How to sign a pdf in Okular or other FOSS program?
How do I sign a PDF in Okular?
To my knowledge, currently none of Okular's backends support electronic signatures, although that feature has been requested a number of times.
As an alternative, a PDF (or any other file) may be signed using a detached signature with GPG or any of its numerous frontends (such as Kleopatra or Kgpg in KDE).
I have a .png of my signature, and I basically want to insert it into the document on the dotted line
Do not do this.
Anyone having access to your PNG or any document where it is used, such as the PDF you are intending to embed this on, will have a perfect, infinitely reproducible copy of your autograph signature. It offers no security at all and in fact is detrimental to it: upon seeing your scribble on a document, recipients may be tempted to assume that it is authentic and not bother to check for an actual (and legally valid) electronic signature. Acrobat is, or at least used to be, a major offender in this regard—I have seen documents trivially "forged" because of this ill-conceived feature.
Okular (and Poppler) will support digital signatures in PDFs in its official release starting April 2021. Details are found in a post by TU Dresden, who has sponsored the implementation of this feature. Note that this not about inserting a graphics with your scanned signature, but about adding a solid digital certification to the PDF, similar to what is supported by some Adobe products.
As of December 2020, it is already possible to compile the current development version of Okular and the Poppler PDF library locally to obtain the feature. Instructions and a build script are provided with the TU Dresden post.
I have completed the installation using the instructions in the script (watch out for truncated lines in the online-preview!) on KDE Neon 5.20 (based on Ubuntu 20.04 LTS) using Poppler as of Commit 407293bf and Okular as of Commit 110ccd61 (future versions should of course continue to work, so this is just for full reproducibility). I have installed under /usr/local/
and created a start script okular-sign
with the variable definitions as in the TU Dresden manual. The new version of Okular identifies as "Version 21.03.70". As typical for KDE, this "local" version of Okular does interfere with the official one from the distribution, which is partly changed to the new version even when starting the old binary (presumably this is due to KDE's system-wide registration of "parts" or some such component). I hope that it will be possible to revert to an official version when signing support is released in my distribution's packages.
After successful installation, I could create a digital signature as advertised in the post:
- Open a PDF
- Click 'Digitally sign' in the 'Tools' menu. Alternatively add the "Digitally sign" icon in your preferred tool bar and click it.
- Draw a rectangle where you want to have the visible hint for the electronic signature.
- A dialogue will ask for the private key to use, in case there are multiple. Select the one you want to use.
- Enter the passphrase of your key.
One is prompted to save the signed PDF under a new file name after that.
Okular is limited by it's backend poppler. Within the last few months poppler has slowly been adding support for the nss backend. https://bugs.freedesktop.org/show_bug.cgi?id=16770
However, until this functionality is exposed in it's API (also being worked on) and until that API is utilized in Okular, it won't be able to sign/verify signed PDFs.
The cli tool pdfisg that comes with recent version of poppler can read signatures and determine if the signature is valid and if the cert issuer is trusted.
For signing, there is a FOSS java app called PortableSigner that can sign PDF documents. http://portablesigner.sourceforge.net/
Recent versions of LibreOffice also feature document signing.