Participant

Answered

Comment causes signature validation failure

Forum|Forum|9 years ago
September 27, 2016
4 replies
2108 views

Hi all,

I am writing a C++ signature library which works fine so far, what means that Adobe Reader 2015.017.20053 shows the signature toolbar, including the green sign and "Signed and all signatures are valid".

Now, I add a comment line to the document before signing it with my library.

The signing algorithm and calculation of input data for the signature calculation stays as-is (so the comment is included in that data).

The comment breaks the signature verification, because now Adobe reader says "At least one signature is invalid", and in the signature panel it says "There are errors in the formatting or information contained in this signature (The signature byte range is invalid)".

Is there a special rule how to handle comments in signature calculation?

Or does Adobe reader verify those documents differently? Is there maybe a bug?

This topic has been closed for replies.

Correct answer Test Screen Name

Aha! The insertion of comments between the startxref lines and %%EOF is specifically forbidden by a very specific rule that describes exactly what the two lines before %%EOF must be (see the Syntax > File Structure > File Trailer section of the spec). Of course not all readers will verify that this is done exactly right.

T

Test Screen Name

Legend

Years ago, Acrobat would detect and report certain kinds of error from which it could recover (like bad page streams). For some reason, it now just stops processing the page with no error message at all, perhaps showing partial content. I don't like that. Certainly, Acrobat isn't any kind of validator (except, of course, of signatures).

T

Test Screen NameCorrect answer

Legend

Aha! The insertion of comments between the startxref lines and %%EOF is specifically forbidden by a very specific rule that describes exactly what the two lines before %%EOF must be (see the Syntax > File Structure > File Trailer section of the spec). Of course not all readers will verify that this is done exactly right.

A

alex_schmidAuthor

Participant

You´re great!

Placing the comment BEFORE the trailer block did the trick. Now Adobe reader reports 'signature valid' again.

It´s a pity that Adobe reader does not tell the user that there is a violation of the PDF standard when it is confronted with the comment before the %%EOF mark...

I will do a try-out to see whether it also works when I insert the comment e.g. at the beginning of the document or inside an object.

T

Test Screen Name

Legend

1. The key thing would be to ensure that the file does NOT need to be repaired. Open it in Acrobat (NOT READER). Immediately close. If there is a save prompt, it needed repairing. However, I suggest this test on the file you present for signing - the unsigned file as well as on the signed file. If the file needs repairing, the repair will invalidate all the hashes.

2. This worries me. It does not sound viable, even though I know comments are permitted in the standard. Normally I'd just say it isn't viable because any editing tool may delete them - even a Save as will do so. But, coupled with the signature, that's detectable. Just seems unsafe to do that rather than use the object tree in the approved way.

A

alex_schmidAuthor

Participant

I opened both documents with Adobe Acrobat X and there´s no save prompt when immediately closing them.
So I suppose the files are OK.
Well, I currently have to fulful a requirement which explicitly requires the usage of comments. So I cannot choose a different solution.
On the other hand, comments are part of the standard so why should using them break something.
I have the suspicion that comments may be handled differently on signature validation than other parts of the document.
For example, chapter 7.2.3 of the PDF standard v.1.7 says:
'A conforming reader shall ignore comments, and treat them as single white-space characters'
So maybe the reader uses a whitespace instead of the comment for signature validation?
Unfortunately, there´s no documentation on this topic which would either approve or disapprove this suspicion.
Do you have any knowledge about how validation, especially of comments, works?
Are you aware of any tracing/debug output that can be enabled in Acrobat or Adobe Reader that will reveal more detailed info why it thinks the signature is invalid?

T

Test Screen Name

Legend

Have you confirmed that the commented PDF is error free? What technique do you use to add the comment?

A

alex_schmidAuthor

Participant

Hi TestScreenName,

thanks for your quick response. About your questions:

How could I confirm that the commented PDF is error free?
At least, it´s displayed by Adobe Reader without further comments/warnings (except that its signature is invalid).
About the technique:
I let my library print the PDF document to a temporary buffer
Then the comment is inserted into this buffer (before the %%EOF mark). The comment is about 90 chars long, one line, delimited by the newline character
The signature is calculated afterwards over the temporary buffer.
This mechanism works fine when I do not add the comment line.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded