Skip to main content
M
Muddassir Awan
Participating Frequently
November 24, 2021
Question

PAdES LTA signature got invalid with document lock dictionary

  • November 24, 2021
  • 1 reply
  • 971 views

Hi,

I am facing an issue that PAdES-LTA signature gets invalid when document locking dictionary is embedded in the document:

PdfSigFieldLock pdfSigFieldLock = new PdfSigFieldLock();
 pdfSigFieldLock.SetDocumentPermissions(PdfSigFieldLock.LockPermissions.NO_CHANGES_ALLOWED);
 string[] fieldToLock = new string[] { signingRequest.FieldName };
 pdfSigFieldLock.SetFieldLock(PdfSigFieldLock.LockAction.INCLUDE, fieldToLock);
 pdfSigner.SetFieldLockDict(pdfSigFieldLock);

I found the answer that this bug is at Acrobat's end:
https://stackoverflow.com/questions/66421091/signature-with-document-locking-gets-invalid-in-case-of-pades-part-4/66422552#66422552

Could any one comment any suggested solution or have information that is this issue is fixed at Adobe end or not.
Regards,
Muddassir Awan

 

1 reply

MikelKlink
MikelKlink
Participating Frequently
November 24, 2021

Please be aware that you compare slightly different mechanisms.

 

The stack overflow answer you link to refers to a PDFBox issue where Leonard Rosenthol of Adobe confirmed that

  • incremental updates with only validation related information in a DSS and document time stamps may be added to a PDF even if it's certified (DocMDP transform) with no-changes-allowed, that
  • it is a bug that Adobe Acrobat reports such additions as invalidating the certification signature, and that
  • this bug shall be fixed eventually.

 

In contrast to this you change permissions to no-changes-allowed using a signature field Lock dictionary. Unfortunately these two mechanisms are specified individually, and the latter mechanism specification does not include an exception for DSS and document timestamps.

 

Thus, by the letter of the specification it is impossible to extend a signature to LT or LTA if that signature locked a document to no-changes-allowed using the Lock dictionary mechanism.

 

The intent might have been different here. I'll create an issue for clarification on the PDF association pdf-issues project.

----

PS: The request for clarification is at https://github.com/pdf-association/pdf-issues/issues/131

MikelKlink
MikelKlink
Participating Frequently
December 5, 2021

The intent might have been different here. I'll create an issue for clarification on the PDF association pdf-issues project.

----

PS: The request for clarification is at https://github.com/pdf-association/pdf-issues/issues/131

 

The powers that be meanwhile have confirmed in the linked issue that both variants of no-changes-allowed shall be interpreted identically. In particular no-changes-allowed shall not forbid DSS and DTS updates.

 

Thus, to return to your original question

quote
Could any one comment any suggested solution or have information that is this issue is fixed at Adobe end or not.

 

Your use case is valid and Adobe Acrobat is in error.

Considering, though, that Leonard Rosenthol logged that bug at Adobe more than a year ago and it still isn't fixed, an impression is conveyed that Adobe does not prioritize the correctness of the Acrobat signature validation results in any way. Consequentially you should recommend your clients/users to mistrust Acrobat signature validation results and use alternative validators.

 

M
Muddassir AwanAuthor
Participating Frequently
August 7, 2025

Hello @MikelKlink 

Could you please assist us with this ongoing issue in Adobe? Is Adobe considering this an expected behavior, or is this bug still pending a fix? I looked through the community but couldn't find a clear explanation.

Could you provide us with guidance on this matter as we continue to encounter this issue in Adobe? Is Adobe treating this as an accepted behavior, or is this bug still awaiting resolution? I have searched the community but was unable to find a satisfactory explanation.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices