pdfbox-dev mailing list archives

From "Tilman Hausherr (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (PDFBOX-4261) Invalidated signature signing pdf twice
Date Sat, 07 Jul 2018 13:19:00 GMT

    [ https://issues.apache.org/jira/browse/PDFBOX-4261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535024#comment-16535024 ]

Tilman Hausherr edited comment on PDFBOX-4261 at 7/7/18 1:18 PM:
-----------------------------------------------------------------

can confirm that the problem happens when signing 92752146_noSign_anonymous.pdf twice with
1.8.

The signatures are OK, i.e. the ShowSignature example doesn't show any errors. The problem
seems to be related to one of your / your team's earlier issues (e.g. PDFBOX-3114), where
it came out that Adobe looks whether some "tree structures" were changed, e.g. indirect vs.
direct objects.

Some observations:
 - the object numbers of the pages are 4 and 42, /Pages is 3
 - the object numbers of the pages in the "bad" document are 55 and 50, /Pages is 59
 - in the "bad" document, one of the signatures is invisible but has an annotation entry.
That is allowed, but PDFBox stopped doing this at some time.
 - I tried handling it like in 2.0, i.e. not changing the page and not marking them for update,
but the objects changed anyway.
 - doing the PDFBOX-3631 change (avoid reusing the highest XRef stream object number) doesn't
solve it
 - the signature problem also happens with earlier 1.8.* versions
 - the signature problem doesn't happen with any 2.0.* versions, although below 2.0.2 no signatures
are shown

I'll look more at a later time but I can't guarantee that I'll find it and that it will be
corrected. Your client should really update to jdk 1.7, 1.8 or 1.9. Alternatively, try building
the 2.0 version with 1.6 and correct what doesn't work. If you're only doing signing, then
it is less to do.


was (Author: tilman):
 can confirm that the problem happens when signing 92752146_noSign_anonymous.pdf twice with
1.8.

The signatures are OK, i.e. the ShowSignature example doesn't show any errors. The problem
seems to be related to one of your / your team's earlier issues (e.g. PDFBOX-3114), where
it came out that Adobe looks whether some "tree structures" were changed, e.g. indirect vs.
direct objects.

Some observations:
- the object numbers of the pages are 4 and 42, /Pages is 3
- the object numbers of the pages in the "bad" document are 55 and 50, /Pages is 59
- in the "bad" document, one of the signatures is invisible but has an annotation entry. That
is allowed, but PDFBox stopped doing this at some time.
- I tried handling it like in 2.0, i.e. not changing the page and not marking them for update,
but the objects changed anyway.
- doing the PDFBOX-3631 change (avoid reusing the highest XRef stream object number) doesn't
solve it

I'll look more at a later time but I can't guarantee that I'll find it and that it will be
corrected. Your client should really update to jdk 1.7, 1.8 or 1.9. Alternatively, try building
the 2.0 version with 1.6 and correct what doesn't work. If you're only doing signing, then
it is less to do.

> Invalidated signature signing pdf twice 
> ----------------------------------------
>
>                 Key: PDFBOX-4261
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4261
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>    Affects Versions: 1.8.15
>            Reporter: Claudio Tortorelli
>            Priority: Major
>         Attachments: issue_data.zip
>
>
> A customer sent us a pdf that has this problem: when it is signed twice by *pdfbox 1.8.x*
> the second signature invalidates the first one.
> If we apply the same procedure using *pdfbox 2.0.x* the problem doesn't occur, but the
> customer required java 1.5 so we can't switch to the new version in this case.
> For +privacy purposes+ we had anonymized the original PDF file by editing 3 streams inside
> the pdf, without altering the original structure. So the file "92752146_noSign_anonymous.pdf"
> you can find in attachment has not the original text/image streams, but reproduces the problem
> as the original one.
> Thank you in advance
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org
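
Added example, not part of the original message and not PDFBox code: a small diagnostic for the question raised above, namely which already-existing objects (such as the pages or /Pages) a later signing rewrote. It splits a file into revisions at each %%EOF marker and lists the object numbers that each incremental update redefines. The function names and the sample bytes are assumptions made for illustration; the sample is constructed and is not a valid PDF.

```python
import re

# "N G obj" header of an indirect object; the look-behind avoids digit tails.
OBJ_HEADER = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b")


def revisions(pdf):
    """Split the file after each %%EOF marker: the first slice is the base
    document, each later slice is one incremental update (e.g. one signing)."""
    slices, start = [], 0
    for m in re.finditer(rb"%%EOF", pdf):
        slices.append(pdf[start:m.end()])
        start = m.end()
    return slices


def redefined_per_revision(pdf):
    """For every revision, list the object numbers it writes that an earlier
    revision had already defined. Heuristic only: objects stored inside
    object streams are not seen, and binary stream data can cause false hits."""
    seen, report = set(), []
    for chunk in revisions(pdf):
        numbers = {int(n) for n, _gen in OBJ_HEADER.findall(chunk)}
        report.append(sorted(numbers & seen))
        seen |= numbers
    return report


# Constructed sample: base document plus two incremental updates.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj\n"
    b"4 0 obj << /Type /Page /Parent 3 0 R >> endobj\n"
    b"%%EOF\n"
    # first update: catalog rewritten, signature field objects added
    b"1 0 obj << /Type /Catalog /Pages 3 0 R /AcroForm 10 0 R >> endobj\n"
    b"10 0 obj << /Fields [11 0 R] >> endobj\n"
    b"11 0 obj << /FT /Sig >> endobj\n"
    b"%%EOF\n"
    # second update: also rewrites /Pages (3) and the page (4)
    b"3 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj\n"
    b"4 0 obj << /Type /Page /Parent 3 0 R /Annots [12 0 R] >> endobj\n"
    b"10 0 obj << /Fields [11 0 R 12 0 R] >> endobj\n"
    b"12 0 obj << /FT /Sig >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for index, rewritten in enumerate(redefined_per_revision(SAMPLE)):
        print("revision", index, "rewrites existing objects:", rewritten)
```

Comparing this output for the file produced by 1.8 with the one produced by 2.0 shows which existing objects only the "bad" document rewrites in its second update.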

