Add Signature Properties verification panel

Adds a toolbar doorhanger that lists every digital signature in the
opened PDF, runs verification asynchronously on document load, and
reports per-signature trust status with grouped sub-revisions and
the certificate chain.

Worker (src/core/document.js, worker.js, src/display/api.js):
getSignatures() walks /AcroForm/Fields, slices ByteRange detached
payloads, maps SubFilter to the PDFSignatureAlgorithm enum, and
groups sub-signatures by ByteRange containment.

Bridge: web/external_services.js exposes createSignatureVerifier();
web/firefoxcom.js implements it via FirefoxCom.requestAsync against
NSS (verifyPdfSignature, viewPdfCertificate); web/genericcom.js +
web/generic_signature_verifier.js opt-in via
enableSignatureVerification with mock fixtures so the GENERIC
build doesn't ship a button that can't return real results.

UI: web/signature_properties_manager.js owns the doorhanger DOM,
auto-verifies on load, and updates the toolbar button with one of
four state icons (loading dots, green verified, orange warn, red
error). View certificate opens about:certificate in MOZCENTRAL.
Banner severity collapses to verified / warn / error with messages
keyed to the actual return-code combination (verified, untrusted,
expired, revoked, invalid, unknown). Sub-signatures render
recursively; the green status / certificate check is reserved for
the top-level card when every signature in the document is
verified. The "Certificate: <kind>" parenthetical shows specific
information per case: actual expiration date for expired (walking
the chain to find the truly-expired entry), issuer CN for
unknown-issuer / self-signed / untrusted-issuer, one-word reason
for revoked or generic untrusted.

Three full-color SVGs ship for the toolbar state icons (verified,
warn, error). The loading state uses pure-CSS animated dots.

Gated by the enableSignatureVerification AppOption — true in
MOZCENTRAL (real NSS path), false in GENERIC by default.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: beurdouche

gulpfile.mjs

@@ -225,6 +225,7 @@ function createWebpackAlias(defines) {
     "web-print_service": "",
     "web-secondary_toolbar": "web/secondary_toolbar.js",
     "web-signature_manager": "web/signature_manager.js",
+    "web-signature_properties_manager": "web/signature_properties_manager.js",
     "web-toolbar": "web/toolbar.js",
     "web-views_manager": "web/views_manager.js",
   };

l10n/en-US/viewer.ftl

@@ -785,3 +785,101 @@ pdfjs-views-manager-paste-button-after =
 pdfjs-new-badge-content = NEW
 
