Participant

Answered

10.11.6 CAC signing not working with 11.0.17 Acrobat

Forum|Forum|9 years ago
July 20, 2016
17 replies
63632 views

I have verified that I can sign on a 10.11.5 mac but when the OS is updated to 10.11.6 with the same Acrobat installation signing fails. The certificates show as valid and are used for login so I know they are valid. Any solutions so far?

This topic has been closed for replies.

Correct answer Andrea Valle

Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.

I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understand and solve this issue.

Kenneth has just released a new version 0.7.8 of the CACkey driver that should solve this issue and includes several fixes.

It is already available for Download from here: Index of /download/0.7.8

Please give it a run and let us know if it works for you.

Note: this update is specific to CACkey driver users. We heard that some users of the Centrify driver have been impacted as well. We need more help to investigate about it, as it may also require an update to work again. Please consider using CACkey version 0.7.8 until we have more to share on Centrify.

Best regards

Andrea Valle, Sr. Product Manager, Adobe Document Cloud

And now some technical details…*

Adobe Acrobat adopts SHA256 as the default digest algorithm for digital signatures since version 9.1 (2009). However, CACkey drivers before v.0.7.8 don’t support SHA256 when used via Apple Keychain/tokenD, but only the deprecated SHA1 algorithm. To make the signature possible when SHA256 is not supported, Acrobat adopts a fallback mechanism to SHA1.

Apple Mac OSX update 10.11.6 made SHA-2 (which was previously unsupported) as the default hashing algorithm, due to which the behavior of certain crypto API in OSX have changed. For this reason Acrobat started to fail signing: the SHA1 fallback mechanism is impacted by these crypto API changes and fails.

CACKey 0.7.8 for Mac OSX now includes a new PKCS11.tokend module that adds SHA-2 support (SHA256, SHA384, and SHA512), so Acrobat does not have to fallback to SHA1 anymore.

Adobe is working to fix the fallback mechanism in Acrobat due to OSX 10.11.6, but this has no more impact on signing with CACkey driver after the user updates to version 0.7.8.

* Thanks to Kenneth Van Alstyne and Adobe’s Krishna Kumar Pandey for working hard at solving this issue.

Show previous replies

franks66222332

Participating Frequently

Hi everyone, I have this same problem. Since we use Centrify, I too cannot use the workaround.

I wanted to add a clue that I see the following error with my cert when I view details: "The selected certificate has errors: Invalid policy constraint" and "Validation Model: Shell".

I tried to add the path for the PKCS#11 module as:

/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS/libccid.dylib

But Adobe Acrobat does not accept it.

I have tried 2 different CAC readers to no avail. The SCM3500 and the HID Omnikey 3121.

Any workaround would be welcome.

S

sillybaku

Participant

This is the solution: it assumes you are using CACKey, but can probably be translated to other middleware:

Verify permissions of /Library/CACKey/libcackey.dylib are correct; they should be -rwxr-xr-x (755) and owned by root, group admin. If they're not, change them using Terminal.app:
- sudo chown root:admin /Library/CACKey/libcackey.dylib
- sudo chmod 755 /Library/CACKey/libcackey.dylib
In Adobe Reader DC, open Preferences, then go to Signatures --> Identities & Trusted Certificates --> More...
Cick "PKCS#11 Modules and Tokens"
Click "Attach Modules"
Enter path to your PKCS#11 module; for CACKey this is /Library/CACKey/libcackey.dylib
Click "OK"
Click the little triangles to open up the module until you see the card
Click the card
Click on the email signing certificate (look for one issued by DOD EMAIL CA-xx and includes Intended usage of Digital Signature)
Click the "Usage Options" popup menu and select "Use for Signing"
Click Close, then Click OK.

The above steps will need to be repeated for each user account on the machine.

If you're using something other than CACKey, then you'll need to determine the path for your PKCS#11 module. If you have Firefox or Thunderbird installed, then it's the same as the one you have configured in those applications in order to use your CAC.

Once this configuration change has been made, the signature dialog box will change slightly to include a field to enter your PIN (or as Adobe calls it, "certificate password"), as shown in the screen shot below. You'll need to enter your PIN here, rather than clicking Sign and then getting the standard OS X dialog to enter your PIN.

seanb51854381

Participating Frequently

Thanks for posting such a great set of instructinos sillybaku.

But I have to parse that and call it a workaround vs a solution. Those steps are unnecessary for Safari, Chrome, Apple Mail, and all other (non-Mozilla) tools to maintain their interoperability with CACs on OSX, before and after 10.11.6.

Adobe still need to return to this with a solution to which can restore the functionality and ease of configuration & use which users have been relying on for years.

S

sillybaku

Participant

Oh, I agree with that! But at least this will get the functionality back.

robertw1340361

Participant

PLEASE help us figure this out! I have the exact same problem. After upgrading to 10.11.6 I can no longer sign documents.

M

mpoweru

Participant

Shakti,

I have used other certificates with success. This appears relegated to CAC signing so far (No real isolation performed. This is strictly deductive). I utilize an SCM3310 cac reader.

For whatever that is worth...

K

Kshakti

Adobe Employee

Hi everyone,

Please check the site MilitaryCAC's Ask your Mac specific question page and verify anything is missing in your case as suggested in the site.

Thanks,

Shakti K

M

MacMama

Participant

I too have this issue on about 200 Mac systems. I have tried all of the following and the issue is unresolved:

roll back Acrobat to previous version
reinstall CAC software (using full Centrify client)
reinstall CAC drivers (SCR3310 v2)
issuers roots and certificates are in System Keychain and trusted
issuers roots and certificates are in Adobe and trusted
unchecked "require certificate revocation checking to succeed whenever possible during signature verification" in Signature Verification Preferences
completely removed Adobe and all associate files and started with a fresh install
tried smart cards using SHA1 encryption versus SHA256 encryption

This definitely seems to be from the OS X upgrade , but any help would be greatly appreciated!

K

Kshakti

Adobe Employee

Hi,

As stated above By Alain that issue got resolved when he rolled back his syetm to MAC OS 10.11.5 .

Thanks,

Shakti K

seanb51854381

Participating Frequently

Shakti,

Surely Adobe is not meaning to advise users to roll their systems back to a known-vulnerable operating system version? As also documented by Alain and others, nearly every other application is behaving normally and appropriately under 10.11.6 - only Acrobat is giving users fits.

Seeing your second message, I'll generate and attach a sample file to this thread shortly.

We collectively appreciate yours and the team's efforts to solve this issue expeditiously - for many teams, this has resulted in a considerable work blockage which needs to be resolved soonest.

Thanks.

Sean

D

DocChilton

Participant

I've had the same issue. Doesn't matter if it's Adobe Reader or Adobe Reader DC. Seems to be an issue with 10.11.6.

For the record, I'm using a SCR331 card reader with the most recent version of CACKey as the middleware. I can still sign emails with the CAC--just can't sign a PDF.

K

Kshakti

Adobe Employee

Hi Jeffrey/Greg,

Can you please try to upgrade the CAC Reader driver using details in link MilitaryCAC's Apple / OS X 10.11 (El Capitan) Resource page and let me know if issue is resolved/still reproducible?

If you've just updated your Mac OS from 10.11.3 to 10.11.6 and your SCR 331, 3310, 3300v2, or 3500 model reader has stopped working, you may need to update the driver per https://forums.developer.apple.com/message/127598# You'll see in epeterso's 29 March reply where it has a link to the scmccid_mac_5.0.35.zip file

Thanks,

Shakti K

M

mpoweru

Participant

I too am having this issue as well. Per Shakti's write up above I attempted to do the following:

1- I have attempted the removal and reinstall of my CAC Enabler. Restart Mac; Issue Persists

2- I have installed the epeterso 29 March scmccid_mac_5.0.35 update. Restart Mac; Issue Persists

Note: The error received when attempting to sign = "credential selected for signing is invalid"

Any fix known for this issue?

As FYI: I also have a secondary system and I found this issue is resolved if I roll back my system to OS X 10.11.5; unfortunately my primary systems most recent 10.11.5 backup is too far in the past for me to roll back without a ton of work and time. I hope a fix is found soon.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded