This is a proposal to fix #1330. The strategy is to change
SignatureHandler::getAvailableSigningCertificates to optionally narrow certificate search with nickname as hint, and to authenticate only where needed.
PK11_FindCertsFromNickname handles all cases fine:
PK11_Authenticate when needed
We can now call
pdfsig -add-signature -nick 'sc0:mycert1' -nss-pwd 'externalpw' -nssdir 'sql:/tmp/nssdb/' doc.pdf doc_signed.pdf, and it works.
Benefit for Qt frontends: Prior to this MR, users had to answer two password dialogs, one for NSS Cert DB and one for smart card, even if NSS Cert DB was empty. Now the empty NSS Cert DB is skipped and users have to answer only a single dialog.