Participant
July 20, 2016
Answered

10.11.6 CAC signing not working with 11.0.17 Acrobat


I have verified that I can sign on a 10.11.5 Mac, but when the OS is updated to 10.11.6 with the same Acrobat installation, signing fails. The certificates show as valid and are used for login, so I know they are valid. Any solutions so far?

This topic has been closed for replies.
Correct answer Andrea Valle

Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.

I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understand and solve this issue.

Kenneth has just released a new version 0.7.8 of the CACkey driver that should solve this issue and includes several fixes.

It is already available for Download from here: Index of /download/0.7.8

Please give it a run and let us know if it works for you.

Note: this update is specific to CACkey driver users. We heard that some users of the Centrify driver have been impacted as well. We need more help to investigate it, as it may also require an update to work again. Please consider using CACkey version 0.7.8 until we have more to share on Centrify.

Best regards

Andrea Valle, Sr. Product Manager, Adobe Document Cloud

And now some technical details…*

Adobe Acrobat has adopted SHA256 as the default digest algorithm for digital signatures since version 9.1 (2009). However, CACkey drivers before v.0.7.8 don’t support SHA256 when used via Apple Keychain/tokenD, but only the deprecated SHA1 algorithm. To make the signature possible when SHA256 is not supported, Acrobat adopts a fallback mechanism to SHA1.

Apple Mac OSX update 10.11.6 made SHA-2 (which was previously unsupported) the default hashing algorithm, due to which the behavior of certain crypto APIs in OSX has changed. For this reason Acrobat started to fail signing: the SHA1 fallback mechanism is impacted by these crypto API changes and fails.

CACKey 0.7.8 for Mac OSX now includes a new PKCS11.tokend module that adds SHA-2 support (SHA256, SHA384, and SHA512), so Acrobat does not have to fall back to SHA1 anymore.

Adobe is working to fix the fallback mechanism in Acrobat due to OSX 10.11.6, but this has no more impact on signing with CACkey driver after the user updates to version 0.7.8.

* Thanks to Kenneth Van Alstyne and Adobe’s Krishna Kumar Pandey for working hard at solving this issue.

17 replies

janes_p
Inspiring
August 9, 2018

Thanks for the clarification Andrea Valle, and also for the technical background.

Can you clarify a bit more what exactly causes the message "The credential selected for signing is invalid".

Reason: I am working with our Swiss signature provider SwissSign (operated by Swiss Post) to get our certificate to work with Adobe Acrobat (Pro DC, in my case).

Swiss Post support page: Postsuisseid - Postsuisseid (images missing, unfortunately)

Andrea Valle
Community Manager
August 9, 2018

Hi Peter,

I think you should better create a new thread for your issue because it's unrelated to this thread (signing with CAC cards).

Anyways, the message "The credential selected for signing is invalid" can have multiple reasons, the most common of which is that the Key Usage or Extended Key Usage of the SwissSign certificate is not suitable for digitally signing a document.

For example it could be intended only for client authentication or encryption, so Acrobat will deem it as invalid for signing.

Please check this page for more information about this under the 11.0.9 section:

A: Changes Across Releases — Digital Signatures Guide for IT

Regards

Andrea
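The Key Usage / Extended Key Usage check described in the reply above, as an added example that is not part of the original post and not Adobe's code. The rule it applies (a signing certificate needs `digitalSignature` or `nonRepudiation`, and an Extended Key Usage limited to TLS authentication is unsuitable) is an assumed simplification; the two sample inputs are constructed extension skeletons, not real certificates.

```python
KU_BITS = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
           "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()
OID_KU, OID_EKU = bytes.fromhex("551d0f"), bytes.fromhex("551d25")  # 2.5.29.15, 2.5.29.37
TLS_ONLY = {bytes.fromhex("2b06010505070301"),   # serverAuth 1.3.6.1.5.5.7.3.1
            bytes.fromhex("2b06010505070302")}   # clientAuth 1.3.6.1.5.5.7.3.2

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                             # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def find_extension(blob, oid):
    """Return the extnValue content of the extension with this OID, else None."""
    for tag, val in tlvs(blob):
        if tag & 0x20:                           # only constructed types nest
            kids = list(tlvs(val))
            if tag == 0x30 and kids and kids[0] == (0x06, oid):
                return kids[-1][1]
            hit = find_extension(val, oid)
            if hit is not None:
                return hit
    return None

def signing_problems(cert_der):
    """Assumed rule, not Acrobat's exact logic: flag auth-only/encryption-only certs."""
    problems = []
    ku = find_extension(cert_der, OID_KU)
    if ku is not None:
        bits = next(tlvs(ku))[1][1:]             # drop the unused-bits count byte
        names = {KU_BITS[i] for i in range(min(len(bits) * 8, 9))
                 if bits[i // 8] & (0x80 >> i % 8)}
        if not names & {"digitalSignature", "nonRepudiation"}:
            problems.append("keyUsage has no signing bit: " + ",".join(sorted(names)))
    eku = find_extension(cert_der, OID_EKU)
    if eku is not None and {v for _, v in tlvs(next(tlvs(eku))[1])} <= TLS_ONLY:
        problems.append("extendedKeyUsage allows TLS authentication only")
    return problems

# Constructed certificate-shaped skeletons (extensions only), not real certificates.
AUTH_ONLY = bytes.fromhex("302b3029a3273025300e0603551d0f0101ff040403020520"
                          "30130603551d25040c300a06082b06010505070302")
SIGNING = bytes.fromhex("30163014a3123010300e0603551d0f0101ff0404030206c0")
print(signing_problems(AUTH_ONLY), signing_problems(SIGNING))
```

For a real certificate exported as PEM, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the resulting bytes to `signing_problems()`.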

Participant
January 16, 2018

UPDATE: Within 10 minutes of posting and re-reading the beginning of this post and running the CACKey driver from page 1 and following the "attach module" steps that are in the notes, the rest was cake and I was able to sign digitally with my CAC. I was hesitant at first to download but after purchasing the subscription and the inability to still not sign, I was in dire need of a solution. That solution was the CACkey driver.

Once that is installed then hit the "back" button and enter this " /usr/local/lib/pkcs11/cackey.dylib " under attach module and BOOM you have the answer.

*****I too am running into the issue of unable to sign with digital certs using my military CAC while using ADOBE DC.  I have traveled the webs and this forum and as many state ADOBE is not addressing the issue. I am running the latest IOS High Sierra 10.13.2 and Adobe DC will not see the CAC reader and of course the reader is plugged in with the card inserted; verified by logging into websites/military sites that require CAC log in.

SmartGraphicArt
Inspiring
December 28, 2017

Having the same issue with DC Pro (and Reader) on Windows 7.

December 31, 2019

I'm also having this same issue on Windows 10 Enterprise, Adobe Acrobat Pro DC (2015) v 15.006.30508, 90 Meter SmartCard Manager Plus 1.6.35 s on a VDI government network. When trying to digitally sign a pdf it will not read my token. I can self-sign. I log into my workstation with my token and can digitally sign and encrypt emails. My certificates are not expired. This is happening to everyone on base. Any help would be appreciated! We need to get this working as soon as possible!

Andrea Valle
Community Manager
Correct answer
October 21, 2016


Mouse07410
Participating Frequently
October 21, 2016

Andrea, that is great to hear, thank you!

FYI, the current OpenSC.tokend (see above for the pointers to GitHub) supports SHA-2 family, and ECC (ECDSA tested with MS Outlook, Apple Mail, Safari, Firefox; ECDH not tested). It is also open source.

Regarding PKCS11.tokend included in CACKey, that would mean that on MacOS 10.12 smartcard support would be in Legacy mode, rather than using new CTK?

Andrea Valle
Community Manager
October 21, 2016

Hi,

I think so but I defer to Kenneth to give you a definitive reply.

Andrea

Participating Frequently
October 20, 2016

A new update to Adobe Reader DC without positive results, this problem is still messing around. Are you going to fix this problem or not? For some of us this is urgent.

Mouse07410
Participating Frequently
October 20, 2016

Since I'm successful signing on 10.11.6 with both Acrobat Pro and DC (Classic), it suggests that the problem may be with Centrify tokend. Because I don't seem to need to load any PKCS#11 library at all.

P.S. Authentication works too, and without Centrify. ;-)

Participant
October 11, 2016

Another update to Adobe Acrobat Pro and we STILL CANNOT sign documents if the system is running OS X 10.11.6 and using Centrify to CAC authenticate. Why, Adobe, can we add the PKCS#11 module from Centrify to Adobe Acrobat Reader DC and not Adobe Acrobat Pro? This needs to be fixed ASAP.

Participating Frequently
September 19, 2016

Any news about this topic?

Mouse07410
Participating Frequently
September 19, 2016

PDF signing using smart card (CAC or PIV) works fine on Mac OS X 10.11.6. Tested with Acrobat Pro 11.0.17 and 15.006.30198. For it to work out of box you need a working tokend.

If you do not have a working tokend - then the workaround provided above (adding a PKCS#11 library that accesses the CAC directly) would solve the problem, assuming your PKCS#11 library works correctly.

Currently I'm using Open Source tools (OpenSC and OpenSC.tokend). These tools fully support my workflow for smartcards, including PDF signing, S/MIME (signature and encryption, using Apple Mail and MS Outlook 2011 and 2016), Web sites authentication (Apple Safari, Google Chrome, Firefox using PKCS#11 library opensc-pkcs11.so), and smartcard-based computer logon. I did not have to attach a PKCS#11 library, as it is unnecessary when your tokend is good:

Mac OS X 10.11.6 improved PDF signing - before Acrobat was only using SHA1 if the signing key was on a CAC. Now it correctly uses what it's supposed to - SHA256:

For those people who have problems with PDF digital signature - please check what tokend you're using, and try with a working one instead. I did, and you can see the results on the screenshots above.

Participating Frequently
September 1, 2016

Some new ideas? We are still having this problem and we need to resolve this problem as soon as possible.

Participating Frequently
September 2, 2016

No solutions other than what's posted above. Again, that workaround only seems to work with Acrobat Pro/Reader DC and NOT with Pro/Reader XI. I found that it worked with the full version of Centrify, but not with Centrify Express. Finally, yesterday's security update 2016-001 for El Capitan didn't fix it either...

Sorry,

John

Participating Frequently
September 2, 2016

I am working with the Acrobat Reader DC and the "solution" above didn't resolve the problem. I need a real solution to this problem.

August 29, 2016

Has there been any fix issued by Adobe for this? We tried the workarounds suggested within this post but have not had any success.

We are using CACs with 10.11.6.  Signing used to work using 10.10, but after upgrading to 10.11.6, unable to sign...

Participant
August 12, 2016

Just wanted to add that we're seeing the same issue here. Centrify environment (thankfully not a ton of folks are making use of digital signatures as of yet) but I've tried Adobe Acrobat X, XI and Pro DC on 10.11.6 with zero success on signatures with certificates.

Made a 10.11.5 virtual machine to test it out and, of course, it worked just fine. I'll look into trying some of the other possible solutions (ie: trusting the Federal Bridge CA Certificate in Keychain Access, etc.). Any idea of a potential fix to this on the Adobe side yet? Rolling back just isn't acceptable.

Inspiring
August 16, 2016

I'd encourage people to report this as a bug here: Feature Request/Bug Report Form

Posting here sometimes will get an issue into Adobe's system, but it's no guarantee, even if Adobe staff respond in the forums.