I have verified that I can sign on a 10.11.5 mac but when the OS is updated to 10.11.6 with the same Acrobat installation signing fails. The certificates show as valid and are used for login so I know they are valid. Any solutions so far?
Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.
I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understan
...
I've had the same issue. Doesn't matter if it's Adobe Reader or Adobe Reader DC. Seems to be an issue with 10.11.6.
For the record, I'm using a SCR331 card reader with the most recent version of CACKey as the middleware. I can still sign emails with the CAC--just can't sign a PDF.
Hi Jeffrey/Greg,
Can you please try to upgrade the CAC Reader driver using details in link MilitaryCAC's Apple / OS X 10.11 (El Capitan) Resource page and let me know if issue is resolved/still reproducible?
If you've just updated your Mac OS from 10.11.3 to 10.11.6 and your SCR 331, 3310, 3300v2, or 3500 model reader has stopped working, you may need to update the driver per https://forums.developer.apple.com/message/127598# You'll see in epeterso's 29 March reply where it has a link to the scmccid_mac_5.0.35.zip file
Thanks,
Shakti K
I too am having this issue as well. Per Shakti's write up above I attempted to do the following:
1- I have attempted the removal and reinstall of my CAC Enabler. Restart Mac; Issue Persists
2- I have installed the epeterso 29 March scmccid_mac_5.0.35 update. Restart Mac; Issue Persists
Note: The error received when attempting to sign = "credential selected for signing is invalid"
Any fix known for this issue?
As FYI: I also have a secondary system and I found this issue is resolved if I roll back my system to OS X 10.11.5; unfortunately my primary system's most recent 10.11.5 backup is too far in the past for me to roll back without a ton of work and time. I hope a fix is found soon.
I updated the driver as you suggested and still have the same issue. I can't digitally sign PDFs with my CAC.
One item of note: checking "Lock after signing" will appear to sign the document after you push save, in that the digital signature shows up on the document. However the "invalid credential" dialog box still shows up, and dismissing it makes the signature vanish.
Shakti -- Please see screenshot for additional debugging information. This artifact was created by signing a file and then while the "invalid credential" error was on the screen, copying the file in the background off to a new file to preserve its state, and then opening that copy. It would appear to implicate changes to the BER encoding in OSX or BER decoding handling in Acrobat as the source of the issue. Let me know if a sample file would be of value and I'll generate something which I can share.
Hi Sean,
The issue seems to be due to MAC OS Upgrade to 10.11.6.
Please send the sample file. We can try something here to debug the issue.
Thanks,
Shakti K
This is what mine looks like too.
I too have this issue on about 200 Mac systems. I have tried all of the following and the issue is unresolved:
This definitely seems to be from the OS X upgrade, but any help would be greatly appreciated!
Hi,
As stated above by Alain, that issue got resolved when he rolled back his system to MAC OS 10.11.5.
Thanks,
Shakti K
Shakti,
Surely Adobe is not meaning to advise users to roll their systems back to a known-vulnerable operating system version? As also documented by Alain and others, nearly every other application is behaving normally and appropriately under 10.11.6 - only Acrobat is giving users fits.
Seeing your second message, I'll generate and attach a sample file to this thread shortly.
We collectively appreciate yours and the team's efforts to solve this issue expeditiously - for many teams, this has resulted in a considerable work blockage which needs to be resolved soonest.
Thanks.
Sean
Hi Sean,
No, it is not advisable to roll the system back to a vulnerable version.
Please provide the file to debug.
Does signing work perfectly fine using Adobe Acrobat/Reader when signed using any other smart card other than CAC or any other certificate?
Shakti,
Appreciate the clarification and fully agreed!
Attached is a test document which will display a signature, but which obviously fails validation with the aforementioned BER decoding error.
Regarding other smartcards, my only others are at home presently so those will have to wait until end of day at least before I can try to test. Does anyone else reading have a non-CAC smartcard with which they might be able to test? I'm inferring that PIVs have already been tried (and failed), but it's a valid point that we need to provide that information explicitly to the engineers.
And regarding Acrobat Reader, it also fails to sign the document, providing the same error message, although it also adds another to say that the signature could not be applied.
Please let us know what else we can do to assist with getting this fixed.
https://drive.google.com/open?id=0BwLXdbqvRdLQVzFwWkNKRUJyeEk [Sample document]
Sean
Shakti, et al,
Any progress or update on this? Our users continue to experience considerable frustration with the Adobe platform in the wake of this, as they see all their other tools working except these. Please advise if we can provide additional information or assistance in the diagnostic process.
Sean
I'm having the same issue with PIV signing.
We are using Centrify and PIV. I was able to fix two machines with Acrobat Reader DC doing the following...
I didn't need to mess with the permissions. So I don't think executable permissions are actually required, thus the instructions are just…
- In Adobe Reader DC, open Preferences, then go to Signatures --> Identities & Trusted Certificates --> More...
- Click "PKCS#11 Modules and Tokens"
- Click "Attach Modules"
  - Enter path to your PKCS#11 module; for Centrify this is /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
- Click "OK"
- Click the little triangles to open up the module until you see the card
- Click the card
- Click on the email signing certificate (look for one that says Intended Usage: Digital Signature, Non-Repudiation)
- Click the "Usage Options" popup menu and select "Use for Signing"
- Click Close, then Click OK.
If you do the above and it doesn't fix it, look at the Certificate details and make sure your validation path looks good. (For me it's good when there are no triangles and only one path found.) If it shows any errors, try updating the Adobe Approved Trust List (AATL) under Preferences -> Trust Manager.
Thank you for the instructions. I got a licensed copy of Adobe Acrobat Pro DC and now I can sign PDF documents with my CAC again!
Hi everyone,
Please check the site MilitaryCAC's Ask your Mac specific question page and verify whether anything is missing in your case, as suggested on the site.
Thanks,
Shakti K
Shakti,
I have used other certificates with success. This appears relegated to CAC signing so far (No real isolation performed. This is strictly deductive). I utilize an SCM3310 cac reader.
For whatever that is worth...
PLEASE help us figure this out! I have the exact same problem. After upgrading to 10.11.6 I can no longer sign documents.
This is the solution: it assumes you are using CACKey, but can probably be translated to other middleware:
The above steps will need to be repeated for each user account on the machine.
If you're using something other than CACKey, then you'll need to determine the path for your PKCS#11 module. If you have Firefox or Thunderbird installed, then it's the same as the one you have configured in those applications in order to use your CAC.
Once this configuration change has been made, the signature dialog box will change slightly to include a field to enter your PIN (or as Adobe calls it, "certificate password"), as shown in the screen shot below. You'll need to enter your PIN here, rather than clicking Sign and then getting the standard OS X dialog to enter your PIN.
Thanks for posting such a great set of instructions, sillybaku.
But I have to parse that and call it a workaround vs a solution. Those steps are unnecessary for Safari, Chrome, Apple Mail, and all other (non-Mozilla) tools to maintain their interoperability with CACs on OSX, before and after 10.11.6.
Adobe still need to return to this with a solution which can restore the functionality and ease of configuration & use which users have been relying on for years.
Oh, I agree with that! But at least this will get the functionality back.
I agree with seanb51854381: while these instructions are great for many users, a permanent solution needs to be provided by Adobe or Apple. We utilize Centrify in our environment and unfortunately the steps above do not resolve the issue here. Installing CACKey will break the Centrify application.
When I try to apply a similar solution by pulling this file /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so into the "PKCS#11 Modules and Tokens" in Adobe I get the error "Could not load the PKCS#11 module."
I think this is the correct location to obtain the PKCS#11 module but I may be mistaken. From what I have read, Adobe doesn't like the .so extension but I cannot seem to locate a .dylib that will work. If anyone has a suggestion I would be grateful for the input.
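One way to narrow down a "Could not load the PKCS#11 module." error outside Acrobat, as an added example that is not part of any post in this thread and is not Adobe, Centrify or CACKey code: it checks whether a candidate file exists, whether the OS loader accepts it, and whether it exposes `C_GetFunctionList`, the entry point defined by the PKCS#11 standard. The helper names are hypothetical, and the result only applies to applications of the same CPU architecture as the Python interpreter running it.

```python
import ctypes
import os
import tempfile

class CK_VERSION(ctypes.Structure):
    # First member of CK_FUNCTION_LIST in the PKCS#11 (Cryptoki) headers.
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

def check_pkcs11_module(path):
    """Hypothetical helper: report how far loading `path` as a PKCS#11 module gets.

    Loading a library runs its initializers, so point this only at
    middleware you already have installed and trust.
    """
    if not os.path.isfile(path):
        return "missing", "no file at this path"
    try:
        lib = ctypes.CDLL(path)  # dlopen(); the file extension is irrelevant here
    except OSError as exc:
        return "not-loadable", str(exc)  # wrong architecture, not a library, ...
    try:
        get_list = lib.C_GetFunctionList  # entry point defined by PKCS#11
    except AttributeError:
        return "no-entry-point", "C_GetFunctionList is not exported"
    get_list.restype = ctypes.c_ulong  # CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_VERSION))]
    table = ctypes.POINTER(CK_VERSION)()
    rv = get_list(ctypes.byref(table))
    if rv != 0 or not table:  # CKR_OK is 0
        return "entry-point-failed", "C_GetFunctionList returned 0x%x" % rv
    version = table.contents
    return "ok", "Cryptoki %d.%d" % (version.major, version.minor)

def demo():
    """Run the check on two constructed inputs that must fail."""
    results = {}
    results["absent"] = check_pkcs11_module("/constructed/no/such/module.so")[0]
    with tempfile.NamedTemporaryFile(suffix=".so", delete=False) as fake:
        fake.write(b"constructed sample: plain text, not a shared library\n")
    try:
        results["text-file"] = check_pkcs11_module(fake.name)[0]
    finally:
        os.unlink(fake.name)
    return results

if __name__ == "__main__":
    import sys
    for candidate in sys.argv[1:]:
        print(candidate, *check_pkcs11_module(candidate))
```

Run it with the module path you intend to attach as the argument; a "not-loadable" result carries the loader's own error text, which usually says more than the dialog in the signing application.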