PDF signature ignored by Acrobat but visible in other validation tools
We're making a webapp whose one of the functionalities is to make PaDES signature. The code is too big to share here, but here is how the workflow looks like:
- PDF is prepared for signing by doing all the necessary transformations in browser
- Digest is calculated using the chosen algorithm
- Digest is sent to the backend were the detached CaDES signature is made using the DSS library
- The detached signature that is generated on the backend is sent back to the browser to be inserted into the prepared PDF to make a PaDES signature
The solution is working good, for most of the PDF files. However, there are some files in which Acrobat doesn't display the signature as if it doesn't exist, but when trying to do the verification with our webapp (which uses DSS in the backend for verification) everything is displayed fine. It is also displayed fine when checking it with the DSS online verification tool.
Here are the most relevant parts of the signed PDF:
1 0 obj
<</AcroForm<</Fields[1057 0 R] /SigFlags 3>>/Type /Catalog /Pages 3 0 R
/Dests 8 0 R
/Metadata 1056 0 R
>>
.
.
.
1057 0 obj
<<
/FT /Sig
/Type /Annot
/Subtype /Widget
/F 132
/T (Signature1057)
/V 1059 0 R
/P 3 0 R
/Rect [335.17360432942706 796.500010172526 535.173604329427 746.500010172526]
/AP <<
/N 1060 0 R
>>
>>
endobj
.
.
.
1059 0 obj
<<
/Type/Sig
/Filter/Adobe.PPKLite
/SubFilter/ETSI.CAdES.detached
/Name (Name)
/ContactInfo ()
/Location (Location)
/Reason ()
/M (D:20200813165733+02'00')
/Contents <3082104b06092a864886f70d010702a082103c30821038020101310f300d06096086480165030402010500300b06092a864886f70d010701a0820d57308206e2308204caa003020102020944e5524cc00bede260300d06092a864886f70d01010b0500304a310b30090603550406130252533110300e06035504070c0742656f67726164310f300d060355040a0c064e65745365543118301606035504030c0f436c6f7564204341204e6574536554301e170d3139313231383133343231395a170d3232313231383133343231395a30819d310b3009060355040613025253310f300d06035504080c065365726269613111300f06035504070c0842656c6772616465310e300c06035504110c053131303730311a301806035504090c1150617269736b65206b6f6d756e652032343112301006035504040c095261646f7365766963310f300d060355042a0c064e696b6f6c613119301706035504030c104e696b6f6c61205261646f736576696330820122300d06092a864886f70d01010105000382010f003082010a0282010100cf2e36a81919b993cb52b88235a258b2b008a770862a42c1724e9652826a6394bf2426ca450946bb3726306162474e75003d532182b3fe492e099503a11e10429624611998ac2ff0942f729d3d275228bdcee172ffab42fb10509aa796cad95fd79a82fc8ee29f74c4ca0d76aa64f6f16d5b6f5c281eea870ea7054633a5b5b6eb06b7abbb60752f6cf5c17c3967e1d4b1a401d54d7579c256c04b9f7c293a7d9c8c566e4ad92c32574de1da9afcddb282506e2cf77de31c543f5291e439480705d246142d41e7566e92f1cf4115c286e88a7a3a564a9395cf64a2570fc691c74393907695d7c76a6317123a5342b0ea39239ba0e93a2c862e2eafe87a3064ad0203010001a38202753082027130090603551d1304023000300e0603551d0f0101ff0404030206c0301f0603551d2304183016801403e93e995d06eef7519b67deff9cea818009e456301d0603551d0e04160414e930d3083630ac3da05cefaf64efceb6256ddf5430400603551d1f043930373035a033a031862f687474703a2f2f7374617266697368746573742e6e6574736574676c6f62616c2e72732f636c6f756463612e63726c30819d06082b060105050701030101ff04818d30818a303a06082b06010505070b02302e060704008bec49010130238621687474703a2f2f63612e6e65747365