[MIG] report_qweb_signer: Migration to 18.0

Refactor to use pyHanko and the new Odoo core `certificate.certificate` model.

For now, a minimal refactor has been made as PoC to:

- Use PyHanko as the signer library (more complete, mantained and reliable)
- Remove all the forme java pdfsigner stuff.
- Be able to use Odoo core certificates.

Main pain points:

- `cryptography` version is fixed in Odoo `requirements.txt`. This makes very hard for other libraries to work with that version.
- The approach has been using the `pyhanko-cli` tool as backend so we can install it in it's own `venv` (or whatever isolation method is desired).

MT-11131

Author: chienandalu

report_qweb_signer/README.rst

@@ -7,7 +7,7 @@ Qweb PDF reports signer
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:98ab01f40082429507d6180e23d3ffba607dff06c259e5adf5e41fd07bf25b76
+   !! source digest: sha256:8e3e54c5fb4cf809950609cadd0a782a02940ee7a40be85ffbc935d24ec465fa
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -28,8 +28,8 @@ Qweb PDF reports signer
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
 
-This module extends the functionality of report module to sign PDFs
-using a PKCS#12 certificate.
+This module extends the functionality of reports to sign PDFs using a
+PKCS#12 certificate.
 
 **Table of contents**
 
@@ -39,49 +39,36 @@ using a PKCS#12 certificate.
 Installation
 ============
 
-To install this module, you need to install Java JDK Headlees, e.g.:
+To install this module, you need to install pyhanko-cli, e.g.:
 
-   apt-get install default-jre-headless
+   pipx install pyhanko-cli
 
 Configuration
 =============
 
-In order to start signing PDF documents you need to configure
-certificate(s) to use in your company.
+To start signing PDF reports you'll need first to configure your desired
+certificate. To do so:
 
-- Go to ``Settings > Companies > Companies > Your company``
-- Go to ``Report configuration`` tab
-- Click ``Edit``
-- Add a new item in ``PDF report certificates`` list
-- Click ``Create``
-- Set name, certificate file, password file and model
-- Optionally you can set a domain and filename pattern for saving as
-  attachment
+- Go to *Settings > General Settings* and then to the section
+  *Certificates and Keys*. Then click on **Certificates**.
+- Add the cert you want to use: upload the file and set the password.
 
-For example, if you want to sign only customer invoices in posted state:
+Now you need to configure the reports using this certificate:
 
-- Model: ``account.move``
-- Domain:
-  ``[('move_type','=','out_invoice'), ('state', '=', 'posted')]``
-- Save as attachment:
-  ``(object.name or '').replace('/','_') + '.signed.pdf'``
+- Go to *Settings > Thecnical > Reporting > Reports*.
+- Search for the pdf report you want to sign.
+- In the report form, open the **Sign** tab.
+- Choose the **Certificate** you created before.
+- Optionally, you can set:
 
-**Note**: Linux user that executes Odoo server process must have read
-access to certificate file and password file
-
-Java Memory Settings
---------------------
-
-If you are signing large amounts of reports at the same time, or if you
-have a lower worker memory size than the JVM defaults, you may need to
-tune the JVM heap memory limits. Do so by adding a ``$JVM_ARGS``
-environment variable that contains the required flags. Check out these
-links too:
-
-- `StackOverflow
-  answer <https://stackoverflow.com/a/14763095/1468388>`__.
-- `Java
-  docs <https://docs.oracle.com/cd/E15523_01/web.1111/e13814/jvm_tuning.htm#PERFM161>`__.
+  - **Allow to sign only one document**: disallow signing a pdf that
+    contains multiple docs.
+  - **Save as attachment**: Set the signed document report file name
+    pattern. Example:
+    ``(object.name or '').replace('/','_') + '.signed.pdf'``
+  - **Signing domain**: Filter the document that will be signed.
+    Example:
+    ``[('move_type','=','out_invoice'), ('state', '=', 'posted')]``
 
 Usage
 =====
@@ -98,21 +85,25 @@ customer invoices.
 You can try the signing with the demo report that is included for
 customers called "Test PDF certificate".
 
-You can set extra parameters of JSignPdf library in the system parameter
-named 'report_qweb_signer.java_position_parameters', for example '-V' to
-visible signature into pdf. You can also set extra parameters for Java
-in the system parameter named 'report_qweb_signer.java_parameters'.
-
 Known issues / Roadmap
 ======================
 
-- When signing multiple documents (if 'Allow only one document' is
-  disable) then 'Save as attachment' is not applied and signed result is
-  not saved as attachment.
-- Add tests.
-- Why not taking the occasion to add the whole configuration at report
-  level (if to be signed or not, the domain, etc...)? See
-  https://github.com/OCA/reporting-engine/pull/533#issuecomment-898321161
+- This version 18.0 depends on pyhanko-cli for signing the documents,
+  which isn't ideal at all but avoids the dependency hell coming from
+  cryptography requisites.
+- In Odoo 19.0 Odoo implemented their own signing mechanism. We could
+  backport it but it depends on python 12 which supports the proper
+  cryptography library version and that would leave out any
+  infrastructure using lower versions. So: for v19 we should get rid of
+  all that external stuff and just use the core one. (ref:
+  https://github.com/odoo/odoo/pull/194698)
+- When signing multiple documents (if *Allow only one document* is
+  disabled) then *Save as attachment* is not applied and signed result
+  is not saved as attachment.
+- Add more tests.
+- This module is incompatible with the ``account_edi_ubl_cii`` module,
+  because the PDF content is altered after rendering. See:
+  https://github.com/odoo/odoo/blob/5977da2c93d522ece984d2fa8a31624f4b612eca/addons/account_edi_ubl_cii/models/account_move_send.py#L131C9-L140
 
 Bug Tracker
 ===========
@@ -154,13 +145,6 @@ Contributors
 Other credits
 -------------
 
-External utilities
-~~~~~~~~~~~~~~~~~~
-
-- JSignPdf: © Josef Cacek - License `MPL <http://www.mozilla.org/MPL>`__
-  or `LGPL2 <http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html>`__
-  - http://jsignpdf.sourceforge.net/
-
 Icon
 ~~~~
 

report_qweb_signer/__manifest__.py

@@ -6,26 +6,12 @@
 {
     "name": "Qweb PDF reports signer",
     "summary": "Sign Qweb PDFs usign a PKCS#12 certificate",
-    "version": "16.0.1.0.4",
+    "version": "18.0.1.0.0",
     "category": "Reporting",
     "website": "https://github.com/OCA/reporting-engine",
-    "author": "Tecnativa, " "Odoo Community Association (OCA)",
+    "author": "Tecnativa, Odoo Community Association (OCA)",
     "license": "AGPL-3",
-    "installable": True,
-    "depends": ["web_editor"],
-    "external_dependencies": {
-        "python": [
-            "endesive<=2.18.5 ; python_version < '3.12'",
-            "endesive ; python_version >= '3.12'",
-            "cryptography",
-        ],
-        "deb": ["default-jre-headless"],
-    },
-    "data": [
-        "data/defaults.xml",
-        "security/ir.model.access.csv",
-        "views/report_certificate_view.xml",
-        "views/res_company_view.xml",
-    ],
-    "demo": ["demo/report_partner_demo.xml", "demo/report_certificate_demo.xml"],
+    "depends": ["certificate", "account"],
+    "data": ["views/ir_actions_report_views.xml"],
+    "demo": ["demo/certificate_demo.xml", "demo/report_partner_demo.xml"],
 }

report_qweb_signer/data/defaults.xml

@@ -0,0 +1,12 @@
+<odoo noupdate="1">
+    <record id="demo_db_certificate" model="certificate.certificate">
+        <field name="name">Demo Certificate Qweb</field>
+        <field
+            name="content"
+            type="base64"
+            file="report_qweb_signer/static/certificate/test.p12"
+        />
+        <field name="pkcs12_password">admin</field>
+        <field name="company_id" ref="base.main_company" />
+    </record>
+</odoo>

report_qweb_signer/demo/certificate_demo.xml

@@ -41,7 +41,12 @@ License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
         <field
             name="attachment"
         >'test_' + (object.name or '').replace(' ', '_').lower() + '.pdf'</field>
+        <field name="certificate_id" ref="report_qweb_signer.demo_db_certificate" />
+        <field
+            name="signed_attachment"
+        >'test_' + (object.name or '').replace(' ', '_').lower() + '.signed.pdf'</field>
         <field name="attachment_use">True</field>
+        <field name="signing_allow_only_one">True</field>
         <field name="binding_model_id" ref="base.model_res_partner" />
         <field name="binding_type">report</field>
     </record>

report_qweb_signer/demo/report_certificate_demo.xml

@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 16.0\n"
+"Project-Id-Version: Odoo Server 17.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -112,11 +112,6 @@ msgstr ""
 msgid "Java"
 msgstr ""
 
-#. module: report_qweb_signer
-#: model:ir.model.fields,field_description:report_qweb_signer.field_report_certificate____last_update
-msgid "Last Modified on"
-msgstr ""
-
 #. module: report_qweb_signer
 #: model:ir.model.fields,field_description:report_qweb_signer.field_report_certificate__write_uid
 msgid "Last Updated by"
@@ -134,6 +129,7 @@ msgstr ""
 
 #. module: report_qweb_signer
 #: model:ir.model.fields,field_description:report_qweb_signer.field_report_certificate__model_id
+#: model:ir.model.fields,field_description:report_qweb_signer.field_report_certificate__model_name
 msgid "Model"
 msgstr ""
 
@@ -153,11 +149,6 @@ msgstr ""
 msgid "PDF certificates"
 msgstr ""
 
-#. module: report_qweb_signer
-#: model_terms:ir.ui.view,arch_db:report_qweb_signer.view_report_certificate_form
-msgid "PDF report certificate"
-msgstr ""
-
 #. module: report_qweb_signer
 #: model:ir.model.fields,field_description:report_qweb_signer.field_res_company__report_certificate_ids
 msgid "PDF report certificates"

report_qweb_signer/demo/report_partner_demo.xml

@@ -0,0 +1,8 @@
+# Copyright 2025 Moduon Team S.L. <info@moduon.team>
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl.html).
+
+
+def migrate(cr, version):
+    # 1. Store certificate info (file path) to create the certs on post-mig
+    # 2. Transform report.certificate to their reports values
+    pass

report_qweb_signer/i18n/report_qweb_signer.pot

@@ -1,5 +1,2 @@
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
-
 from . import ir_actions_report
-from . import report_certificate
-from . import res_company