Participating Frequently
October 22, 2021
Question

Digital Signature. document changed, invalid signature.

  • October 22, 2021
  • 1 reply
  • 19821 views

Hi, I have a problem when I digitally sign a document in Reader.

Reader states that "the document has changed after signing" but no changes have been made.

I use Reader DC 2021 007 20091 and Windows 10 20H2.

 

Why does Reader say so and state that the signature is invalid?

1 reply

Amal.
Legend
October 22, 2021

Hi there

 

Hope you are doing well and sorry for the trouble. As described, when I digitally sign a document in Reader, Reader states that "the document has changed after signing".

 

Is this a behavior with a particular PDF file or with all the PDFs that you digitally sign? Please try with a different PDF file and check. If the file is stored on a shared network drive, please download it to your computer first and try signing it and check.

 

You may also try to sign the PDF file online via Document Cloud https://documentcloud.adobe.com/link/home/ and see if that helps.

 

Regards

Amal

Participating Frequently
October 22, 2021

Hi Amal,
It does not matter if the document is stored locally on my computer or on a network device, I get the same problem with Adobe saying that the document has been modified, with the result that the signature is invalid.
I did not test to sign online because it is not an alternative for me.
I have seen some posts from 2017 about SHA1 and SHA256 and if I change the Windows registry so that Adobe will use SHA1, I will not get the error that the document has been changed.
So what is it that makes Adobe think the document has changed if I use SHA256?
MikelKlink
Participating Frequently
October 25, 2021

Hi,

I enclose a document with a signature in Reader where my signature is invalid because the document has been changed or damaged since the signature.
But as you can see, the document contains only my signature.

I have also investigated the problem with SHA 256 and come to the conclusion that my laptop is new so it should be able to read my smartcard, HP Elitebook 840 G6, I also have the latest drive routine for Smartcard.
My smartcard, the client for smartcard and the issuer of the certificate handles SHA256 and if I look at the certificate and the signature, it is made with SHA256.

I have configured Reader to trust publishers that are configured in Windows and I have also tried to configure the publishers directly in Reader, but get the same error.


 Ok, I have checked the signature.

 In the embedded signature container there are two hash values. That is, there are two hash values that are relevant here; there also are numerous others.

 The first of these hash values is the hash value of the surrounding PDF document. That hash value is correct. Thus, there in particular are no changes to the document at all.

 Now this hash value together with some other important data constitute the "signed attributes". So what actually is signed is this set of attributes. For signing, the hash algorithm and the hash value of these attributes are encrypted using the private key of your keypair, to be verifiable via decryption using the public key.

 And this second hash value is incorrect in your document!

 I don't know whether during signing Adobe Reader calculates the hash value and forwards only the hash or whether it forwards the whole set of attributes to be hashed by the driver or device, but apparently either during the forwarding or during the hashing an error occurs, so the wrong hash value is signed.

 

 One thing that is noticeable in your signature is that the signed attributes are gigantic; there are about 1.5 MB of them! So maybe some part of the signature generation process (be it Adobe Reader or your card driver or card) is not built for that amount of data.

 Except for a handful of bytes, these signed attributes are taken up by a single embedded CRL. Thus, I'd propose you switch off embedding of validation information for a test and sign again. The result file should be much smaller, by about 3 MB. If that works, chances are that either indeed some part of the signing process is not up to signing such a large set of signed attributes or that there is a formatting error in the CRL.
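
The two hash checks described in the answer above, as an added example that is not part of the original thread: it checks the document hash (the messageDigest attribute against the ByteRange bytes) separately from the signed-attributes hash (what the RSA signature actually covers), so a validator can tell "document edited" from "wrong attribute hash signed". The toy RSA key, the stand-in PDF bytes, the minimal signedAttrs layout (SHA-256, PKCS#1 v1.5) and all function names are assumptions constructed for illustration.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes), stdlib only; not a secure key.
N, E = (2**521 - 1) * (2**607 - 1), 65537
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
K = (N.bit_length() + 7) // 8
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix
MD_OID = bytes.fromhex("06092a864886f70d010904")  # id-messageDigest
CONTENT_TYPE = bytes.fromhex("301806092a864886f70d010903310b06092a864886f70d010701")

# Constructed stand-in for a PDF: the /Contents hole is excluded by the ByteRange.
HEAD, HOLE, TAIL = b"%PDF-1.7 (constructed) /Contents ", b"<" + b"0" * 16 + b">", b" %%EOF"
PDF = HEAD + HOLE + TAIL
BYTE_RANGE = (0, len(HEAD), len(HEAD) + len(HOLE), len(TAIL))

def sha256(data):
    return hashlib.sha256(data).digest()

def signed_bytes(pdf, br):
    return pdf[br[0]:br[0] + br[1]] + pdf[br[2]:br[2] + br[3]]

def emsa(digest):
    """PKCS#1 v1.5 encoding of a SHA-256 digest, as an integer."""
    t = DIGEST_INFO + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def sign(pdf, br, hash_attrs=sha256):
    """Signer side; hash_attrs lets the caller model a faulty hashing step."""
    body = CONTENT_TYPE + b"\x30\x2f" + MD_OID + b"\x31\x22\x04\x20" + sha256(signed_bytes(pdf, br))
    attrs = b"\xa0" + bytes([len(body)]) + body  # signedAttrs as stored: [0] IMPLICIT
    return attrs, pow(emsa(hash_attrs(b"\x31" + attrs[1:])), D, N)

def diagnose(pdf, br, attrs, sig):
    """Return (document_hash_ok, signed_attributes_hash_ok)."""
    i = attrs.index(MD_OID) + len(MD_OID) + 4  # skip SET and OCTET STRING headers
    doc_ok = attrs[i:i + 32] == sha256(signed_bytes(pdf, br))
    # Stored with tag 0xA0, but hashed with the SET OF tag 0x31 (RFC 5652, 5.4).
    attrs_ok = pow(sig, E, N) == emsa(sha256(b"\x31" + attrs[1:]))
    return doc_ok, attrs_ok

def demo():
    good = diagnose(PDF, BYTE_RANGE, *sign(PDF, BYTE_RANGE))
    # Stand-in for the unidentified fault: the wrong attribute hash gets signed.
    faulty = diagnose(PDF, BYTE_RANGE, *sign(PDF, BYTE_RANGE, lambda b: sha256(b"wrong")))
    edited = diagnose(PDF.replace(b"%%EOF", b"%%EOf"), BYTE_RANGE, *sign(PDF, BYTE_RANGE))
    return good, faulty, edited

if __name__ == "__main__":
    print(demo())
```

The `faulty` case reproduces the pattern reported in the thread: the document hash matches while the signed-attributes hash does not, which a viewer may still report as a changed or damaged document.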