pdfsig: Failed Certificate Validation not reflected in exit code
Signing a PDF with a signature that comes from my own CA, I ask pdfsig (22.02 from Jammy) to validate it.
garloff@TuxKurt(//):~ [0]$ pdfsig Documents/TandC_signed2.pdf
Digital Signature Info of: Documents/TandC_signed2.pdf
Signature #1:
- Signer Certificate Common Name: XXXXX
- Signer full Distinguished Name: E=XXXX,CN=XXXX,O=XXXX,L=XXX,ST=XX,C=XX
- Signing Time: Jul 29 2022 18:56:40
- Signing Hash Algorithm: SHA-256
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 22564], [28158 - 28518]
- Total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate issuer is unknown.
garloff@TuxKurt(//):~ [0]$
So (unlike most GUI tools, such as e.g. okluar-22.04) it correctly detects that the issuer is unknown/untrusted. BUT: It still returns 0 as exit code, requiring a wrapper that parses the textual output to detect the untrustedness. Which is not good. (Complex, and not robust.)
I would expect the exit code to be non-zero (unless -nocert is passed of course). If we are afraid of breaking existing workflows, we could pass an option -strictcert or so to control the expected behavior.