryption, and password-based key derivation.

Here’s a quick comparison table between what age offers, and what PGP uses in the installed base:

Like, it’s not even close.

Some PGP proponents will insist that AEAD is possible now, but as long as the installed base of PGP remains backwards compatible with the lowest common denominator, that’s what your software uses.

Just use age. Or rage, if you’re a Rust enthusiast.

(And if you have concerns about “which age key should I trust?”, I’m already planning an age-v1 extension for the Public Key Directory project. More on that below.)

Private Messaging

Use Signal.

Security teams around the world insist that they need PGP for bug bounty submissions or security operations, but Signal does this job better than PGP ever did.

Once upon a time, you needed to give people a phone number to use Signal, but that hasn’t been the case for a long time. Still, many people have missed that memo and think it’s a requirement.

My Signal username is soatok.45. Go ahead and message me. You won’t learn my phone number that way.

In the near future, I plan on developing end-to-end encryption for direct messages on the Fediverse (including Mastodon). This is what motivated my work on the Public Key Directory to begin with.

But this is not intended to be a Signal competitor by any measure. It’s a bar-raising activity, nothing more.

I understand some people don’t like or trust Signal for whatever reason, but every single alternative that’s been suggested to Signal has offered inferior cryptography to Signal’s. So I will continue to recommend Signal.

Miscellaneous PGP Alternatives

This section contains things people think they need PGP for.

Identity Verification

I’m actively working on something better!

If you want the ability to vend a transparently verifiable public key for a given user, that’s one of the use cases for the Public Key Directory I’m designing in order to build end-to-end encryption for the Fediverse.

Although this is purpose-built for the Fediverse, I’ve deliberately included support for Auxiliary Data messages, whose formats will be specified by protocol extensions.

Rather than trying to grok the Web-of-Trust, you can simply have your software check that multiple independent Public Key Directories have verified the record, since its inclusion is published in an append-only transparency log, secured by a Merkle tree.

My design doesn’t preclude any manual key verification, or key-signing parties, or whatever other PGP cultural weirdness you want to do with these public keys. It just establishes a baseline trustworthiness even if you’re not a paranoid computer nerd.

My project isn’t finished yet. In the meantime, you can manually check public keys when using the other recommendations on this page.

Encrypted Email

Don’t encrypt email. From the Latacora article:

Email is insecure. Even with PGP, it’s default-plaintext, which means that even if you do everything right, some totally reasonable person you mail, doing totally reasonable things, will invariably CC the quoted plaintext of your encrypted message to someone else (we don’t know a PGP email user who hasn’t seen this happen). PGP email is forward-insecure. Email metadata, including the subject (which is literally message content), are always plaintext.

There isn’t a recommendation for encrypted email because that’s not a thing people should be doing.

Now, there exists a minority of extremely technical computer user for which Signal is a nonstarter (because you need a smartphone and valid phone number to enroll in the first place).

Because those people are generally not the highest priority of cryptographers (who are commonly focused on the privacy of common folk–including people in poor and developing countries where smartphones are more common than desktop computers), there presently isn’t really a good recommendation for private messaging that meets their constraints.

Not Matrix.

Not XMPP+OMEMO.

Certainly not PGP, either.

What PGP offers here is security theater: the illusion of safety. But it’s not actually a robust private communication mechanism, as Latacora argues.

“I insist that I need encrypted email!”

If you find someone insisting that they “need” encrypted email, read up on the XY Problem. In a lot of cases, that’s what’s happening here.

Do they ipso facto need email (as in, specifically the email protocols and email software)?

And do they care more about this constraint, or the privacy of their communications?

Because if their goal just to communicate privately, see above.

If the tool they’re using being email is more important than privacy, they should consider sending empty messages with an attachment, and use age to encrypt the actual message before attaching it.

That’s serviceable, just beware that everything Latacora wrote about encrypted emails still applies to your use case, so expect someone to CC or forward your message as plaintext.

(Unless you’re legally required to use PGP because of a government regulation… in which case, why do you care about my recommendations if you’re chained by the ankle to your government’s bad technology choices?)

Finally, miss me with the “but someone can screenshot Signal” genre of objections.

As Latacora noted, people accidentally fuck up PGP all the time! It’s very easy to do.

Conversely, you have to deliberately leak something from Signal. There is no plaintext mode.

That’s the fucking bar you need to meet to compete with Signal.

PGP fails to be a Signal competitor, in ways that are worse than Threema, Matrix, or OMEMO.

Watch This Space

With all that said, I am actually designing an encrypted messaging protocol that will have an email-like user experience, except:

1. Everything is always end-to-end encrypted, with forward secrecy.
2. It’s not backwards compatible with insecure email.
3. It doesn’t use PGP, or any 1990’s era cryptography.

I can’t promise a release date yet. I’m prioritizing end-to-end encryption for the Fediverse before I write the specification for that project (tentatively called AWOO, but the cryptography underpinning both projects should be similar).

Maybe 2026? We’ll see!

If someone beats me to the punch, and their design is actually good, I’ll update the post and replace this with a specific recommendation.

Against PGP

I don’t know how to get the message out louder or clearer about how cryptographers feel about PGP than what I wrote here.

Latacora wrote their criticism in 2019. As I write this, 2024 is almost over. When will the PGP-induced madness end?

Experts are not divided here. There is no controversy to teach.

Every time a cryptographer has talked about PGP, it’s been to complain about how bad it is and opine that people shouldn’t be using it.

If you’ve read this far, you already know what you should be using instead.

Header art credits: CMYKat and the GnuPG logo.

Update (2024-11-16)

Someone tried to use their Fediverse software to submit an anti-furry comment to this blog post.

Therefore, I’ve added more furry art to it.

If you’re curious about the cryptography used by other messaging apps, please refer to this page that collects my blogs about this topic.

#alternatives #codeSigning #digitalSignatures #encryption #PGP #security #SecurityGuidance #signing

Why do you need a public key?
You Need a #PublicKey for:

#SecureCommunication:
#DigitalSignatures:
#Authentication:

Example Uses:
#EmailEncryption
#Codesigning
#websecurity
- https://qr.ae/p2AkK9
#IT #Security #WR3

As the field of #chipsecurity continues to evolve, staying ahead of potential threats while ensuring robust #protection mechanisms remains a constant challenge.

By understanding & implementing these advanced techniques, #manufacturers can significantly enhance the #security of #digitalsignatures in chips, safeguarding our increasingly connected world.

The Threat of Forgery

While #digitalsignatures are designed to be secure, they are not impervious to attacks. Forgery attempts, though extremely difficult when proper security measures are in place, remain a concern.

Types of forgery include total break, universal forgery, selective forgery & existential forgery.

The Fundamentals of #DigitalSignatures

Digital signatures rely on asymmetric #cryptography, utilizing a pair of keys: a private key for signing & a public key for verification. This system allows manufacturers to uniquely identify chips & verify their #authenticity.

The signing process involves hashing the chip's data or firmware & encrypting this hash with the chip's private key. Verification is then performed using the chip's public key, confirming both the integrity & origin of the data.

#DigitalSignatures in #Chip #Security: Balancing Threats & Protection

In #cybersecurity, digital signatures play a crucial role in ensuring the authenticity & integrity of electronic devices. As chips become increasingly complex & ubiquitous, understanding the intricacies of digital signatures, their implementation & potential vulnerabilities is more important than ever.

Me and the #SignServer team is happy to announce the release of SignServer Community 6.3 with an enchanced REST API, support for MS SQL Server, and upgrade to use Bouncy Castle 1.78.

Get it while it's hot! 😎️

#OpenSource #DigitalSignatures #CodeSigning #pki

https://github.com/Keyfactor/signserver-ce/releases/tag/v6.3.0.Final

The Corn Laws go digital | Cyberleagle

If you believe that digital signatures require a network of federated trusted third parties, clap your hands:

https://www.cyberleagle.com/2024/04/the-corn-laws-go-digital.html

https://alecmuffett.com/article/109709

#digitalSignatures #eidas #identity #regulation

The Corn Laws go digital | Cyberleagle
https://alecmuffett.com/article/109709
#DigitalSignatures #eidas #identity #regulation

Streamline trademark applications with digital signatures! Here’s how:

Understand digital signatures.
Get your Digital Signature Certificate.
Prepare application digitally.
Upload, sign, submit.
Track progress online. Simplify your journey!

Learn More:
https://www.setindiabiz.com/learning/add-digital-signature-trademark-application

#DigitalSignatures #TrademarkApplication
#setindiabiz

🔐✨ Μετασχηματίζοντας την Ψηφιακή Υπογραφή με ZOHO Sign ✨🔐

Σε έναν κόσμο όπου η ψηφιακή ασφάλεια και η αποδοτικότητα γίνονται όλο και πιο σημαντικές, πώς μπορούμε να διασφαλίσουμε ότι οι ψηφιακές μας συναλλαγές παραμένουν ασφαλείς, εύχρηστες και φιλικές προς το χρήστη; Η απάντηση μπορεί να βρίσκεται στο ZOHO Sign.

👉 https://zurl.co/VeUD

#DigitalSignatures #ZOHO #TechnologySolutions #SecureSigning #Efficiency #ZohoSign #ZohoTips #ZohoTipsDay #iwant2help #iwant2helptraining

Ditch the long process, embrace the ease! Manage rental agreements with ZeroChaos, and say goodbye to endless printing, signing, and stressing!
https://zerochaos.in/about-us/
#ZeroChaos #EffortlessRentals #DigitalAgreements #SimplifyRenting #StressFreeLiving #TechSavvyRenting #StreamlineManagement #DigitalSignatures #EfficiencyFirst