Applies to version: 2020.1.x and above; author: Marcin Pisarek
WEBCON BPS 2020 introduced the ability to sign PDF and/or DOCX attachments with digital signatures (X.509 certificates) on the MODERN form.
This article describes two actions:
- Sign an attachment – the action that signs an attachment
- Verify attachment’s signature – the action that checks whether the attachment was signed correctly
Detailed information about signing attachments and digital signatures can be found in the article “Applying digital signatures to attachments”.
A simple workflow was configured:
Fig. 1. Workflow configuration – schema
The workflow consists of the following steps:
- Registration – the step in which the contract details are filled in
- Preparation – the step in which the contract is prepared
- Verification – the step in which the attachment with the contract is signed and verified
- Archive – the step in which all prepared and verified contracts are located
The “Sign an attachment” and “Verify attachment’s signature” actions will be configured in the “Verification” step.
A user can sign an attachment only from the context menu of that individual attachment. The signature is applied to individual attachments.
The “Sign an attachment” action is configured in the “Attachments menu”. Note that the action name will be displayed in the attachment context menu on the form. After adding the “Sign an attachment” action, open its configuration with the “Configure” button.
Fig. 2. Configuration of the “Sign an attachment” action
In the configuration of the action, select “Signature performed by the user”. By default, the signed file has the same name, category and description as the source file, in which case a new version of the attachment is created. You can change how the file is converted in the “Configuration of signed attachments” section.
To use this action, open the form in Internet Explorer (an ActiveX component is required).
To sign the attachment, the user must expand the context menu and select the signature action. For the above configuration, this action is available in the “Verification” step.
Fig. 3. The form – selecting the “Sign an attachment” action from the context menu
A window then appears in which you select the digital signature (X.509 certificate) with which the attachment should be signed.
Fig. 4. The form – selecting the digital signature
After the certificate is selected, the attachment is electronically signed, provided the certificate matches the configured publisher filter.
Fig. 5. The form – a message about completing the “Sign an attachment” action
The verification process allows you to check the certificate publisher and the digital signature parameters (the validation date, publisher trust, etc.).
This action can be configured for the context menu of the individual attachment in the “Attachments menu” option, or on a transition/final path. After adding this action on the “Verified” path, open its configuration with the “Configure” button.
Fig. 7. Configuration of the “Verify attachment’s signature” action
The configuration of the action is divided into three sections:
Attachments to be processed
The method of selecting the attachments for which the verification will be performed. The selection can be based on a category, a regular expression or an SQL query.
The second section defines the following parameters: validation level and certificate publisher filter.
There are two validation levels:
- Valid signature – the correctness of the signature is verified, but the certificate publisher trust is not checked
- Valid signature and trusted certificate – both the correctness of the signature and the certificate publisher trust are verified
The “Certificate issuer filter” field defines the certificate publisher. This option allows you to select only the trusted publisher – in our case it is the digital certificate.
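The difference between the two validation levels can be reproduced outside WEBCON BPS with OpenSSL. The script below is an added example, not part of the original article or of the product: it uses a detached CMS signature over a text file as a stand-in for a signed PDF/DOCX, and every file name, certificate subject and key in it is constructed for the demo.

```bash
#!/bin/sh
# Constructed demo: keys, certificates and the "contract" are generated locally.
# A detached CMS signature stands in for the signature embedded in a PDF/DOCX.

make_fixture() {  # $1 = empty working directory
  printf 'Contract 2020/001 (constructed sample)\n' > "$1/contract.txt"
  printf 'Contract 2020/001 (amount altered)\n' > "$1/tampered.txt"
  # Self-signed signer: anyone can create one, no publisher vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Self-Signed Signer' \
    -keyout "$1/signer.key" -out "$1/signer.pem" 2>/dev/null
  # Unrelated publisher certificate, used only as a trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Trusted Publisher' \
    -keyout "$1/publisher.key" -out "$1/publisher.pem" 2>/dev/null
  openssl cms -sign -binary -in "$1/contract.txt" -signer "$1/signer.pem" \
    -inkey "$1/signer.key" -outform DER -out "$1/contract.p7s" 2>/dev/null
}

# "Valid signature": -noverify skips the certificate chain check entirely.
check_signature_only() {  # $1 = dir, $2 = content file
  openssl cms -verify -binary -noverify -inform DER -in "$1/contract.p7s" \
    -content "$2" -out /dev/null 2>/dev/null && echo pass || echo fail
}

# "Valid signature and trusted certificate": the signer certificate must also
# chain to a trusted anchor ($3, in addition to OpenSSL's default directory).
check_signature_and_trust() {  # $1 = dir, $2 = content file, $3 = anchor PEM
  openssl cms -verify -binary -inform DER -in "$1/contract.p7s" \
    -content "$2" -CAfile "$3" -out /dev/null 2>/dev/null && echo pass || echo fail
}

run_demo() {
  d=$(mktemp -d) && make_fixture "$d" || return 1
  echo "signature only, original file:   $(check_signature_only "$d" "$d/contract.txt")"
  echo "signature only, tampered file:   $(check_signature_only "$d" "$d/tampered.txt")"
  echo "with trust, unrelated publisher: $(check_signature_and_trust "$d" "$d/contract.txt" "$d/publisher.pem")"
  echo "with trust, signer as anchor:    $(check_signature_and_trust "$d" "$d/contract.txt" "$d/signer.pem")"
  rm -rf "$d"
}

run_demo
```

The self-signed signer passes the signature-only check but fails as soon as a trusted publisher is required, so the “Valid signature” level on its own confirms that the file was not altered after signing, not who signed it.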
In the “Behavior” field there are two options:
- Information – the system allows you to go through the path regardless of the verification result, and the verification status is logged in the system.
- Block transition – if the signature verification fails, the system does not allow you to go through the path, and the verification status is logged in the system.
Verification results
In this section you select the form fields in which the verification result will be saved. These form fields can be used in the next steps.
To verify the digital signatures, go through the path on which the “Verify attachment’s signature” action is defined, or use the context menu of the individual attachment.
For the above configuration, the action is available on the “Verified” path in the “Verification” step. When you go through the path, the verification action is performed and the instance moves to the “Archive” step. The result will be saved in the form fields indicated in the configuration of the action.
Fig. 8. The form – result of the configuration