Is the document loaded from an existing file on disk or directly as a url from a remote server? http(s) or windows share ?

From a "being nice to end users PoV", I think a QtWE is the best approach
From a "being nice to our selves PoV", I think QTD is easiest, alternatively having a button to open in a browser.

Just for reference:
Make it signature pretty: https://dev.gnupg.org/T6732
Default path: https://dev.gnupg.org/T6731
signed_signed: https://dev.gnupg.org/T6730

Unfortunately, "make it not ugly" is a bit hard to work with. I'm open for ideas.

I'm going to assign this to @aheinecke - but @ebo might also have opinion on how it would be nice.

As this issue was originally just about the "versioned file" and where to place _signed, I think we should keep this closed. Will create new issues based on the notes here.

I'm told that this is also what acrobat does, which is one of the reasons for the current approach.

This should be in the newest for testing.

What I would like to be able to do would be:

The poppler api exposes it. Has done it since more or less the incarnation of pdf signing in poppler I think.

The poppler API exposes key usage extensions, and I'm trying to reconstruct them from the canX flags, which of course is highly inaccurate.

gpgme puts digitalSignature and norRepudiation into canSign. We need them separated at the sources (maybe exposing keyUsage directly in gpgme. That would also make the code in poppler better and more accurate. I'm trying to reconstruct the keyUsages from the canSign&friends functions.

I did a little bit of testing with okular, and it kind of gives similar numbers.