 pdfjs-views-manager-waiting-for-file = Uploading file…
+
+## Signature Properties (digital signature verification)
+
+pdfjs-signature-properties-button =
+    .title = Signature Properties
+    .aria-label = Signature Properties
+pdfjs-signature-properties-button-label = Signature Properties
+
+# Banner shown above the signature list summarizing the overall state.
+pdfjs-signature-properties-banner-verified = Document signed and verified
+# Variables:
+#   $signer (String) - display name of the top-level signer.
+pdfjs-signature-properties-banner-verified-with-signer = Document signed by <strong data-l10n-name="signer">{ $signer }</strong>
+# Variables:
+#   $count (Number) - number of signatures whose status is `unknown`.
+pdfjs-signature-properties-banner-unknown =
+    { $count ->
+        [one] Document signed but the signature could not be verified
+       *[other] Document signed but { $count } signatures could not be verified
+    }
+# Variables:
+#   $count (Number) - number of signatures whose certificate is untrusted.
+pdfjs-signature-properties-banner-untrusted =
+    { $count ->
+        [one] Document signed with a certificate that is not trusted
+       *[other] Document signed with certificates that are not trusted
+    }
+# Variables:
+#   $count (Number) - number of signatures whose certificate is expired.
+pdfjs-signature-properties-banner-expired =
+    { $count ->
+        [one] Document signed with an expired certificate
+       *[other] Document signed with expired certificates
+    }
+# Variables:
+#   $count (Number) - number of signatures whose CMS verification failed.
+pdfjs-signature-properties-banner-invalid =
+    { $count ->
+        [one] Document has an invalid signature
+       *[other] Document has invalid signatures
+    }
+# Variables:
+#   $count (Number) - number of signatures whose certificate is revoked.
+pdfjs-signature-properties-banner-revoked =
+    { $count ->
+        [one] Document signed with a revoked certificate
+       *[other] Document signed with revoked certificates
+    }
+
+# Per-signature status row.
+pdfjs-signature-properties-status-verified = Status: Signature verified
+pdfjs-signature-properties-status-unknown = Status: Unable to verify (unsupported)
+pdfjs-signature-properties-status-untrusted = Status: Signature verified
+pdfjs-signature-properties-status-expired = Status: Signature verified
+pdfjs-signature-properties-status-invalid = Status: Signature invalid
+pdfjs-signature-properties-status-revoked = Status: Signature verified
+
+# Per-signature certificate row.
+# Variables:
+#   $issuer (String) - issuer common name, e.g. "DigiTrust CA 3"
+pdfjs-signature-properties-certificate-trusted = Certificate: Trusted ({ $issuer })
+pdfjs-signature-properties-certificate-unknown = Certificate: Unavailable
+pdfjs-signature-properties-certificate-untrusted = Certificate: Untrusted
+# Variables:
+#   $reason (String) - one-word reason word, e.g. "self-signed".
+pdfjs-signature-properties-certificate-untrusted-with-reason = Certificate: Untrusted ({ $reason })
+# Variables:
+#   $issuer (String) - issuer common name from the leaf certificate.
+pdfjs-signature-properties-certificate-untrusted-unknown-issuer = Certificate: Unknown issuer ({ $issuer })
+# Variables:
+#   $issuer (String) - subject common name of the self-signed certificate.
+pdfjs-signature-properties-certificate-untrusted-self-signed = Certificate: Self-signed ({ $issuer })
+# Variables:
+#   $issuer (String) - common name of the untrusted issuer.
+pdfjs-signature-properties-certificate-untrusted-untrusted-issuer = Certificate: Untrusted issuer ({ $issuer })
+pdfjs-signature-properties-certificate-expired = Certificate: Expired
+# Variables:
+#   $reason (String) - locale-formatted notAfter date of the expired cert.
+pdfjs-signature-properties-certificate-expired-with-reason = Certificate: Expired ({ $reason })
+pdfjs-signature-properties-certificate-revoked = Certificate: Revoked
+# Variables:
+#   $reason (String) - one-word reason word, e.g. "revoked".
+pdfjs-signature-properties-certificate-revoked-with-reason = Certificate: Revoked ({ $reason })
+
+pdfjs-signature-properties-view-certificate = View certificate
+
+# Variables:
+#   $reason (String) - the reason text from the signature dictionary.
+pdfjs-signature-properties-reason = Reason: { $reason }
+# Variables:
+#   $timestamp (String) - the formatted signing timestamp.
+pdfjs-signature-properties-timestamp = Timestamp: { $timestamp }
+# Variables:
+#   $count (Number) - number of sub-signatures (revisions).
+pdfjs-signature-properties-sub-signatures = Sub-signatures ({ $count })
+
+pdfjs-signature-properties-verify = Verify
+pdfjs-signature-properties-reverify = Re-verify

src/core/document.js

@@ -1990,6 +1990,160 @@ class PDFDocument {
     return shadow(this, "fieldObjects", promise);
   }
 