742e72732f646f6b756d656e746163696a613008060604008e4601013008060604008e4601043016060604008e460102300c1303657572020100020203e8300b060604008e4601030201143013060604008e4601063009060704008e4601060130819806082b0601050507010104818b308188303b06082b06010505073002862f687474703a2f2f7374617266697368746573742e6e6574736574676c6f62616c2e72732f636c6f756463612e637274304906082b06010505073001863d687474703a2f2f706b7363612e6e6574736574676c6f62616c2e72733a383038302f6f6373702f726573706f6e6465722f706b73636c6f75646f6373703081960603551d2004818e30818b3027060604008b300101301d301b06082b06010505070201160f687474703a2f2f657473692e636f6d3027060604008b300102301d301b06082b06010505070201160f687474703a2f2f657473692e636f6d300b060704008bec4001023000302a06092a817a01690a040103301d301b06082b06010505070201160f687474703a2f2f6e656b692e636f6d300d06092a864886f70d01010b05000382020100269f2baeed5bc772c3606da57ebba2b4ef6a715d82c2018d5973edd74cc08bf9f266363f1ef3289e34060bce9b52463210cc36d5c8d87c7742b3c04b5227792391db8f686d19866f457c7e47a722d279619b35d7bf569cc2cf599fd13c81f938ce8b08f2d1eb2613e7259b8f59c0e34b5403246e94ef891b4293762677ccd9516f5e2ca36f4b7827f671b2463785bf8804454f2fc2a7de84114cf602d241040aad943d991198a3858a65acf1b468a9b006dc859ffaa46510d16253e72385d57535802288c9ddeb8114ebecdbc4e267d17e188c9cf4d7180b79a4b8bab89d03d6a5011e601f12fc2c132f33e8b872092a4dff6182e0b45536a23dfb2b7eeeffb34540e306c4d1e6e4d595086f76ecf5e2e1ab713a87a5785aea9eea518d391b8982893f2bae03a14ed13cbff25494713c1b79e6dbcdc50059f9df92b4000c597c499b0e654e7defb348ddcf35cb3f51ebb4d934b0395dcd7952a2ac1c1ab5dcc8271b21f54276c0da3a91a54dcf68d9b30c274e968c467d5b3f188535987ed8898444bc8779b405889c54960681863986ebccd4266ae3de4cebc0bf15f7d91bfb41708df87a95a6da46fb951b7b9aaffee53b38e75f582f9b851ea61685f1e60014264fc8bfcb31697653fa68c997cacb033fd4cafdffdfd9fb6d6a52027cc6680c1418d7902ddb11245cc006df2332234740d7d4579f56733308d97d9208e1803082066d30820455a003020102020917664a8436102867b6300d06092a864886f70d01010b05003049310b30090603550406130252533110300e06035504070c0742656f67726164310f300d060355040a0c064e65745365543117301506035504030c0e526f6f74204341204e6574536554301e170d3139313231373038343234355a170d3434313231363137333034355a304a310b30090603550406130252533110300e06035504070c0742656f67726164310f300d060355040a0c064e65745365543118301606035504030c0f436c6f7564204341204e657453655430820222300d06092a864886f70d01010105000382020f003082020a0282020100b47b0b9d976f18457719af6a147880e006ec1cd472bacc31a58327eb2aa7e162e0e113128b0a0bed1950a8ae0bff962f132928bd434a7e0c887c17e610f243ebda0419fa4b2fba4bda643796cf7d97a7e8e0b0828b383c850e95d87210dee367f64520ffbc093720658a899f9f988eb7a08d8bca0615e1b6e4fa058d0c1f00b7b2c09b05099aa193aec4e989bae4d59bfc9d044e281927fbb88e9d23cf9676c75b27890cf04de07a38b0d129fa1de1fd10cc360757738adc9bd9677bfea812aa8611729cf3a114cd6233ed9c4c705a10e5c6f03f7117bfeb04988c3d96a193e18506ddc44819db7d083bc0cdad8335bae0a7a44b2a56c404bb43c87673e9ab9ec321f341cbad17176ad77db663a20b676cc338c6b36e58aa13f1e61ad596ed176d9d2b0bdd36c3cabab22410607d62f97c8349877efabdaf16dce49ef4a67c7780b1bb30b9250bdb5fbdad84d56d43be3484ca6e5bdec3666a230ab5fec46b056beedc8b2e43bb6106f682d5026d3393d73f652f2a83db15d3ad4a5be9b7df0d04d8a0bcbbabc2f791c72ece6d3911936a9c3ea99d4b7f6f101d15ab45032f693fbef1a78d90b48de23ef3b70148c1833e563bcc9259677ed15f869dff111492bd986221082abdac1d0ce1d2c5683a25e4db27c849a818d8fe1