Mass Automated and Legally Secure Digital Signing of VP Hours
Currently, our institute faces a small problem with issuing VP (Participant) hours for students. (For those who don’t know: Psychology students have to participate in numerous experiments during their studies and receive so-called VP hours in return.) Previously, this was all done using a paper form, which was finally rendered impossible by COVID-19. We are currently in a semi-digital transition phase. Better than at the health department – we don’t send faxes – but not much better; the forms are filled out digitally and sent via email. The staff has to sign each VP hour individually. Normally, this signature isn’t even legally valid, as S/MIME isn’t used. There’s a better way! Using the jsignpdf tool, you can automatically sign hundreds of VP hours in no time with a digital signature. Here’s how it works.
First, you need a digital signature and the jsignpdf tool (http://jsignpdf.sourceforge.net/). The signature is available for free at TU Chemnitz through the URZ (https://www.tu-chemnitz.de/urz/security/ca/pindex.html). The issuance is quick and well-documented on the URZ site. Installing jsignpdf should not pose major issues, and there’s a Windows version available. On Arch Linux, I used yay:
yay -S jsignpdf
Now we can create a test signature for our document. I can’t explain it better than the URZ, so just follow the steps here: https://www.tu-chemnitz.de/urz/security/ca/pdfsig.html#sign
Step 5 is essential because it sets the position of the signature in the document (area in pixels). An image of the signature isn’t strictly necessary, as the document’s printed version is of no value, and the digital signature is already being checked for validity.
If the signature works for the document, we’re almost done. jsignpdf is clever and saves all chosen parameters in a configuration file. On Arch Linux, this is the dot-file .JSignPDF. It’s best to keep a separate copy of this file, so it can be adjusted and doesn’t need to be recreated when switching documents.
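Using jsignpdf from the command line, you can directly use the .JSignPDF (or another) configuration. If, for example, we have a folder (batch) with many VP hours, we can have jsignpdf sign all these documents (using bash):
# Read the keystore password without echoing it; -r keeps backslashes literal
read -rs mypassword
# Sign every PDF in batch/ using the saved settings and write the results to batch_out/
jsignpdf --load-properties --keystore-password "$mypassword" batch/*.pdf -d batch_out
# Remove the password from the shell session
unset mypassword
Since my signature is encrypted (yours likely is too!), I first read the password using read -rs. The variable is quoted so that a password containing spaces or special characters is passed unchanged. After jsignpdf execution, the password is deleted from the shell session. While jsignpdf runs, however, the password is part of its command line and can be seen in the process list by other users on the same machine.
--load-properties specifies that the .JSignPDF should be used. If you have another file, use --load-properties-file <file>.
-d is the folder where the signed documents will be saved. In my case, the unsigned documents are in batch and are saved in batch_out after signing.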
Signing each document takes a short moment, about 0.5-1s per signature. This is because a lot of information needs to be integrated into the file. It still goes pretty quickly, especially compared to the manual method.
The result in a PDF viewer (here Okular) looks like this:
The document is valid and has not been tampered with. But who guarantees that the signature is really mine? You can see that here:
The DFN has verified my identity (via ID card) and guarantees that the signature belongs to me. Unless someone stole my signature without my knowledge, this is all pretty secure, even safer than an offline signature!
If the document is subsequently altered, Okular will indicate this:
Manipulation is therefore immediately exposed.
The documents still need to be sent to the students, but this is simply done by a student assistant.
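An added example, not part of the original post: a shell function that checks, before the batch is handed over for sending, that every PDF in batch has a counterpart in batch_out whose signature validates and covers the whole file. It assumes poppler's pdfsig tool is installed and that jsignpdf wrote its outputs with the suffix _signed; the function name check_signed_batch and the SUFFIX variable are illustrative.

```bash
#!/usr/bin/env bash
# Added example: confirm every input PDF has a validly signed output.
# Assumptions: poppler's pdfsig is installed; jsignpdf wrote its files with
# the output suffix "_signed" (set SUFFIX if your settings differ).
SUFFIX="${SUFFIX:-_signed}"

# Prints one line per problem file; returns 0 only if all outputs verify.
check_signed_batch() {
    in_dir=$1 out_dir=$2 failed=0
    for src in "$in_dir"/*.pdf; do
        [ -e "$src" ] || continue              # input folder has no PDFs
        name=$(basename "$src" .pdf)
        out="$out_dir/${name}${SUFFIX}.pdf"
        if [ ! -s "$out" ]; then               # no output, or an empty file
            echo "MISSING   $out"; failed=1; continue
        fi
        report=$(pdfsig "$out" 2>&1) || true
        # The signature must validate and must cover the whole file;
        # otherwise content could have been appended after signing.
        if ! printf '%s\n' "$report" | grep -q 'Signature is Valid'; then
            echo "INVALID   $out"; failed=1
        elif printf '%s\n' "$report" | grep -q 'Not total document signed'; then
            echo "PARTIAL   $out"; failed=1
        fi
    done
    return "$failed"
}

# Run the check only when the script is called with both folders,
# e.g. ./check.sh batch batch_out
if [ "$#" -eq 2 ]; then
    check_signed_batch "$1" "$2"
fi
```

This only checks that the signature is intact; whether the signer certificate is trusted depends on the certificate store pdfsig uses on the machine.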
One downside is that the signature is always placed in the same location. The form used allows multiple VP hours to be entered. The script could be extended to check where the first empty field is and place the signature there. However, since this approach is only a temporary solution, the effort probably isn’t worth it. A digital solution without signatures is coming soon. Until then, using jsignpdf via the command line is an efficient solution for me and perhaps for a few others as well. And of course, it can be easily applied to all kinds of documents.