Dears,
i am new to this, but i have successfully created and signed PDF document in macOS and Adobe Acrobat PRO. I have even added my digital eSignature (based on official paid certificate).
However i have some real issues with it:
- first, when i view the PDF document throught ADOBE Acrobat PRO, it shows that its "signed and all signatures are valid." But when opened via standard macOS preview app, then there is no information about signature and i can even delete the signature object
- second, when i sent the PDF (signed and protected) over an email to my self again and open it up, the protection is removed and signature shows just as picture object without saying its esignature.
Any ideas?
here is PDF security preference before
and here is picture of PDF security preference after sending it over an email to myself again
Also i ticked the checkbox that i want to lock the document during eSigning. But i tried even to protect the PDF against changes after eSigning, but Adobe wont let it happen because the document is eSigned..
Any idea?
I followed the solution guides how to setup the certificates but i can not make it secure. I have even downloaded the Adobe Acrobat PRO (paid one), no luck
Kind Regards,
Martin
7
Replies
- second, when i sent the PDF (signed and protected) over an email to my self again and open it up, the protection is removed and signature shows just as picture object without saying its esignature.
Can you share a copy of the document both before sending and after retrieving?
Your description sounds like during transmission the signature form field had been flattened (and so all functionality except the appearance the was gone).
- first, when i view the PDF document throught ADOBE Acrobat PRO, it shows that its "signed and all signatures are valid." But when opened via standard macOS preview app, then there is no information about signature and i can even delete the signature object
Please don't see the signature as a means to prevent changes. It is not. It is a means to detect changes.
i think i solved the first point,
Just after answering I saw your message that you had solved your first issue. I merely was too lazy then to edit my answer. 😉
in your answer you mean that Apple`s preview app can rewrite (change) the PDF? I thought that PDF is secured against changes...
A PDF signature does not prevent changes to be applied to a document. It merely allows to detect them.
A PDF signature contains the information which byte ranges of the PDF file are signed and (implicitly or explicitly) a hash value of the bytes in those byte ranges. (Commonly only byte ranges are accepted covering the whole PDF revision created by the signer except the signature value itself.) These information are cryptographically secured using the private key of the signer which can be checked using the associated public key.
Nothing in this structure prevents a program to change the PDF.
But a recipient expecting the signed PDF can test
- whether the expected signature is there; otherwise, someone has removed it;
- whether the signature is from the expected signer by inspecting the cryptographic properties of the signature; otherwise someone manipulated the document and replaced the signature;
- whether the hash value in the signature matches the actual hash value of the signed byte ranges; otherwise someone has manipulated the signed byte ranges;
- whether the signed byte ranges cover the whole signed revision except the signature value; otherwise someone might have manipulated unsigned parts;
- whether there are no additions added after the signed revision with newer revisions; otherwise someone has added content.
(Depending on the kind of signatures applied, specific added content in newer revisions may be considered allowed; this is used for e.g. for forms to allow fill-ins and additional signatures after the first signature.)
Adobe Acrobat executes these checks on signed PDFs. Many previewers don't. On the other hand there are web services for checking PDF signatures, e.g. the European Commission DSS Demonstration WebApp .
not sure if you were explaining me the overall theory about PDF eSignature what it does OR you have explained it regarding the test example i have sent you
The explanation there was quite generic, a very short description of what a validator does when validating a PDF signature.
I love technicalities but right now i iam trying to figure out , if my file is 100% correctly signed
Well, here it already starts to get complicated. To know whether it is 100% correctly signed, one has to decide what way of signing is 100% correct.
For example, if you want to be sure that your PDF signature is recognised by public sector bodies in the EU, it should follow the requirements for PAdES BASELINE signatures. If you need it to be recognized in the US health sector, the technical requirements may differ substantially, using PAdES signatures may be a hindrance there.
The signature in your file is a regular PDF signature as commonly created by Adobe Acrobat. It is not a PAdES BASELINE signature, though. What kind of signatures you need, depends strongly on your signing use cases.
If you want to create PAdES BASELINE signatures in Adobe Acrobat, you can start by going into the Preferences (Category Signatures, Creation and Appearance Preferences, Default Signing Format) and select "CAdES-Equivalent". This should allow you to create PAdES BASELINE-B signatures. If you additionally configure a time stamp server, creating PAdES BASELINE-T signatrues should also be trivial. For BASELINE-LT and BASELINE-LTA, you'd need additional steps.
after my very quick check there are sseveral yellow lines
Well, the Qualification Details warnings both refer to your X.509 certificate, not the specific PAdES signature, the certificate apparently does not indicate that the associated private key is on a Qualified Signature Creation Device (like a smart card). Depending on what you sign and who will be the recipient of the signed document, that might be required, though.
The AdES Validation Details warning refers to a requirement for PAdES signatures.
The referenced web service is configured to not insist on PAdES BASELINE but to also accept the Adobe Acrobat default signatures. The recognized format is PKCS7-B: Not PAdES BASELINE, but similar to PAdES BASELINE-B if one ignores two or three characteristics making the difference between PAdES and non-PAdES.
Essentially you first need to find out what kind of signatures your recipient requires, then you can make dedicated checks.
AdChoices