cc01207345653305749878c6d09db0e3f04bdae444046a8294c640eafff35114b9f71a1e874750203010001a38201553082015130120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106301f0603551d23041830168014e265e5d9a4b6b03700cd20a6d65b7140f1be4e5b301d0603551d0e0416041403e93e995d06eef7519b67deff9cea818009e456303f0603551d1f043830363034a032a030862e687474703a2f2f7374617266697368746573742e6e6574736574676c6f62616c2e72732f726f6f7463612e63726c304a06082b06010505070101043e303c303a06082b06010505073002862e687474703a2f2f7374617266697368746573742e6e6574736574676c6f62616c2e72732f726f6f7463612e637274305e0603551d200457305530530604551d2000304b302e06082b060105050702011622687474703a2f2f6e65747365742e72732f646f6b756d656e746163696a612e706466301906082b06010505070202300d0c0b4e657453657420646f6373300d06092a864886f70d01010b050003820201001ac4e839342cc09ec23dbb6f4e325b6e2f494d502fd6bda7095e4699f4b477464fb10898eff7a09d40c51fc9e3ad67f08ca9762955ce89b9d6076551618d665b65532b426c2101abad0f528a19aa9c18d99f71dbd8c9299cbb50b610867af26c3a59e9ed995677ab490a75d88fd2452dacfcb88b7520b500f54ab66eba612c082448dd51202cce3ea5084a8ccf8045dea6804d6a9d399414f2c86a012aa9beb5773d88e67056023e203a006e93080805ee3d7b57c8537217145be51c3c96583e981a0f10a3f31ffa914ea531caa3960baf02336a9ccf271439057217899e77d7d86b46bf02354abb7ba18578434a20918b4eb1d4b753947c07457a682d69f8938c5c25d80bc0cd24fc2b41bbe4ecb8ccbecdab68755706c9f9df462fe3266f1c1c6cbc405587db22e210d847c19210bfe1cbda5af5994a6651527a819ae27bd09de8359c50a7c80155978e17c32e64e6e191c3ee39f92e82699457b644a4b36e26bbfd803fc37b15d41f3bb855c3e199d01a26d6d6b97ea1b9fbc50964246449c6c580299884e741656ac907dc44f348b171b581ffd23bfd962ba42e7c89876ee3c5212a5dd1046ad5a5547fd762881b3045b809bc492317d73e9ebd9788028ab428a2178db972466c16b595002670f089154516f0cc17f6352575fe8d314b17fee1aa610c5e2a70c7c9f8f9880b1dc99a50d9ba9f4db469f7bc2c61af90ae4d318202b8308202b40201013057304a310b30090603550406130252533110300e06035504070c0742656f67726164310f300d060355040a0c064e65745365543118301606035504030c0f436c6f7564204341204e6574536554020944e5524cc00bede260300d06096086480165030402010500a0820132301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3230303831333134353830325a302d06092a864886f70d0109343120301e300d06096086480165030402010500a10d06092a864886f70d01010b0500302f06092a864886f70d01090431220420e1e4ce48e389182ecc1ea924190b2ac21fe9a967542fd3d86db0ae1f63019575308197060b2a864886f70d010910022f318187308184308181307f04201e7237e91573f4cd8f76c4c57f2db25be8efe728f4f916cebee707c3bd23f512305b304ea44c304a310b30090603550406130252533110300e06035504070c0742656f67726164310f300d060355040a0c064e65745365543118301606035504030c0f436c6f7564204341204e6574536554020944e5524cc00bede260300d06092a864886f70d01010b050004820100c4d080863e1edce5cd5d7d8634e477ac6697e9e881b21fa4b6033a5b0d1fa8adf2afab5d972e4637bda97b49017308f78ff2329fbd16e31642d5f38f4fa27f44fbb50725c76bfb951cbd8f3b0a492bee6f0d9e7bc2ea41a7c67e97c3ea58deabcb5799d558c350822b4a2689ed1ff2991d9322a0b66574aa83e0d16607adff088a11723eff1ef0c5505e7f98b57ddbe3bb66b2cd94d1ab62b3f32cb8af80f3dcb6a13aeca316f0ac7c448884fa77fb01bf67be38fab46f9b40fe08202d118e56a1b5c0db45a4cf368aa3f586b585fd63805ec316b338498d8873be2c9e2663f880e48b99993ade775d3584d412222ae5014bdf064d83715cfb90d40be20aba910000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000>
/ByteRange [0000000000 0000220234 0000236618 0000022770]>>
endobj
.
.
.
trailer <<
/Size 1064
/Root 1 0 R
/Info 2 0 R
/ID [<a48978cd2c166094b3e771ab606ea301><531ccc430c71ee517274ec4d5f6e2c34>]
>>
Everything seems fine, but for some reason Acrobat is ignoring the signature. Here's the whole file if you'd like to take a look: https://easyupload.io/2lrfg8
Solution
There are multiple errors in the signed PDF.
As @David in his answer mentioned, there are two Annots entries in the first page.
As I already wrote in a comment, the P entry of the signature (field and) widget object points to a Pages inner node of the page tree, not a Page leaf node.
The FRM form XObject has an error in its content stream:
q 1 0 0 1 0 0 cm /n2 Do Q\n(That "\n" is indeed a backslash and an 'n', not a newline character.)
There is a broken object 1062 containing stream content in the dictionary
1062 0 obj << /Length q 1 0 0 1 0 0 cm /img1 Do QThe cross reference offsets are incorrect, at least for the objects related to the signature.
If one fixes these issues by
- joining the two Annots entries into one,
- changing the P entry to point to the correct Page dictionary,
- removing that "\n" sequence,
- replacing the stream content in the dictionary by the actual stream length, and
- correcting the signature related cross reference entries,
Adobe Reader displays the signature; obviously as invalid, though, after all those repairs changed the file:
Thus,
Everything seems fine, but for some reason Acrobat is ignoring the signature.
as explained above there are many errors in the file, so Adobe Acrobat cannot be blamed for not showing your signature. So it's actually the other way around, any signature validation software that ignores that many errors and then still validates the signature without any warning, is buggy. Such errors might cause the file to display differently on different viewers, so the trustworthiness of the signature is limited. This could actually be used as another attack vector on PDF signature validation.
(Be aware, the errors mentioned above probably are not the only ones, merely those I stumbled over when analyzing the issue at hand.)
- How to associate search catalog file (.pdx) with PDF document
- Unable to make widget/field appearance showing in Acrobat(works with pdf-x change, foxit)
- How to Generate PDF in node.js
- Loop through folder and subfolders and merge pdf
- react-pdf text renders in different positions
- wkhtmltopdf --use-xserver option
- How to use ImageMagick to output the base64 from each pages of a PDF
- How can I extract separated content from questions in a PDF of the ENEM (brazilian exam)?
- insert a PDF with FPDF
- Display PDF within web browser
- Export Single Sheet to PDF in Apps Script
- Recommended way to embed PDF in HTML?
- PDF Signature Appearance is not Visible
- Download file or Open if file type is PDF
- A4 Template CSS: can't extend the div's height through the entire A4-page
- Set Paper Source of PDF page in ASP.NET Web Form Application
- Error using magick R to import PDF
- Are PDF headers all the same regardless of version
- Call to undefined method Dompdf\\FrameDecorator\\Page::add_line()
- Any Way to Reduce File Size Using wkhtmltopdf?
- DomPDF uses custom font on local server, but not in production
- Rendering PDF Jetpack Compose
- ICEpdf: PDF Printing corrupted second page
- Adding external images to PDF using iText
- Splitting PDF with PyPDF2 in Lambda function
- how do you open a PDF at a specific page from the command line? (OSX or Linux)
- Error while signing multiple signature fields using itext c#
- Using R Quarto to create PDF documents, how can I center code chunk output and add a background color?
- Importing a scatter plot from PDF into R
- Convert a PDF file to image