Why I can one click delete digital signature from a protected document?

Report · Oct 01, 2018

Good day!

I have signed some test pdf document with a digital signature.

As you can see on a picture the document is totally protected from any modification.

Now I go to a signature panel and rightclick my signature.

There is a Clear Signature option, which do what it says - deletes my signature and make document editable again.

So the question is, why the locked down and certified document is 2 clicks away from editing right in your software?

I know, there is plenty shady apps that breaks pdf security in seconds, its a disaster but we live in it.

But how come that your own software is capable of such things?

Best regard, Denis

Report · Oct 01, 2018

As stated here Validating digital signatures, Adobe Acrobat

"You cannot remove a digital signature unless you are the one who placed it and you have the digital ID for signing it installed."

I could clear the signature on PC with no certificates installed, just with Adobe Acrobat Pro.

And when I clear certificate on a same PC i have signed it, Acrobat do not ask me to insert token (my private key is not imported).

Report · Oct 01, 2018

Did you save and close the file after signing it?

Report · Oct 02, 2018

Yes. Definitely.

Report · Oct 02, 2018

You can clear a signature profile that is installed on your computer. Whether or not it should ask you for the password to do that is a matter for discussion. I agree it might be better to have it do that, but it's not currently necessary.

Report · Oct 02, 2018

It's a detail, though, really, as most PDF software ignores security settings. This is no kind of security really. This is why signatures were invented! We can't stop them being removed and we can't stop editing after the signature. But we can absolutely detect that this was done.

Report · Oct 02, 2018

Thank you for your reply guys!

Yes, I understand the concept of signature. It is not a method to protect your data, it only can guarantee that content was not altered.

But never the less:

1. Adobe states in its documentation that you need a private key to unsign the document. It is not only rational. Its about following your own documentation.

2. I know a lot of software that breaks adobe security easily. This does not mean Adobe should ignore lesser security issues.

3. Such "Clear Signature" options make it possible for a receiving side to accidentally remove the signature. So its even a usability flaw.

Report · Oct 02, 2018

1+2) I agree with you and with TSN about this, but mind you, we are not Adobe... You should report it here: Feature Request/Bug Report Form

3) No, that's not the case, unless the receiving side has access to the digital signature profile that was used to sign the file.

I can't remove your signature and you can't remove mine. I can invalidate your signature, though, by editing the file.

Report · Oct 02, 2018

That's the problem! I can remove signature without having a private key =(

Empty digital signature profile, fresh Adobe Acrobat Pro install and I can remove the signature set on another PC with a USB token.

Thank you for your help guys!

Report · Oct 02, 2018

I agree Adobe should fix their documentation or software so they agree.