I'm using Acrobat Reader DC for digital signature. Signature format CAdES equivalent. I have also activated the option for automatically adding verification information when the PDF is saved. I am also using external timestamps.
When I create a digital signature with my certificate, it is displayed as verified. Now I save the document and open it again. The advanced properties dialog of the signatures says that it is a PAdES B-T signature. Shouldn't it be a PAdES B-LT signature if the verification information is saved with PDF?
Now I can manually add the verification information via the context menu of the signatures in the bar to the left of the document. Now the signature is PAdES B-LT.
Why isn't the signature immediately and without manual interaction PAdES B-LT if the corresponding option to add verification information when saving activated?
You are aware that there are different profiles for embedded digital signatures in PDFs, the good ol' ISO 32000-1 interoperable signatures and the ETSI EN 319 142 / ISO 32000-2 PAdES signatures. Both profiles allow validation related information (VRI) to be stored in the signed PDF for validators to use during signature validation. But the profiles differ in details, in particular where and when such information are to be stored:
In case of ISO 32000-1 interoperable signatures that information is stored in a signed attribute in the embedded CMS signature container. As it's a signed attribute, the information must already be present before signing to be embedded.
In case of PAdES, in particular PAdES BASELINE signatures, such information must be embedded in an incremental update of the signed document, i.e. after signing.
Most likely "the option for automatically adding verification information when the PDF is saved" refers to the former profile and the adding of VRI in a signed attribute. For a signature to be consideredPAdES B(ASELINE)-LT, though, the VRI must be present as specified for the latter profile. Adobe Acrobat as a validator accepts VRI according to either profile, even a mixture thereof, but (if I remember correctly) it only declares a signature PAdES B-LT if the VRI are present according to the latter profile.
Option "Automatically add verification information when saving signed PDF document" works only for previous signatures, i.e. if you're the second or third person signing the same document, this option will add VRI data for all previous signatures, but not for the last signature (yours). Thus it's better to turn it off, since it doesn't help for documents signed by single person and produces mixed results for documents signed by multiple persons.
To be PAdES compliant, it's also necessary to turn off option "Include signature's revocation status" as this adds Adobe-proprietary revocation data not compliant with PAdES - see