Introduction

odfsig is an Open Document Format (ODF) digital signatures tool: it can currently verify existing signatures.

The latest version is v24.8, released on 2024-08-01. See the release notes.

Description

odfsig verifies the digital signatures in an ODF document.

Dependencies

Build-time

Runtime

Platforms

odfsig has been used on a variety of platforms:

  • Linux
  • Windows
  • macOS

Resources

License

Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

Download

From GitHub.

Development notes

Coding style

  • Memory management: no manual delete. Use an std::default_delete<> template specialization when it comes to releasing resources with C library calls.

  • No conditional compilation at a C preprocessor level (#ifdef). If something like that is needed, create interfaces, create multiple implementations of that interface and implement a factory function multiple times. Use the build system to ensure that only one of the factory implementations is compiled.

  • Error handling: no exceptions. Return errors when dealing with user input, or use assert() to find bugs in the code.

  • Naming: type names (classes, etc.) should start with an upper-case letter (e.g. ZipVerifier). Other names should be camel case, and start with a lower case letter (e.g. openZip()). Class members are prefixed with an underscore (_).

  • Whitespace formatting: install the git hook in git-hooks/ to let clang-format handle formatting for you.
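
An added example (not odfsig's own code) of the memory-management and error-handling rules above: a std::default_delete<> specialization lets std::unique_ptr release a C library handle on every return path, and bad input is reported through the return value. DemoArchive, demoArchiveOpen(), demoArchiveClose() and checkArchive() are hypothetical stand-ins for a real C library API.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <memory>

// Constructed stand-in for a C library handle (hypothetical, not an odfsig type).
struct DemoArchive
{
    std::size_t nameLength;
};

static int liveArchives = 0; // open handle count, so a leak is observable

// C-style open/close pair, as a C library would provide it.
DemoArchive* demoArchiveOpen(const char* path)
{
    if (path == nullptr || path[0] == '\0')
        return nullptr; // bad user input is reported, not thrown
    auto* archive = static_cast<DemoArchive*>(std::malloc(sizeof(DemoArchive)));
    if (archive == nullptr)
        return nullptr;
    archive->nameLength = std::strlen(path);
    ++liveArchives;
    return archive;
}

void demoArchiveClose(DemoArchive* archive)
{
    std::free(archive);
    --liveArchives;
}

// With this specialization, std::unique_ptr<DemoArchive> releases via the C call.
namespace std
{
template <> struct default_delete<DemoArchive>
{
    void operator()(DemoArchive* ptr) const { demoArchiveClose(ptr); }
};
}

// Returns false on bad input; every return path closes the handle.
bool checkArchive(const char* path, std::size_t maxNameLength)
{
    std::unique_ptr<DemoArchive> archive(demoArchiveOpen(path));
    if (!archive)
        return false;
    if (archive->nameLength > maxNameLength)
        return false; // early return, handle is still closed
    return true;
}
```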

Checklist before release

Ideally CI checks everything before a commit hits master, but here are a few things which are not part of CI:

  • using system libraries: this works on latest stable openSUSE (Leap 15.3 currently):

        scripts/build.sh

    NOTE: the lack of --internal-libs is the point of this exercise

  • version check of libraries:

        scripts/extern.py

  • fuzzing:

        workdir/bin/odfsigfuzz -max_len=16384 tests/data/

    NOTE: This requires a --fuzz build.

Changelog

24.8

  • Maintenance release with up to date dependencies
  • the macOS port is now deprecated, CI & release binary will be removed in the next release

7.3

7.2

  • Fix a missing include
  • Update bundled externals
  • Use IMPORTED_LOCATION_<CONFIG> instead of patching for the zlib and googletest externals

7.1

  • Link bundled nss statically, which provides a self-contained executable on Linux and macOS

7.0

  • Update bundled googletest, libxml2, libxmlsec, libzip, nss and xmlsec to latest versions

6.0

  • Don't crash on directory argument

5.0

  • Can validate multiple files in one go

4.0

  • Initial XAdES certificate hash verify support
  • Automatic packaging on all platforms
  • Fix a crash found with fuzzing

3.0

  • Runs on macOS
  • Don't silently ignore unrecognized arguments

2.0

  • First release with multiple backends (MS CNG next to NSS)
  • Runs on Windows

1.0

  • Initial release
  • Runs on Linux
  • Can detect digest mismatches in signatures
  • Can detect certificate validation problems