pdfbox-users mailing list archives

From Thomas Chojecki <i...@rayman2200.de>
Subject Re: Multiple signatures
Date Mon, 04 Mar 2013 11:07:07 GMT
On 04.03.2013 10:39, Maruan Sahyoun wrote:
> Hi,
> how did you verify that the signature is invalid? It might be the
> intended behavior if the verification means that you have e.g. a
> yellow exclamation mark in Adobe Acrobat. Why might that be correct?
The exclamation mark only tells you that there are minor problems with the 
signature. If a signature is invalid or can't be parsed, Adobe will show 
an X instead of an exclamation mark [1]. All other symbols show that the 
signature _isn't_ invalid. Adobe complains in the screenshot that the 
certificate isn't trustful. Trustful means Adobe cannot check this 
certificate against its known trust center or the certificate is 
self-signed. So if Adobe Reader should show a checkmark [2], the 
certificate needs to be marked as trustful.

> Well, adding the first signature means the signature is applied with
> the state the PDF has at that point in time. Adding the second
> signature means adding additional content after the first signature
No, that's not correct. The signature covers the whole document incl. 
the incremental update. So if you sign once, you sign the original and 
the first update. After doing the second sign, you sign update 1 and 
update 2. See [3]. The first signature covers its own changes. If you 
alter a document after signing, the signature isn't automatically 
invalid. Adobe will inform the user that the document was altered after 
signing. The signature stays intact.

> was applied. This will be reflected in Acrobat by displaying the
> yellow exclamation mark. Inspecting the message in the signature
> dialog will say that after the signature was added changes were done
> to the PDF - which is correct.
The signature will be added incrementally. The previous sections 
wouldn't be altered at all. If you compare both documents with a diff 
tool that can handle PDF as text, you would see that the new signature 
doesn't change the previous document. What will happen is that with an 
incremental update the xref table/stream refers to altered and/or new 
objects. So if I want to sign the first page, PDFBox needs to alter the 
page object and write a new one. The new page uses the same object id and 
will be referred to by the xref table/stream. So if the parser reads the 
document and shows it on the screen, it will find the altered page. 
Most errors happen if the altered or new objects, or the xref 
table/stream, are broken.

> In order to verify if there might be an issue could you please
> provide some additional information.
> With kind regards
> Maruan

PS: Sorry for the long explanation of the problem. The signing 
process is a little bit complex and can't be explained in one or two 
sentences. If you have questions about signing, you can mail me directly 
so we don't go too far off-topic.

[3] http://partners.adobe.com/public/developer/en/images/tip3-2.jpg
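
Added example, not part of the original message and not PDFBox code: a small Python check of the point made above, that each signature's `/ByteRange` (the PDF signature dictionary entry, `[offset length offset length]`) ends where its own revision ends and that later incremental updates only append bytes. The helper names and the PDF-shaped sample bytes are constructed for illustration.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """Report, per /ByteRange, where the signed span ends and how many bytes
    later incremental updates appended after it."""
    report = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = map(int, m.groups())
        end = c + d
        report.append({
            "signed_end": end,
            "appended_after": len(pdf) - end,
            "covers_whole_file": a == 0 and end == len(pdf),
            # The only unsigned gap must be the /Contents hex string itself.
            "gap_is_contents": pdf[a + b:a + b + 1] == b"<" and pdf[c - 1:c] == b">",
        })
    return report

def append_signed_revision(pdf: bytes, name: bytes) -> bytes:
    """Constructed sample builder, NOT a real signer: appends an incremental
    update holding a signature dictionary with a zero-filled /Contents."""
    head = pdf + b"\n9 0 obj\n<< /Type /Sig /Name (" + name + b") /ByteRange ["
    fmt = b"0 %010d %010d %010d"
    mid = b"] /Contents "
    contents = b"<" + b"0" * 64 + b">"
    tail = b" >>\nendobj\nxref\ntrailer\n%%EOF\n"
    start = len(head) + len(fmt % (0, 0, 0)) + len(mid)  # offset of '<'
    resume = start + len(contents)                        # first byte after '>'
    return head + fmt % (start, resume, len(tail)) + mid + contents + tail

# Constructed sample data: PDF-shaped bytes, not a renderable document.
ORIGINAL = b"%PDF-1.4\n1 0 obj\n<< /Type /Page >>\nendobj\nxref\ntrailer\n%%EOF\n"
SIGNED_ONCE = append_signed_revision(ORIGINAL, b"first")
SIGNED_TWICE = append_signed_revision(SIGNED_ONCE, b"second")

if __name__ == "__main__":
    # Earlier revisions survive byte-for-byte as prefixes of the later file.
    print(SIGNED_TWICE.startswith(SIGNED_ONCE), SIGNED_ONCE.startswith(ORIGINAL))
    for entry in signature_coverage(SIGNED_TWICE):
        print(entry)
```

A first signature whose `appended_after` is non-zero is the "document was altered after signing" case; whether those appended bytes are only a further signature or a content change has to be judged from the later revision's objects.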