+  #collectSignatureFields(fields, out, depth) {
+    const RECURSION_LIMIT = 10;
+    if (depth > RECURSION_LIMIT) {
+      warn("#collectSignatureFields: maximum recursion depth reached");
+      return;
+    }
+    if (!Array.isArray(fields)) {
+      return;
+    }
+    for (const fieldRef of fields) {
+      const field = this.xref.fetchIfRef(fieldRef);
+      if (!(field instanceof Dict)) {
+        continue;
+      }
+      if (field.has("Kids")) {
+        this.#collectSignatureFields(field.get("Kids"), out, depth + 1);
+        continue;
+      }
+      if (!isName(field.get("FT"), "Sig")) {
+        continue;
+      }
+      const sigDict = this.xref.fetchIfRef(field.get("V"));
+      if (!(sigDict instanceof Dict)) {
+        continue;
+      }
+      const parsed = this.#parseSignatureDict(field, sigDict, fieldRef);
+      if (parsed) {
+        out.push(parsed);
+      }
+    }
+  }
+
+  #parseSignatureDict(field, sigDict, fieldRef) {
+    const byteRange = sigDict.get("ByteRange");
+    if (
+      !Array.isArray(byteRange) ||
+      byteRange.length !== 4 ||
+      byteRange.some(n => !Number.isInteger(n) || n < 0)
+    ) {
+      return null;
+    }
+    const contents = sigDict.get("Contents");
+    if (typeof contents !== "string" || contents.length === 0) {
+      return null;
+    }
+
+    const filterName = sigDict.get("Filter");
+    const filter = filterName instanceof Name ? filterName.name : null;
+    const subFilterName = sigDict.get("SubFilter");
+    const subFilter = subFilterName instanceof Name ? subFilterName.name : null;
+
+    let signatureType = null;
+    if (subFilter === "adbe.pkcs7.detached") {
+      signatureType = 0;
+    } else if (subFilter === "adbe.pkcs7.sha1") {
+      signatureType = 1;
+    }
+
+    // Slice the two ByteRange byte spans out of the underlying PDF stream.
+    // ByteRange = [a, b, c, d] means signed bytes are [a..a+b] and [c..c+d];
+    // the gap covers the /Contents hex blob itself.
+    const [a, b, c, d] = byteRange;
+    const stream = this.stream;
+    const data = [
+      new Uint8Array(stream.getByteRange(a, a + b)),
+      new Uint8Array(stream.getByteRange(c, c + d)),
+    ];
+
+    const pkcs7 = stringToBytes(contents);
+
+    const t = field.get("T");
+    const fieldName = typeof t === "string" ? stringToPDFString(t) : "";
+    const name = sigDict.get("Name");
+    const reason = sigDict.get("Reason");
+    const location = sigDict.get("Location");
+    const contactInfo = sigDict.get("ContactInfo");
+    const m = sigDict.get("M");
+
+    const refKey =
+      fieldRef instanceof Ref ? `${fieldRef.num}.${fieldRef.gen}` : "inline";
+    const id = `${refKey}:${a}-${b}-${c}-${d}`;
+
+    const fileLength = stream.end || 0;
+    const lastSignedByte = c + d;
+
+    return {
+      id,
+      fieldName,
+      signerName: typeof name === "string" ? stringToPDFString(name) : null,
+      reason: typeof reason === "string" ? stringToPDFString(reason) : null,
+      location:
+        typeof location === "string" ? stringToPDFString(location) : null,
+      contactInfo:
+        typeof contactInfo === "string" ? stringToPDFString(contactInfo) : null,
+      signingTime: typeof m === "string" ? m : null,
+      filter,
+      subFilter,
+      signatureType,
+      byteRange,
+      pkcs7,
+      data,
+      revisionIndex: 0,
+      parentId: null,
+      coversWholeDocument: fileLength > 0 && lastSignedByte >= fileLength - 100,
+    };
+  }
+
+  get signatures() {
+    const promise = this.pdfManager
+      .ensureDoc("formInfo")
+      .then(async formInfo => {
+        if (!formInfo.hasSignatures) {
+          return [];
+        }
+        const annotationGlobals = await this.annotationGlobals;
+        if (!annotationGlobals) {
+          return [];
+        }
+        const fields = annotationGlobals.acroForm.get("Fields");
+        if (!Array.isArray(fields) || fields.length === 0) {
+          return [];
+        }
+
+        const collected = [];
+        this.#collectSignatureFields(fields, collected, 0);
+
+        // Group sub-signatures by ByteRange containment: outer revision is
+        // the largest covering signature (largest c + d). Sort descending,
+        // then point each later signature at the smallest enclosing parent
+        // that came before it.
+        collected.sort(
+          (a, b) =>
+            b.byteRange[2] + b.byteRange[3] - (a.byteRange[2] + a.byteRange[3])
+        );
+        for (let i = 0; i < collected.length; i++) {
+          const sig = collected[i];
+          sig.revisionIndex = i;
+          for (let j = i - 1; j >= 0; j--) {
+            const candidate = collected[j];
+            if (
+              candidate.byteRange[2] + candidate.byteRange[3] >
+              sig.byteRange[2] + sig.byteRange[3]
+            ) {
+              sig.parentId = candidate.id;
+              break;
+            }
+          }
+        }
+        return collected;
+      });
+
+    return shadow(this, "signatures", promise);
+  }
+
   get hasJSActions() {
     const promise = this.pdfManager.ensureDoc("_parseHasJSActions");
     return shadow(this, "hasJSActions", promise);

src/core/worker.js

@@ -549,6 +549,10 @@ class WorkerMessageHandler {
         .then(fieldObjects => fieldObjects?.allFields || null);
     });
 
+    handler.on("GetSignatures", function (data) {
+      return pdfManager.ensureDoc("signatures");
+    });
+
     handler.on("HasJSActions", function (data) {
       return pdfManager.ensureDoc("hasJSActions");
     });

src/display/api.js

@@ -1074,6 +1074,17 @@ class PDFDocumentProxy {
     return this._transport.getFieldObjects();
   }
 
+  /**
+   * @returns {Promise<Array<Object>>} A promise that is resolved with an
+   *   {Array} of digital signatures present in the document, each with
+   *   metadata (signerName, reason, signingTime, ...) plus the PKCS#7
+   *   blob and signed-data byte spans needed for verification. Returns
+   *   an empty array when no signatures are present.
+   */
+  getSignatures() {
+    return this._transport.getSignatures();
+  }
+
   /**
    * @returns {Promise<boolean>} A promise that is resolved with `true`
    *   if some /AcroForm fields have JavaScript actions.
@@ -3017,6 +3028,10 @@ class WorkerTransport {
     return this.#cacheSimpleMethod("GetFieldObjects");
   }
 
+  getSignatures() {
+    return this.#cacheSimpleMethod("GetSignatures");
+  }
+
   hasJSActions() {
     return this.#cacheSimpleMethod("HasJSActions");
   }