Reader will not validate EU qualified signature after update

New Here, Dec 20, 2019


Hi all, hope you can help me!

So I have this PDF signed with an EU qualified certificate. On my Mac, Reader will confirm the validity fine, but when I made an update on one of the PCs it will not validate. It seems it won't even validate against EUTL anymore? Pic: PC efter uppdatering - läser enbart AATL.png (PC after update - reads only AATL)

The other PC is still fine, even after update. Both are about a year old and have the same settings as far as I can tell:

PC - läser EUTL och AATL.png (PC - reads EUTL and AATL)

 

What is wrong? I know the certificate is valid, why won't Reader validate against EUTL all of a sudden? 😞

TOPICS
Security digital signatures and esignatures

Views: 1.0K

Adobe Community Professional, Dec 21, 2019


Go to Edit - Preferences - Trust Manager and click both Update Now buttons.

New Here, Dec 29, 2019


Hi try67, sadly that did nothing for us.

Adobe (DC) still says it validates toward AATL only!

 

Any other ideas to solve that issue?

 

It also seems that computers using Adobe Reader before September do not have this issue, but computers that get PDFs with this certificate after September for the first time almost always get this problem.

New Here, Jan 10, 2020


Does anyone have any solution to this problem?

That Adobe Reader does not validate toward EUTL at all? (See original post for details)

New Here, Oct 11, 2020


I am experiencing the same issues on Win 10 with Acrobat Reader DC v2020.012.20048 as well with Adobe Acrobat Pro 2017 v2017.011.30175.

 

I have tried updating both AATL and EUTL without success.

 

Any other suggestions? Or could this be an issue in Acrobat?

New Here, May 25, 2021


I managed to find a workaround for this.

However this is still a bug that needs fixing by Adobe.

 

  1. Close Adobe Reader
  2. Delete addressbook.acrodata from
    C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\DC\Security
  3. Launch Adobe Reader and go to
    Edit > Preferences > Trust Manager
  4. Update the EUTL list and wait for the confirmation message.
    If you do AATL first the error in OP occurs and addressbook.acrodata needs to be deleted again.
  5. Update the AATL list.
  6. Open or refresh the signed document.
    Both the certificate and the signature are now marked as valid and the signature panel shows that the certificate is validated against both AATL and EUTL.

 

The settings in Preferences > Signatures > Verification > Windows Integration don't seem to have any impact on this. I have tried the above steps with these settings disabled and enabled and the result is the same.

 

I have tried this several times on different computers (and clean VMs). The result is always the same. If you update AATL first, Reader doesn't use EUTL to verify.

New Here, May 26, 2021


I have also reported this as a bug on the Adobe Acrobat UserVoice:

BUG: EUTL corrupted by default – Share your feedback on Acrobat DC (uservoice.com)

New Here, Aug 24, 2021


Thanks! This did help!

Explorer, Oct 05, 2021


The problem here is that the certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical.

 

When you first load EUTL, addressbook.acrodata contains:

/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/

and the signature is verified according to EUTL.

 

However, the default is to load AATL first, which results in addressbook.acrodata containing:

/Editable true/ID ..../Source[(AATL)(EUTL)]/

and the signature fails verification with "Invalid policy constraint".

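As an added example, not code from the thread or from Adobe: a small scanner that reads the addressbook.acrodata entries quoted in the post above and flags the AATL-first state, so the workaround posted on May 25, 2021 can be checked before and after reloading the lists. It assumes that each trust-store entry is a flat `<< ... >>` dictionary carrying the keys shown in the thread (/Source, /Country, /Enabled, /Editable, /ID) and that /ID is either a literal or a hex PDF string; the real file may wrap entries differently. The sample text inside the block is constructed, not a real trust store.

```python
"""Scan an Acrobat addressbook.acrodata trust store for entries loaded from
AATL before EUTL, the ordering this thread links to the failure where
Reader reports that a qualified certificate validates against AATL only.

Added example; assumptions: each entry is a flat << ... >> dictionary with
the keys quoted in the thread, and /ID is a literal (...) or hex <...> string.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# One flat dictionary per trust-store entry (assumption: no nested << >>).
DICT_RE = re.compile(r"<<(.*?)>>", re.DOTALL)
# /Source[(EUTL)(AATL)] -> the trust lists the entry was loaded from, in order.
SOURCE_RE = re.compile(r"/Source\s*\[((?:\s*\([A-Z]+\))+)\s*\]")
COUNTRY_RE = re.compile(r"/Country\s*\(([A-Z]{2})\)")
ENABLED_RE = re.compile(r"/Enabled\s+(true|false)")
# /ID may be a literal (...) or a hex <...> string; capture either (assumption).
ID_RE = re.compile(r"/ID\s*[(<]([^)>]*)[)>]")


def parse_entry(body: str) -> Optional[Dict[str, object]]:
    """Return the trust-list fields of one dictionary, or None if it has no
    /Source array (for example a certificate the user imported by hand)."""
    src = SOURCE_RE.search(body)
    if src is None:
        return None
    country = COUNTRY_RE.search(body)
    enabled = ENABLED_RE.search(body)
    ident = ID_RE.search(body)
    return {
        "id": ident.group(1).strip() if ident else None,
        "sources": re.findall(r"\(([A-Z]+)\)", src.group(1)),
        "country": country.group(1) if country else None,
        "enabled": (enabled.group(1) == "true") if enabled else None,
    }


def diagnose(entry: Dict[str, object]) -> List[str]:
    """Flag the symptoms the thread associates with 'validates against AATL only'."""
    problems: List[str] = []
    sources = entry["sources"]
    dual = "AATL" in sources and "EUTL" in sources
    if dual and sources[0] == "AATL":
        problems.append("AATL loaded before EUTL (workaround: reload EUTL first)")
    if "EUTL" in sources and entry["country"] is None:
        problems.append("EUTL-registered entry has no /Country")
    if "EUTL" in sources and entry["enabled"] is None:
        problems.append("EUTL-registered entry has no /Enabled flag")
    return problems


def scan(text: str) -> List[Dict[str, object]]:
    """Parse every trust-list entry in the store text and attach its problems."""
    findings = []
    for m in DICT_RE.finditer(text):
        entry = parse_entry(m.group(1))
        if entry is None:
            continue
        entry["problems"] = diagnose(entry)
        findings.append(entry)
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a store on disk, e.g. %APPDATA%\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata."""
    return scan(Path(path).read_text(encoding="latin-1", errors="replace"))


# Constructed sample: one entry in the healthy EUTL-first state quoted in the
# thread, one in the AATL-first state, and one unrelated manually trusted cert.
SAMPLE = """
<< /Country(CZ) /Editable true /Enabled true /ID(sample-entry-1)
   /Source[(EUTL)(AATL)] >>
<< /Editable true /ID<73616d706c652d32> /Source[(AATL)(EUTL)] >>
<< /Editable true /ID(sample-entry-3) /Trust 6 >>
"""

if __name__ == "__main__":
    for e in scan(SAMPLE):
        state = "OK" if not e["problems"] else "; ".join(e["problems"])
        print(f"{e['id']}: sources={e['sources']} -> {state}")
```

Run it against the live file with `scan_file(...)` after closing Reader; an entry whose sources start with AATL is the state the workaround clears by deleting the store and reloading EUTL before AATL.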
New Here, Oct 05, 2021


I see! So, who did something wrong? Is it Adobe or the TSP who manages the registrations in AATL?

Explorer, Oct 06, 2021


I think the same TSP should not be registered in both AATL and EUTL, this is useless. Out of 1220 TSPs in EUTL, only 9 have a duplicate registration also in AATL: 5 from Italy, 2 from France and 2 from the Czech Republic. This is probably some historical relic.

 

I'd recommend contacting I.CA and notifying them about this problem.

 

 

New Here, Oct 06, 2021


Thank you so much, I will do that!

Engaged, Oct 06, 2021


Well, there might be reasons for registering via both TLs as it is conceivable that in some environments Acrobat is configured to work with only one of those lists.

But even in that case it should work if one keeps the registration identical on both lists...

Explorer, Oct 08, 2021


According to this:

 

https://community.adobe.com/t5/acrobat-discussions/previously-valid-signing-certificate-shows-invali... 

 

AATL now requires specific policies to be set on root certificates, but this is not compatible with EU requirements based on eIDAS regulation.

 

So it seems the solution is indeed to remove "I.CA Qualified 2 CA/RSA 02/2016" from AATL and keep it only on EUTL.

 

Engaged, Oct 11, 2021


Quote: "So it seems the solution is indeed to remove "I.CA Qualified 2 CA/RSA 02/2016" from AATL and keep it only on EUTL."

 

Indeed.

Essentially this is an Adobe Acrobat bug: If you have two trust lists, it has to suffice to be able to establish trust via one of them.

As Adobe has not gotten around to fix this bug for more than two years, they appear not to be interested in fixing it at all.

So this is one more reason not to trust Adobe Acrobat validation results, in particular in the context of eIDAS.
