
10.11.6 CAC signing not working with 11.0.17 Acrobat

New Here ,
Jul 20, 2016

I have verified that I can sign on a 10.11.5 Mac, but when the OS is updated to 10.11.6 with the same Acrobat installation, signing fails. The certificates show as valid and are used for login, so I know they are valid. Any solutions so far?

TOPICS
Security digital signatures and esignatures
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
1 ACCEPTED SOLUTION
Adobe Employee ,
Oct 21, 2016

Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.

I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understand and solve this issue.

Kenneth has just released a new version 0.7.8 of the CACkey driver that should solve this issue and includes several fixes.

It is already available for Download from here: Index of /download/0.7.8

Please give it a run and let us know if it works for you.

Note: this update is specific to CACkey driver users. We heard that some users of the Centrify driver have been impacted as well. We need more help to investigate it, as it may also require an update to work again. Please consider using CACkey version 0.7.8 until we have more to share on Centrify.

Best regards

Andrea Valle, Sr. Product Manager, Adobe Document Cloud

And now some technical details…*

Adobe Acrobat has adopted SHA256 as the default digest algorithm for digital signatures since version 9.1 (2009). However, CACkey drivers before v.0.7.8 don’t support SHA256 when used via Apple Keychain/tokenD, but only the deprecated SHA1 algorithm. To make the signature possible when SHA256 is not supported, Acrobat adopts a fallback mechanism to SHA1.

Apple Mac OSX update 10.11.6 made SHA-2 (which was previously unsupported) the default hashing algorithm, due to which the behavior of certain crypto APIs in OSX has changed. For this reason Acrobat started to fail signing: the SHA1 fallback mechanism is impacted by these crypto API changes and fails.

CACKey 0.7.8 for Mac OSX now includes a new PKCS11.tokend module that adds SHA-2 support (SHA256, SHA384, and SHA512), so Acrobat does not have to fall back to SHA1 anymore.

Adobe is working to fix the fallback mechanism in Acrobat due to OSX 10.11.6, but this has no more impact on signing with CACkey driver after the user updates to version 0.7.8.

* Thanks to Kenneth Van Alstyne and Adobe’s Krishna Kumar Pandey for working hard at solving this issue.

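To see which digest algorithm a signature actually declares (SHA1 from the fallback path versus SHA256, SHA384 or SHA512), the added example below reads the digestAlgorithms field of a CMS (PKCS #7) SignedData blob. It is not code from Adobe or the CACKey project; it assumes a DER-encoded blob, and `constructed_sample` builds a skeleton input rather than a real signature.

```python
DIGESTS = {"1.3.14.3.2.26": "SHA1", "2.16.840.1.101.3.4.2.1": "SHA256",
           "2.16.840.1.101.3.4.2.2": "SHA384", "2.16.840.1.101.3.4.2.3": "SHA512"}
SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData content type

def children(buf, start, end):
    """Split buf[start:end] into TLVs as (tag, value_start, value_end)."""
    out = []
    while start < end:
        if start + 2 > end:
            raise ValueError("truncated TLV header")
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length >= 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n == 0 or n > 4 or pos + n > end:
                raise ValueError("indefinite (BER) or oversized length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("value runs past its container")
        out.append((tag, pos, pos + length))
        start = pos + length
    return out

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signed_data_digests(der):
    """Names of the algorithms in SignedData.digestAlgorithms (ValueError if malformed)."""
    (_, s, e), = children(der, 0, len(der))             # ContentInfo SEQUENCE
    ctype, content = children(der, s, e)[:2]            # contentType, [0] content
    if (ctype[0] != 0x06 or content[0] != 0xA0
            or decode_oid(der[ctype[1]:ctype[2]]) != SIGNED_DATA):
        raise ValueError("not a CMS SignedData")
    (_, s, e), = children(der, content[1], content[2])  # SignedData SEQUENCE
    _version, digest_set = children(der, s, e)[:2]
    if digest_set[0] != 0x31:
        raise ValueError("digestAlgorithms SET not found")
    algs = children(der, digest_set[1], digest_set[2])  # SET OF AlgorithmIdentifier
    oids = [oid for _, s, e in algs for oid in children(der, s, e)[:1]]
    dotted = [decode_oid(der[s:e]) for _, s, e in oids]
    return [DIGESTS.get(d, d) for d in dotted]

def constructed_sample(digest_oid_hex):
    """Minimal unsigned SignedData skeleton: constructed input, not a real signature."""
    def tlv(tag, body):  # short-form lengths suffice for these tiny samples
        return bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(digest_oid_hex)) + b"\x05\x00")
    data = tlv(0x30, bytes.fromhex("06092a864886f70d010701"))  # encapContentInfo: id-data
    signed = tlv(0x30, b"\x02\x01\x01" + tlv(0x31, alg) + data + tlv(0x31, b""))
    ctype = bytes.fromhex("06092a864886f70d010702")            # id-signedData
    return tlv(0x30, ctype + tlv(0xA0, signed))
```
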
New Here ,
Jul 24, 2016

I've had the same issue. Doesn't matter if it's Adobe Reader or Adobe Reader DC. Seems to be an issue with 10.11.6.

For the record, I'm using a SCR331 card reader with the most recent version of CACKey as the middleware. I can still sign emails with the CAC--just can't sign a PDF.

Adobe Employee ,
Jul 27, 2016

Hi Jeffrey/Greg,

Can you please try to upgrade the CAC Reader driver using details in link MilitaryCAC's Apple / OS X 10.11 (El Capitan) Resource page and let me know if issue is resolved/still reproducible?

If you've just updated your Mac OS from 10.11.3 to 10.11.6 and your SCR 331, 3310, 3300v2, or 3500 model reader has stopped working, you may need to update the driver per https://forums.developer.apple.com/message/127598#  You'll see in epeterso's 29 March reply where it has a link to the scmccid_mac_5.0.35.zip file

Thanks,

Shakti K

New Here ,
Jul 27, 2016

I too am having this issue as well.  Per Shakti's write up above I attempted to do the following:

1-  I have attempted the removal and reinstall of my CAC Enabler.  Restart Mac; Issue Persists

2-  I have installed the epeterso 29 March scmccid_mac_5.0.35 update.  Restart Mac; Issue Persists

Note:  The error received when attempting to sign = "credential selected for signing is invalid"

Any fix known for this issue?

As FYI: I also have a secondary system and I found this issue is resolved if I roll back my system to OS X 10.11.5; unfortunately my primary system's most recent 10.11.5 backup is too far in the past for me to roll back without a ton of work and time. I hope a fix is found soon.

New Here ,
Jul 27, 2016

I updated the driver as you suggested and still have the same issue. I can't digitally sign PDFs with my CAC.

One item of note: checking "Lock after signing" will appear to sign the document after you push save, in that the digital signature shows up on the document. However the "invalid credential" dialog box still shows up, and dismissing it makes the signature vanish.

Community Beginner ,
Jul 28, 2016

Shakti -- Please see screenshot for additional debugging information. This artifact was created by signing a file and then while the "invalid credential" error was on the screen, copying the file in the background off to a new file to preserve its state, and then opening that copy. It would appear to implicate changes to the BER encoding in OSX or BER decoding handling in Acrobat as the source of the issue. Let me know if a sample file would be of value and I'll generate something which I can share.

Screen Shot 2016-07-28 at 8.11.02 AM.png

Adobe Employee ,
Jul 28, 2016

Hi Sean,

The issue seems to be due to MAC OS Upgrade to 10.11.6.

Please send the sample file. We can try something here to debug the issue.

Thanks,

Shakti K

New Here ,
Oct 16, 2016

This is what mine looks like too

Community Beginner ,
Jul 27, 2016

I too have this issue on about 200 Mac systems.  I have tried all of the following and the issue is unresolved:

  1. roll back Acrobat to previous version
  2. reinstall CAC software (using full Centrify client)
  3. reinstall CAC drivers (SCR3310 v2)
  4. issuers  roots and certificates are in System Keychain and trusted
  5. issuers  roots and certificates are in Adobe and trusted
  6. unchecked "require certificate revocation checking to succeed whenever possible during signature verification" in Signature Verification Preferences
  7. completely removed Adobe and all associate files and started with a fresh install
  8. tried smart cards using SHA1 encryption versus SHA256 encryption

This definitely seems to be from the OS X upgrade, but any help would be greatly appreciated!

Adobe Employee ,
Jul 28, 2016

Hi,

As stated above by Alain, that issue got resolved when he rolled back his system to MAC OS 10.11.5.

Thanks,

Shakti K

Community Beginner ,
Jul 28, 2016

Shakti,

Surely Adobe is not meaning to advise users to roll their systems back to a known-vulnerable operating system version? As also documented by Alain and others, nearly every other application is behaving normally and appropriately under 10.11.6 - only Acrobat is giving users fits.

Seeing your second message, I'll generate and attach a sample file to this thread shortly.

We collectively appreciate yours and the team's efforts to solve this issue expeditiously - for many teams, this has resulted in a considerable work blockage which needs to be resolved soonest.

Thanks.

Sean

Adobe Employee ,
Jul 28, 2016

Hi Sean,

No, it is not advisable to roll the system back to a vulnerable version.

Please provide the file to debug.

Does signing work perfectly fine using Adobe Acrobat/Reader when signed using any other smart card other than CAC or any other certificate?

Community Beginner ,
Jul 28, 2016

Shakti,

Appreciate the clarification and fully agreed!

Attached is a test document which will display a signature, but which obviously fails validation with the aforementioned BER decoding error.

Regarding other smartcards, my only others are at home presently, so those will have to wait until end of day at least before I can try to test. Does anyone else reading have a non-CAC smartcard with which they might be able to test? I'm inferring that PIVs have already been tried (and failed), but it's a valid point that we need to provide that information explicitly to the engineers.

And regarding Acrobat Reader, it also fails to sign the document, providing the same error message, although it also adds another to say that the signature could not be applied.

Please let us know what else we can do to assist with getting this fixed.

https://drive.google.com/open?id=0BwLXdbqvRdLQVzFwWkNKRUJyeEk [Sample document]

Sean

Community Beginner ,
Aug 01, 2016

Shakti, et al,

Any progress or update on this? Our users continue to experience considerable frustration with the Adobe platform in the wake of this, as they see all their other tools working except these. Please advise if we can provide additional information or assistance in the diagnostic process.

Sean

Explorer ,
Aug 18, 2016

I'm having the same issue with PIV signing.

Explorer ,
Aug 18, 2016

We are using Centrify and PIV. I was able to fix two machines with Acrobat Reader DC doing the following...

I didn’t need to mess with the permissions. So I don’t think executable permissions are actually required, thus the instructions are just…

  • In Adobe Reader DC, open Preferences, then go to Signatures --> Identities & Trusted Certificates --> More...
  • Click "PKCS#11 Modules and Tokens"
  • Click "Attach Modules"
    • Enter path to your PKCS#11 module; for Centrify this is /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
  • Click "OK"
  • Click the little triangles to open up the module until you see the card
  • Click the card
  • Click on the email signing certificate (look for one that says Intended Usage: Digital Signature, Non-Repudiation)
  • Click the "Usage Options" popup menu and select "Use for Signing"
  • Click Close, then Click OK.

Explorer ,
Aug 18, 2016

If you do the above and it doesn't fix it, look at the Certificate details and make sure your validation path looks good. (For me it's good when there are no triangles and only one path found.) If it shows any errors, try updating the Adobe Approved Trust List (AATL) under Preferences -> Trust Manager.

New Here ,
Aug 22, 2016

Thank you for the instructions. I got a licensed copy of Adobe Acrobat Pro DC and now I can sign PDF documents with my CAC again!

Adobe Employee ,
Jul 28, 2016

Hi everyone,

Please check the site MilitaryCAC's Ask your Mac specific question page and verify anything is missing in your case as suggested in the site.

Thanks,

Shakti K

New Here ,
Jul 28, 2016

Shakti,

I have used other certificates with success. This appears relegated to CAC signing so far (No real isolation performed. This is strictly deductive). I utilize an SCM3310 cac reader. 

For whatever that is worth...

New Here ,
Aug 03, 2016

PLEASE help us figure this out! I have the exact same problem. After upgrading to 10.11.6 I can no longer sign documents.

Community Beginner ,
Aug 03, 2016

This is the solution: it assumes you are using CACKey, but can probably be translated to other middleware:

  • Verify permissions of /Library/CACKey/libcackey.dylib are correct; they should be -rwxr-xr-x (755) and owned by root, group admin. If they're not, change them using Terminal.app:
    • sudo chown root:admin /Library/CACKey/libcackey.dylib
    • sudo chmod 755 /Library/CACKey/libcackey.dylib
  • In Adobe Reader DC, open Preferences, then go to Signatures --> Identities & Trusted Certificates --> More...
  • Click "PKCS#11 Modules and Tokens"
  • Click "Attach Modules"
  • Enter path to your PKCS#11 module; for CACKey this is /Library/CACKey/libcackey.dylib
  • Click "OK"
  • Click the little triangles to open up the module until you see the card
  • Click the card
  • Click on the email signing certificate (look for one issued by DOD EMAIL CA-xx and includes Intended usage of Digital Signature)
  • Click the "Usage Options" popup menu and select "Use for Signing"
  • Click Close, then Click OK.

The above steps will need to be repeated for each user account on the machine.

If you're using something other than CACKey, then you'll need to determine the path for your PKCS#11 module. If you have Firefox or Thunderbird installed, then it's the same as the one you have configured in those applications in order to use your CAC.

Once this configuration change has been made, the signature dialog box will change slightly to include a field to enter your PIN (or as Adobe calls it, "certificate password"), as shown in the screen shot below. You'll need to enter your PIN here, rather than clicking Sign and then getting the standard OS X dialog to enter your PIN.

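Attaching a PKCS#11 module makes Acrobat load that library, and the PIN is then typed into Acrobat's own dialog, so the module file's ownership and mode are worth checking before either module path in this thread is attached. The added example below is not part of the original posts (the function name and defaults are illustrative); it checks a path against the root-owned, 755 expectation stated for CACKey and also flags a group- or world-writable containing directory, which goes beyond what the post checks.

```python
import os
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_pkcs11_module(path, want_uid=0, want_gid=None, want_mode=0o755):
    """Return a list of findings; an empty list means the module matches expectations."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; the link target is what gets loaded")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return findings + ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        findings.append(f"mode is {mode:04o}, expected {want_mode:04o}")
    if mode & WRITABLE_BY_OTHERS:
        findings.append("module is writable by group or other")
    if st.st_uid != want_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {want_uid}")
    if want_gid is not None and st.st_gid != want_gid:
        findings.append(f"group gid is {st.st_gid}, expected {want_gid}")
    # A writable directory lets the library be swapped even if the file itself is locked down.
    parent = os.stat(os.path.dirname(os.path.realpath(path)))
    if stat.S_IMODE(parent.st_mode) & WRITABLE_BY_OTHERS:
        findings.append("containing directory is writable by group or other")
    return findings


if __name__ == "__main__":
    import grp
    import sys

    # Default path is the CACKey module named in the post; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/Library/CACKey/libcackey.dylib"
    admin_gid = grp.getgrnam("admin").gr_gid  # the post expects owner root, group admin
    for finding in audit_pkcs11_module(target, want_uid=0, want_gid=admin_gid):
        print("FINDING:", finding)
```
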
Community Beginner ,
Aug 03, 2016

Thanks for posting such a great set of instructions sillybaku.

But I have to parse that and call it a workaround vs a solution. Those steps are unnecessary for Safari, Chrome, Apple Mail, and all other (non-Mozilla) tools to maintain their interoperability with CACs on OSX, before and after 10.11.6.

Adobe still needs to return to this with a solution which can restore the functionality and ease of configuration & use which users have been relying on for years.

Community Beginner ,
Aug 03, 2016

Oh, I agree with that! But at least this will get the functionality back.

Community Beginner ,
Aug 04, 2016

I agree with seanb51854381,  while these instructions are great for many users a permanent solution needs to be provided by Adobe or Apple.  We utilize Centrify in our environment and unfortunately the steps above do not resolve the issue here.  Installing CACKey will break the Centrify application.

When I try to apply a similar solution by pulling this file /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so into the "PKCS#11 Modules and Tokens" in Adobe I get the error "Could not load the PKCS#11 module."

I think this is the correct location to obtain the PKCS#11 module but I may be mistaken. From what I have read, Adobe doesn't like the .so extension but I cannot seem to locate a .dylib that will work. If anyone has a suggestion I would be grateful for the input.
