===== D-TRUST SIGNATURE VALIDATION =====

Did you receive a PDF document that I signed with a certificate using
D-TRUST sign-me[0]? Here is how you can verify that the signature is correct.

There is a sample document[1] on this server, signed with a basic signature.

=== VERIFYING BASIC SIGNATURES ===

D-TRUST sign-me provides basic electronic signatures for free. Still, the
certificate is only applied after the signer has authenticated their account
details using eID or video chat.

    # download "D-Trust Limited Basic Root CA 1 2015" from D-Trust
    wget https://www.d-trust.net/cgi-bin/D-TRUST_Limited_Basic_Root_CA_1_2015.crt

    # add to certificate store as trusted certificate authority for email
    certutil -d /etc/pki/nssdb -A -t ",C," -n "D-Trust Limited Basic Root CA 1 2015" -i D-TRUST_Limited_Basic_Root_CA_1_2015.crt

    # from now on, you can always verify my signatures using:
    pdfsig -nssdir /etc/pki/nssdb document.pdf

=== VERIFYING QUALIFIED SIGNATURES ===

The process is the same, but with a different root CA. D-TRUST sign-me charges
a lot of money for this type of certificate. In addition to the above, the user
validates their identity using SMS TAN or mobile 2FA before each signing
process.

    # download "D-Trust Root CA 1 2021" from D-Trust
    wget https://www.d-trust.net/cgi-bin/D-TRUST_Root_CA_1_2021.crt

    # add to certificate store as trusted certificate authority for email
    certutil -d /etc/pki/nssdb -A -t ",C," -n "D-Trust Root CA 1 2021" -i D-TRUST_Root_CA_1_2021.crt

    # from now on, you can always verify my signatures using:
    pdfsig -nssdir /etc/pki/nssdb document.pdf

=== REFERENCES ===

[0]: https://www.d-trust.net/de/loesungen/sign-me-portal
[1]: https://fynngodau.de/mystery/signatures/document.pdf
man pdfsig
man certutil
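
An added example, not part of the original page: a shell function that reads the report printed by the pdfsig command above and succeeds only if every signature is valid and trusted and at least one signature covers the whole file. The function name, the status strings (assumed to match what poppler's pdfsig prints) and the sample report are assumptions; the sample is constructed.

```shell
#!/bin/sh
# check_pdfsig_report: read a pdfsig report on stdin.
# Returns 0 if every signature is valid and chains to a CA trusted in the
# NSS database, and at least one signature covers the whole file.
# Returns 1 if any check fails, 2 if the report lists no signature at all.
# Assumption: status strings match those printed by poppler pdfsig.
check_pdfsig_report() {
    awk '
        function close_sig() {
            if (n == 0) return
            if (!(valid && trusted)) {
                printf "Signature #%d rejected: valid=%d trusted=%d\n", n, valid, trusted
                bad++
            }
            if (total) covered++
        }
        /^Signature #[0-9]+:/ { close_sig(); n++; valid = trusted = total = 0; next }
        /- Signature Validation: Signature is Valid\.$/ { valid = 1 }
        /- Certificate Validation: Certificate is Trusted\.$/ { trusted = 1 }
        /- Total document signed$/ { total = 1 }
        END {
            close_sig()
            if (n == 0) { print "No signatures found"; exit 2 }
            if (covered == 0) { print "No signature covers the whole file"; bad++ }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample report (not real output for the document on the page).
# $1 is the text placed after "Certificate Validation:".
sample_report() {
    cat <<EOF
Digital Signature Info of: document.pdf
Signature #1:
  - Signer Certificate Common Name: Example Signer
  - Signing Hash Algorithm: SHA-256
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: $1
EOF
}

# Real use: pdfsig -nssdir /etc/pki/nssdb document.pdf | check_pdfsig_report
sample_report "Certificate is Trusted." | check_pdfsig_report && echo "accepted"
sample_report "Certificate issuer is unknown." | check_pdfsig_report || echo "rejected"
```

A report whose certificate line says anything other than trusted usually means the matching root CA has not been imported into the NSS database yet.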