@krzys-h
Created April 11, 2021 13:58
Validating e-DO App (Polish e-dowód electronic ID) signed files on Linux
#!/bin/bash
DIR=/tmp/pl.ID_CA
rm -rf "$DIR"
mkdir "$DIR"
# Import the root CA
curl -sS http://repo.e-dowod.gov.pl/certs/PLID_Root_CA.cer | certutil -d "$DIR" -A -n "PLID_Root_CA.cer" -t "C,C,C"
# Verify the root CA fingerprint against https://www.gov.pl/attachment/325d4a20-6347-454c-b3dd-9164535021ee (page 5)
# The certificate is downloaded over plain HTTP, so this manual check is what establishes trust in it.
# This command only prints the certificate - check the output manually!
certutil -d "$DIR" -L -n "PLID_Root_CA.cer"
# Import intermediate certificates (no trust flags: they are only trusted via the root CA)
curl -sS http://repo.e-dowod.gov.pl/certs/certyfikaty_pl.ID.txt | while read -r line; do
    curl -sS "http://repo.e-dowod.gov.pl/certs/$line" | certutil -d "$DIR" -A -n "$line" -t ",,"
done
# Print the entire certificate store for debugging
certutil -d "$DIR" -L
# Verify the document using the imported certificates
pdfsig -nssdir "$DIR" file.pdf
# You should get an output similar to the following:
#
# Digital Signature Info of: file.pdf
# Signature #1:
# - Signer Certificate Common Name: AAAAA BBBBB CCCCC
# - Signer full Distinguished Name: C=PL,SN=CCCCC,givenName=BBBBB,givenName=AAAAA,serialNumber=PNOPL-DDDDDDDDDDD,CN=AAAAA BBBBB CCCCC
# - Signing Time: Apr 11 2021 13:30:30
# - Signing Hash Algorithm: SHA-384
# - Signature Type: ETSI.CAdES.detached
# - Signed Ranges: [0 - 15806], [34752 - 60199]
# - Total document signed
# - Signature Validation: Signature is Valid.
# - Certificate Validation: Certificate is Trusted.
#
# If you see "Signature is Valid" and "Certificate is Trusted", that means the file is signed correctly
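The manual check described in the last comment can be scripted. The following is an added example, not part of the original gist: it reads a pdfsig report on stdin and succeeds only if every signature is reported valid and trusted and at least one signature covers the whole document. The function names, the sample report and the acceptance policy are assumptions made for this example.

```bash
# Added example, not part of the original gist.
# Reads a pdfsig text report on stdin and returns 0 only if the policy holds.
check_pdfsig_report() {
    awk '
        # Record the verdict for the signature block that just ended.
        function close_sig() {
            if (n == 0) return
            if (!(valid && trusted)) bad++
            if (total) covered++
        }
        /^Signature #[0-9]+:/ {
            close_sig()
            n++; valid = 0; trusted = 0; total = 0
            next
        }
        /- Signature Validation: Signature is Valid\./       { valid = 1 }
        /- Certificate Validation: Certificate is Trusted\./ { trusted = 1 }
        /- Total document signed/                            { total = 1 }
        END {
            close_sig()
            # Policy (assumption): at least one signature, every signature
            # valid and trusted, and at least one covering the whole file.
            exit !(n > 0 && bad == 0 && covered > 0)
        }
    '
}

# Constructed sample report in the line format shown above.
# $1 is the text printed after "Certificate Validation:".
sample_report() {
    printf '%s\n' \
        'Digital Signature Info of: file.pdf' \
        'Signature #1:' \
        '  - Signer Certificate Common Name: AAAAA BBBBB CCCCC' \
        '  - Signing Hash Algorithm: SHA-384' \
        '  - Total document signed' \
        '  - Signature Validation: Signature is Valid.' \
        "  - Certificate Validation: $1"
}

# Real use (DIR as in the script above):
#   pdfsig -nssdir "$DIR" file.pdf | check_pdfsig_report && echo "all signatures OK"
sample_report 'Certificate is Trusted.' | check_pdfsig_report && echo "sample report accepted"
```

A report with no "Signature #N:" block at all is rejected, so an unsigned PDF cannot pass by simply producing no failure lines.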