Adobe Acrobat when doing a signature which invalidates previous signature

New Here ,
Mar 23, 2022 Mar 23, 2022

Copy link to clipboard

Copied

Hi, I have a problem when I digitally sign a document that has signed once in Acrobat Acrobat states that previous signature "the document has changed after signing" but no changes have been made and the current signature is valid Why does Reader say so and state that the previous signature is invalid?

TOPICS
Security digital signatures and esignatures

Views

256

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 24, 2022 Mar 24, 2022

Copy link to clipboard

Copied

Can you share an example twice-signed PDF for analysis?

And can you clarify how you sign? Your question can be interpreted to only imply that you use Adobe Acrobat to validate the signature, the signature may have been created using a different software.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 24, 2022 Mar 24, 2022

Copy link to clipboard

Copied

237286667dqy_0-1648189878721.png

As shown above,The part above the line marked with Rev1 is revision 1 of the document.When signing the document with a second signature, the program don’t change any of the bytes of revision 1. We add additional content (provided that the first signature allows this content), and
we create a new signature. This new signature is based on a message digest that includes the entire byte array of revision 1. The result is revision 2. When signing the document with a third signature,the bytes of revision 2 are preserved.

Note:the signature contents format is PKCS7.

The previous signature pdf is in below attachment and you can sign this file secondly.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 25, 2022 Mar 25, 2022

Copy link to clipboard

Copied

The issue is essentially the same as in this thread (you'll also find some references to stack overflow answers for similar issues there). Merely in that case the error was added with the first signature and in your case it was added before the first signature.

 

The cause of this issue is an error in the cross reference table of the first revision of the document. PDF viewers in general ignore or repair a lot of minor errors, so no viewer warns about it. Adobe Acrobat also ignores it. Usually that is. Except when checking for a signature (except the final signature of the document) whether there are any disallowed later changes, in that case that error results in such a validation failure.

 

In detail:

At the end of each revision of a PDF there is a cross reference table or stream mapping object numbers to their respective position in the file. According to the PDF specification the cross reference of the initial revision must not be segmented. Furthermore, there must be a mapping for every object number from 0 to Size-1.

In case of your document, though, it is segmented:

xref
0 2
0000000000 65535 f
0000000017 00000 n
4 46
0000000124 00000 n
[...]
0000144732 00000 n
51 15
0000144824 00000 n
[...]
0000280018 00000 n
67 18
0000280272 00000 n
[...]
0000415611 00000 n
86 29
0000415637 00000 n
[...]
0000578855 00000 n
116 15
0000578882 00000 n
[...]
0000713877 00000 n
132 34
0000714132 00000 n
[...]
0000853009 00000 n
167 70
0000853235 00000 n
[...]
0001003374 00000 n

Also there are no mappings for object numbers 2, 3, 50, 66, 85, 115, 131, and 166.

 

Thus, you should ask the source of your documents to provide PDFs without such errors for signing.

 

If you also were responsible for the first signature, you could repair the original PDF. But as you are only responsible for the second one, the error is burnt into the PDF.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 27, 2022 Mar 27, 2022

Copy link to clipboard

Copied

Yeah!Your analysis enlighten me,But i have two questions:
①Why does the final signature validate check was successful expect for others!

②I have analogous problems that pdf cross-reference is consecutively.And what cause of this issue?The attachment see below.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 27, 2022 Mar 27, 2022

Copy link to clipboard

Copied

Yeah!Your analysis does make sense for me,but i have two questions:
1.why does the final signature check validate successfully other than previous signature?

2.I have a pdf document with consecutive cross-reference and result is similar to this case.the attachment see below!

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

quote

1.why does the final signature check validate successfully other than previous signature?

The problem occurs when Acrobat checks whether incremental updates after the signed revision contain disallowed changes. But there are no incremental updates after the final signature in your document. Thus, Acrobat does not execute that check for that final signature and, therefore, does not stumble there.

quote

2.I have a pdf document with consecutive cross-reference and result is similar to this case.the attachment see below!

The cross reference problem identified in your original document is very often the cause of these troubles but not always, other details may also trigger it.

I'll take a look at your attachment and try to identify the cause. (I cannot promise anything, though, the Adobe Acrobat algorithms used here are proprietary and closed source after all...)

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

Thanks for your support!And i can't wait for your analysis about this question!

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

Concerning your new attachment: It has a broken AcroForm structure. Page 1 references numerous form field widgets with merged-in form fields but the Fields array in the AcroForm object is empty (in the original revision) or only contains signature fields (in the signed revisions).

Adobe Acrobat repairs this in its internal representation of the document when loading the PDF. The check for disallowed changes in incremental updates after a signature reacts strongly to such repairs...

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

So how can we avoid this case in signature process?It takes account of law affair。

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

Well, as mentioned, the test for disallowed changes in incremental updates is proprietary and closed source. Furthermore, I would assume that the influence of error corrections in the PDF loading process on this test result is accidental, an unplanned side-effect. As such, these influences surely are subject to change without notification.

 

Thus, you cannot effectively avoid such cases in the signing process.

 

(There is an ETSI group working on revised rules on allowed and disallowed changes that allow standardized tests. Unfortunately, though, they decided to use Adobe's algorithm as a starting point, but Adobe did not get around for over a year to provide information on that algorithm; probably the ETSI group is waiting still. So I would not hold my breath waiting for these revised rules and implementations thereof...)

 

As an aside, though, using Adobe as validation tool to take account of law affairs in my eyes is a bad idea: Adobe's validation is too much a one-size-fits-all approach which in particular ignores lots of errors in signatures themselves. It usually can be used to get a first impression on validity but errs often in either direction.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Mar 24, 2022 Mar 24, 2022

Copy link to clipboard

Copied

Hi there

 

++ Adding to the discussion

 

Once the PDF is signed and the signature process is complete, the PDF gets locked for further editing. Even adding new signatures is not allowed. If somehow you sign the already signed PDF it will eventually invalidate the previous signature.

 

Hope this information will help.

 

Regards

Amal

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 24, 2022 Mar 24, 2022

Copy link to clipboard

Copied

Yeah.once the PDF is signed,the PDF gets locked for further editing.

below figure shows the previous signature pdf document properties:

237286667dqy_0-1648191335270.png

The program sign the other PDF document sequentiallly cannot invalidate the previous signature but expect for this document.

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Mar 25, 2022 Mar 25, 2022

Copy link to clipboard

Copied

quote

Once the PDF is signed and the signature process is complete, the PDF gets locked for further editing. Even adding new signatures is not allowed. If somehow you sign the already signed PDF it will eventually invalidate the previous signature.

 

This is not correct, at least not in this generality.

 

When Adobe Acrobat 9 was introduced, Acrobat validation policies changed considerably to nearly what we have today. Before that nearly any change in an incremental update was accepted and merely warned or informed about. Since then, though, only a very limited set of changes has been allowed, see this stack overflow answer with references. At the start adding new signature fields in particular was forbidden for PDFs which already were signed with a certification signature but allowed for signatures only signed with an approval signature.

Meanwhile this has changed a bit, now adding signature fields is allowed even for PDFs with certification signatures unless they are certified with no-changes-allowed.

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Mar 28, 2022 Mar 28, 2022

Copy link to clipboard

Copied

LATEST

Hi there

 

We are sorry for the trouble. You may share your request/feedback to the engineering team using the link https://www.adobe.com/products/wishform.html

 

Regards

Amal

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines