EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Signing PDF twice with two certificates

#5180
Posted: 02/26/2008 20:41:16
by Ben Loomis (Basic support level)
Joined: 08/18/2006
Posts: 9

I have a program which signs a PDF using SecureBlackBox, and the generated signature the first time is completely valid.

If I sign the document again with a different certificate, the details for the first signature say: "The revision of the document that was covered by this signature has not been altered; however, there have been subsequent changes to the document."

The second signature does not say this. Is there any way to sign a document twice without this warning?
#5181
Posted: 02/27/2008 01:35:36
by Eugene Mayevski (EldoS Corp.)

Do you need to sign once with two certificates, or do you need to sign the already signed file? And what is the exact reason (and meaning) of the second approach? Maybe you need to countersign the file, instead of signing it. These are different things ...


Sincerely yours
Eugene Mayevski
#5184
Posted: 02/27/2008 03:17:58
by Ben Loomis (Basic support level)
Joined: 08/18/2006
Posts: 9

Yes, I need to countersign the file. Is there a different way of doing that rather than calling the same signing code twice?
#5186
Posted: 02/27/2008 09:18:56
by Ken Ivanov (EldoS Corp.)

The PDF specification does not define a way of countersigning an existing signature. Have you encountered some tools that do support PDF countersigning (i.e., tools that can re-sign documents without invalidating the original signature)?
#5254
Posted: 03/03/2008 06:40:22
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

I am joining this discussion as I am going to need double signing (at different moments) of a PDF document sooner rather than later... and I do know applications that do exactly this (the director signs and passes the doc to a second person, who also signs the already signed PDF, and so on), so I knew it could be done.

I found a PDF (of course!) document from Adobe talking about how to sign an already signed document WITHOUT invalidating the original document. It is done via an update in the file that contains no change to the document itself, but a new signature. It also says that previous versions of PDF "compiled" the updates inside the main body of the document, invalidating previous signatures; maybe it is now, when they fixed it (they don't do it like this anymore on signed docs), that it is feasible to double sign a document, and not before.

The file is here: http://www.adobe.com/devnet/acrobat/pdfs/DigitalSignaturesInPDF.pdf

It talks about this on pages 5 and 6.

It also states that a signed doc can be CHANGED and signed again, so you end up with a non-updated version with its valid signature, plus a second version (with updates applied) with its second signature also valid... nice idea.
#5255
Posted: 03/03/2008 07:26:38
by Ken Ivanov (EldoS Corp.)

SecureBlackbox supports multiple signatures in exactly the same way you have mentioned. However, the original problem has been stated as
Quote
"The revision of the document that was covered by this signature has not been altered; however, there have been subsequent changes to the document." Is there any way to sign a document twice without this warning?


And the answer to the original question is "No, it is not possible to sign a document twice and make Adobe Reader display it without the warning".
#5256
Posted: 03/03/2008 07:38:40
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

...except if the update added to the PDF file changes the version to +1 and then adds the 2nd signature... then, version 1 was signed with the 1st certificate, and revision 2 (that is the same one) with the 2nd certificate, and Acrobat will be happy to show both signatures as valid... well, I hope; maybe it will show the 2nd revision with only the 2nd signature, I can't test it myself.
#5257
Posted: 03/03/2008 07:50:17
by Ken Ivanov (EldoS Corp.)

1) There's no concept of "PDF file version", so it is not possible to change it.
2) Both signatures are actually shown as valid, however, there's a warning displayed for the first signature. There's no way to bypass this warning.
#5260
Posted: 03/03/2008 10:29:59
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

Revision, I meant. Reader is saying "the same revision", so maybe there is some way to change it to revision +1 so the warning goes away. Just an idea; maybe there is no way, but in this case, Reader is a little dumb!
#5264
Posted: 03/03/2008 18:13:57
by Ben Loomis (Basic support level)
Joined: 08/18/2006
Posts: 9

Thanks for the responses.
Here's the relevant bit of that pdf:
Quote
The purpose of the warning is to alert the recipient that the document was modified
after the signature was applied, but that modification may well be only a second
signature that was intended by the originator, and which is fully valid. Adobe
recommends that the recipient use the View Signed Version command or the Compare
Signed Version to Current Version command to see what was signed or what has
changed since signing.
Naturally, a second signature on a document is done using the incremental update
facility. So a first signature will be flagged with the yellow triangle once a second
signature has been applied. The minimum difference between the signed version and
the current version is, of course, the application of the second signature.


Then it says:
Quote
This problem of the Yellow Triangle alert can be avoided if the author
certifies the document, as explained below in “The Need for Certified
Documents” on page 8.

It looks like that method would be to create the signature field, then sign the document with a certification signature and only allow that field to be filled in, then the document could be signed again and there wouldn't be a warning.
From the SBB documentation for the values of the SignatureType:
Quote
Certification (MDP signature). This signature type is outdated and is not recommended for use.

Is that correct? I can't find anything about it being not recommended on Adobe's documentation.
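
The incremental-update behaviour discussed in this thread can be seen directly in a signature's /ByteRange: the sketch below is an added example (not code from any poster, from EldoS, or from SecureBlackBox) that reports, for each signature, where its signed revision ends and how many bytes were appended afterwards. `append_signed_revision` and the sample bytes are constructed stand-ins that model only the byte layout, with no real cryptography and no xref tables, and the regex scan is a simplification rather than a full PDF parser.

```python
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
BR_FMT = b"%010d %010d %010d %010d"  # fixed width so offsets do not shift

def signature_coverage(pdf: bytes) -> list[dict]:
    """For each signature, report where its signed revision ends and how
    many bytes later incremental updates appended after it."""
    report = []
    for m in BYTERANGE.finditer(pdf):
        a, b, c, d = map(int, m.groups())
        end = c + d  # offset just past the last byte this signature's digest covers
        report.append({
            "contents_gap": (a + b, c),  # the /Contents hex string, not hashed
            "signed_revision_end": end,
            "bytes_appended_after": len(pdf) - end,
            "covers_whole_file": a == 0 and end == len(pdf),
        })
    return report

def signed_version(pdf: bytes, index: int) -> bytes:
    """The revision a signature covers (what 'View Signed Version' shows)."""
    return pdf[: signature_coverage(pdf)[index]["signed_revision_end"]]

def append_signed_revision(pdf: bytes, signer: bytes) -> bytes:
    """Constructed stand-in for a signer: appends an incremental update with a
    signature dictionary. Byte layout only; /Contents is a zero placeholder."""
    pre = pdf + b"\n<< /Type /Sig /Name (" + signer + b") /ByteRange ["
    post = b"] /Contents "
    contents = b"<" + b"0" * 64 + b">"
    tail = b" >>\n%%EOF\n"
    gap_start = len(pre) + len(BR_FMT % (0, 0, 0, 0)) + len(post)
    gap_end = gap_start + len(contents)
    return pre + BR_FMT % (0, gap_start, gap_end, len(tail)) + post + contents + tail

# Constructed sample: a minimal unsigned body, then two signing passes.
BASE = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
ONCE = append_signed_revision(BASE, b"Director")
TWICE = append_signed_revision(ONCE, b"Second signer")

if __name__ == "__main__":
    for i, sig in enumerate(signature_coverage(TWICE), 1):
        print(i, sig)
```

A non-zero `bytes_appended_after` on the first signature is the condition behind the "subsequent changes" notice; deciding whether those appended bytes contain only a second signature requires parsing the appended objects, which this sketch does not do.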

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.