Unexpected byte range values defining scope of signed data

Report · Dec 24, 2024

In the attached file, after adding an annotation with Acrobat, the last signature is verified as valid

However, after saving and reopening.

While tried to validate this error message displayed:

Error during signature verification.

Unexpected byte range values defining scope of signed data.
Details: The signature byte range is invalid

I get this error for adobe Acrobate pro 2024.005.20320

Report · Jan 06, 2025

I had another look at your file, and I think I found the cause of the issue: In the final revision of test.pdf (the revision with the troublesome signature) all stream Length entries are incorrect, in some cases they even claim stream lengths that would make the stream exceed the end of the file.

I added an annotation with Acrobat and then fixed the stream Length entries in a hex editor; now Acrobat shows "Document has been altered or corrupted since it was signed" - yes, of course, my changes did alter the document bytes. To compare with that I applied some arbitrary but harmless changes after adding an annotation; in this case, even though the hash of the signed bytes also was changed, Acrobat continues showing "The signature byte range is invalid". Thus, fixing the stream lengths makes a difference!

Effectively those streams with the incorrect Length entries are broken, so your test.pdf document (and all similarly signed documents) will show that error in Acrobat after adding an incremental update.

View solution in original post

Report · Dec 24, 2024

I think this should be a bug from Adobe, but I don't understand why this file has a problem. Moreover, it's fine when validated immediately after addition. The problem only arises after saving, then it shows as invalid.

Report · Dec 25, 2024

This may also indicate an issue of the PDF itself, making Acrobat to repair that issue in memory and so changing the signed data.

I'm only on a smart phone now and, therefore, cannot analyze the file. I'll take a look later this week.

Report · Dec 25, 2024

Thank you... I also feel that there should be a problem with the PDF itself, but I have tried to look at the cross-reference stream and the data inside, and found nothing suspicious. What is puzzling is that if I don't add new increments, Adobe thinks there is no problem.

Report · Dec 27, 2024

I started analyzing the issue. There are some minor issues in the file, but I couldn't clearly reduce the issue to then.

Merely, when removing the revision with the last signature and applying a new one with some signing software I have here, the issue does not occur anymore. Thus, the issue is clearly rooted in that final file revision. But it can be anything, some property of the signature itself or some structure element completely unrelated to the actual signature in that revision.

I'll take another look next year.

Report · Dec 30, 2024

I've also made some explorations, such as trying to look into the data in the cross-reference stream of the last incremental update, aiming to find the root of the problem. Initially, I suspected the issue might be due to a cross-reference stream error, but unfortunately, I couldn't find any suspicious points when parsing the cross-reference stream with iText。

Thank you for your analysis of the issue, I'm really looking forward to definitively identifying what caused it. Thanks again

Report · Jan 06, 2025

I had another look at your file, and I think I found the cause of the issue: In the final revision of test.pdf (the revision with the troublesome signature) all stream Length entries are incorrect, in some cases they even claim stream lengths that would make the stream exceed the end of the file.

I added an annotation with Acrobat and then fixed the stream Length entries in a hex editor; now Acrobat shows "Document has been altered or corrupted since it was signed" - yes, of course, my changes did alter the document bytes. To compare with that I applied some arbitrary but harmless changes after adding an annotation; in this case, even though the hash of the signed bytes also was changed, Acrobat continues showing "The signature byte range is invalid". Thus, fixing the stream lengths makes a difference!

Effectively those streams with the incorrect Length entries are broken, so your test.pdf document (and all similarly signed documents) will show that error in Acrobat after adding an incremental update.

Report · Jan 06, 2025

Thank you very much. I will try to make changes and see the effect

Report · Feb 16, 2025

Hello,

I would like to share some information regarding this issue.

I am a developer working on e-signature applications, and my applications, which have been running without any issues for a long time, suddenly started throwing errors.

It took a while to understand the root cause because, while all other applications recognized the signatures as valid, Adobe Reader/Acrobat marked all signatures after the first one as invalid and only considered the last signature as valid.

After extensive trial and error, I discovered that this issue occurs when a PDF is generated by merging multiple documents and at least one of those documents contains a comment or annotation.

Once I identified the problem, the only workaround I could find was to open the affected PDF (where signatures are shown as invalid), add a comment to a page, and then cancel it without filling it. Doing so prompts Adobe to revalidate the signatures, after which all signatures appear as valid. However, you must first manually click the Validate button for this to take effect.

I believe this is a bug.

Attached images (error_1, 2, 3, 4, 5)

Report · Feb 17, 2025

I would like to share some information regarding this issue.

In which way does your observation do so? The question was about a specific PDF after all which was not a merge...

Unexpected byte range values defining scope of signed data

Photos