Reader will not validate EU qualified signature after update

The problem here is, that certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical.

When you first load EUTL, addressbook.acrodata contains:

/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/

and the signature is verified according to EUTL.

However, the default is to load AATL first, which results in addressbook.acrodata containing:

/Editable true/ID ..../Source[(AATL)(EUTL)]/

and the signature fails verification with Invalid policy constraint

I managed to find a workaround for this.

However this is still a bug that needs fixing by Adobe.

1. Close Adobe Reader
2. Delete addressbook.acrodata from
   C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\DC\Security
3. Launch Adobe Reader and go to
   Edit > Preferences > Trust Manager
4. Update the EUTL list and wait for the confirmation message.
   If you do AATL first the error in OP occurs and addressbook.acrodata needs to be deleted again.
5. Update the AATL list.
6. Open or refresh the signed document.
   Both the certificate and the signature is now marked as valid and the signature panel shows that the certificate is validated against both AATL and EUTL.

The settings in Preferences > Signatures > Verification > Windows Integration doesn't seem to have any impact on this. I have tried the above steps with these settings disabled and enabled and the result is the same.

I have tried this several times on different computers(and clean VMs). The result is always the same. If you update AATL first Reader doesnt use EUTL to verify.

Go to Edit - Preferences - Trust Manager and click both Update Now buttons.