
Digital Signature/ eSign verification fails


I have an eSigned / digitally signed PDF; the document is signed using the iText lib with a detached signature. I am having an issue while verifying the signature, getting the message "signers identity is invalid because it has expired or not yet valid" and in signer info "There were errors building the path from signers certificate to an issuer certificate."

I have tried many ways to validate the signature but couldn't get any success. If I explicitly add the signer's certificate as a trusted certificate then I get a green check and am able to verify the signature, but I think that's not the correct way to do it.

Adobe signature settings are as follows (screenshot: signature verification preferences).

The digitally signed PDF can be found here: digitally signed document

Can anyone please help to resolve this issue?


Solution

  • I have tried many ways to validate the signature but couldn't get any success.

    That is not surprising: your signature is not valid. In the PDF signature field value there is a signing time 2020/06/11 09:28:35 GMT, but your signer certificate is valid not before 2020/06/11 09:29:44 GMT and not after 2020/06/11 09:59:44 GMT. At the claimed signing time, therefore, your signer certificate was not valid yet and could not create a valid signature.

    Apparently you sign using a signing service that creates a short-time certificate just in time when your signature request arrives at it. Unfortunately that is after the time iText stored as signing time in the PDF at the beginning of the signing process.

    Thus, one way to resolve the issue is to tell iText to use a time slightly (e.g. two minutes) in the future.

    You can do that by means of the PdfSignatureAppearance method setSignDate.

    Your signature actually also violates a recommendation from the specification: the aforementioned signing time stored in the signature field value dictionary should be used only when the time of signing is not available in the signature (the embedded signature container). In your case, though, the embedded signature container does contain a signingTime signed attribute with value 11/06/2020 09:29:44 GMT, which is not before the start of certificate validity.

    As that is only a recommendation, your PDF signature is not made invalid by having two signing time values. But as the values differ, this can result in different verification results by different validators, using either one or the other value.

    Thus, another way to resolve the issue is to make sure no signing time value is added to the signature value dictionary at all. This additionally makes your signed PDF follow the recommendation above and so be more precise.

    Unfortunately, using the PdfSignatureAppearance method setSignDate to set a null value does not work; later on in the signing process this results in a NullPointerException. But if you use a custom ExternalSignatureContainer implementation in your signing code (and not an ExternalSignature implementation), you can remove that entry in your modifySigningDictionary implementation. The key is PdfName.M.


    As an aside, as your signing certificate is only valid for half an hour, validators may also reject it if their validation policy only trusts digital time stamps, not unsecured date-time values.

    Thus, you should add revocation information and digitally time stamp the whole construct during the lifetime of the certificate to guarantee long term validation.
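The two fixes from the answer (move the /M signing time slightly into the future, or drop /M entirely from a custom ExternalSignatureContainer) as one added example. This is not code from the question or from iText; it assumes iText 5.5.x (package com.itextpdf.text.pdf, which is where PdfSignatureAppearance.setSignDate and ExternalSignatureContainer live) and a hypothetical RemoteCmsSigner client standing in for the signing service, which is assumed to take the SHA-256 digest of the signed byte ranges and return a complete detached CMS container together with the just-issued certificate. The sign(...) entry point, the ServiceContainer class and the field name "sig1" are all choices made for this example.

```java
import com.itextpdf.text.Rectangle;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.DigestAlgorithms;
import com.itextpdf.text.pdf.security.ExternalSignatureContainer;
import com.itextpdf.text.pdf.security.MakeSignature;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.util.Calendar;

public class ServiceSigning {

    /** Hypothetical client for the signing service (assumption, not a real iText type):
     *  receives the SHA-256 digest of the signed byte ranges and returns a detached CMS container. */
    public interface RemoteCmsSigner {
        byte[] signDigest(byte[] sha256Digest) throws GeneralSecurityException;
    }

    /** Container that delegates CMS creation to the service and optionally removes /M. */
    public static class ServiceContainer implements ExternalSignatureContainer {
        private final RemoteCmsSigner service;
        private final boolean dropDictionaryTime;

        public ServiceContainer(RemoteCmsSigner service, boolean dropDictionaryTime) {
            this.service = service;
            this.dropDictionaryTime = dropDictionaryTime;
        }

        @Override
        public byte[] sign(InputStream data) throws GeneralSecurityException {
            try {
                // Digest the byte ranges iText hands us; the service signs that digest.
                byte[] digest = DigestAlgorithms.digest(data, "SHA-256", null);
                return service.signDigest(digest);
            } catch (IOException e) {
                throw new GeneralSecurityException("could not digest signed byte ranges", e);
            }
        }

        @Override
        public void modifySigningDictionary(PdfDictionary signDic) {
            signDic.put(PdfName.FILTER, PdfName.ADOBE_PPKLITE);
            signDic.put(PdfName.SUBFILTER, PdfName.ADBE_PKCS7_DETACHED);
            if (dropDictionaryTime) {
                // Option 2 from the answer: iText has already put its own signing time under /M;
                // removing it leaves the CMS signingTime attribute as the only signing time.
                signDic.remove(PdfName.M);
            }
        }
    }

    /**
     * Signs src into dest. With dropDictionaryTime=false, option 1 is applied (/M two minutes
     * ahead, so it falls inside the short-lived certificate the service is about to issue);
     * with dropDictionaryTime=true, option 2 is applied (no /M at all).
     */
    public static void sign(String src, String dest, RemoteCmsSigner service,
                            boolean dropDictionaryTime) throws Exception {
        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(dest);
        try {
            PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
            PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
            appearance.setReason("Signed via signing service");
            appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "sig1");

            if (!dropDictionaryTime) {
                // Option 1 from the answer: keep /M, but push it slightly into the future.
                Calendar signDate = Calendar.getInstance();
                signDate.add(Calendar.MINUTE, 2);
                appearance.setSignDate(signDate);
            }

            ExternalSignatureContainer container = new ServiceContainer(service, dropDictionaryTime);
            // 8192 bytes is the space reserved for the CMS; raise it if the service returns
            // a container with a long chain, OCSP responses or a timestamp token.
            MakeSignature.signExternalContainer(appearance, container, 8192);
        } finally {
            os.close();
            reader.close();
        }
    }
}
```

Call `ServiceSigning.sign("in.pdf", "out.pdf", client, true)` to get the /M-free variant the answer prefers, or with `false` for the future-dated /M. Of the two, dropping /M is the more robust choice: it removes the second, unsigned time value rather than trying to guess how long the service will take to issue the certificate.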
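To see the mismatch the answer describes before Acrobat does, the following added check reads both signing times and the signer certificate's validity window from a signed PDF and reports whether they agree. It is not code from the question or from iText; it assumes iText 5.5.x with BouncyCastle on the classpath, an adbe.pkcs7.detached or ETSI.CAdES.detached subfilter (the legacy adbe.x509.rsa_sha1 form has no CMS container and is not handled), and the class and method names are this example's own.

```java
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfDate;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfString;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;

public class SigningTimeCheck {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        PdfReader reader = new PdfReader(args[0]);
        try {
            AcroFields fields = reader.getAcroFields();
            for (String name : fields.getSignatureNames()) {
                System.out.println(report(fields, name));
            }
        } finally {
            reader.close();
        }
    }

    static String report(AcroFields fields, String name) throws Exception {
        PdfDictionary sigDict = fields.getSignatureDictionary(name);

        // (a) Signing time in the signature field value dictionary (/M), the unsigned value.
        PdfString m = sigDict.getAsString(PdfName.M);
        Calendar dictTime = (m == null) ? null : PdfDate.decode(m.toString());

        // (b) signingTime signed attribute inside the CMS. A PdfPKCS7 built straight from
        // /Contents knows only the container, so this value cannot come from /M. If a
        // timestamp token is embedded, iText reports the token's time here instead.
        PdfString contents = sigDict.getAsString(PdfName.CONTENTS);
        PdfName subFilter = sigDict.getAsName(PdfName.SUBFILTER);
        PdfPKCS7 cms = new PdfPKCS7(contents.getOriginalBytes(), subFilter, null);
        Calendar cmsTime = cms.getSignDate();

        // (c) Integrity of the covered byte ranges and the signer certificate's window.
        PdfPKCS7 verified = fields.verifySignature(name);
        boolean intact = verified.verify();
        boolean wholeDoc = fields.signatureCoversWholeDocument(name);
        X509Certificate signer = verified.getSigningCertificate();

        StringBuilder sb = new StringBuilder("Signature ").append(name).append('\n');
        sb.append("  integrity ok:      ").append(intact).append('\n');
        sb.append("  covers whole doc:  ").append(wholeDoc).append('\n');
        sb.append("  /M (dictionary):   ").append(fmt(dictTime)).append('\n');
        sb.append("  CMS signingTime:   ").append(fmt(cmsTime)).append('\n');
        sb.append("  cert notBefore:    ").append(signer.getNotBefore().toInstant()).append('\n');
        sb.append("  cert notAfter:     ").append(signer.getNotAfter().toInstant()).append('\n');
        sb.append("  verdict:           ")
          .append(classify(dictTime, cmsTime, signer.getNotBefore(), signer.getNotAfter()));
        return sb.toString();
    }

    /** Pure comparison of the dates, kept separate so it can be exercised without a PDF. */
    static String classify(Calendar dictTime, Calendar cmsTime, Date notBefore, Date notAfter) {
        List<String> findings = new ArrayList<>();
        if (dictTime != null && outside(dictTime.getTime(), notBefore, notAfter)) {
            findings.add("/M lies outside the certificate validity: validators using /M will reject");
        }
        if (cmsTime != null && outside(cmsTime.getTime(), notBefore, notAfter)) {
            findings.add("CMS signingTime lies outside the certificate validity");
        }
        if (dictTime != null && cmsTime != null
                && dictTime.getTimeInMillis() != cmsTime.getTimeInMillis()) {
            findings.add("two different signing times: validators preferring /M and validators "
                       + "preferring the CMS attribute will disagree");
        }
        return findings.isEmpty() ? "consistent" : String.join("; ", findings);
    }

    private static boolean outside(Date t, Date notBefore, Date notAfter) {
        return t.before(notBefore) || t.after(notAfter);
    }

    private static String fmt(Calendar c) {
        return (c == null) ? "absent" : c.getTime().toInstant().toString();
    }
}
```

Run it as `java SigningTimeCheck signed.pdf`. For the document in the question it should report /M before the certificate's notBefore and two differing signing times, which is exactly the condition that makes one validator show a green check and another the "not yet valid" message. A document fixed with option 2 from the answer shows /M as absent and only the CMS time.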