There was a problem with the PAdES signing code sample.

[projackRK]

I have tested this code from Document

but i got this error
"pyhanko.sign.general.SigningError: Attempting to sign document with hybrid cross-reference sections while hybrid xrefs are disabled"
My Pdf is version 1.7 and 1.6
FullCode
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
from pyhanko.sign import signers, timestamps
from pyhanko.sign.fields import SigSeedSubFilter
from pyhanko_certvalidator import ValidationContext

Load signer key material from PKCS#12 file

This assumes that any relevant intermediate certs are also included

in the PKCS#12 file.

signer = signers.SimpleSigner.load_pkcs12(
pfx_file='test.pfx', passphrase=b'BvYYCHURjG97'
)

Set up a timestamping client to fetch timestamps tokens

timestamper = timestamps.HTTPTimeStamper(
url='https://tsa.xxxx.ac.th/tsa/get.aspx'
)

Settings for PAdES-LTA

signature_meta = signers.PdfSignatureMetadata(
field_name='Signature', md_algorithm='sha256',
# Mark the signature as a PAdES signature
subfilter=SigSeedSubFilter.PADES,
# We'll also need a validation context
# to fetch & embed revocation info.
validation_context=ValidationContext(allow_fetching=True),
# Embed relevant OCSP responses / CRLs (PAdES-LT)
embed_validation_info=True,
# Tell pyHanko to put in an extra DocumentTimeStamp
# to kick off the PAdES-LTA timestamp chain.
use_pades_lta=True
)

with open('test.pdf', 'rb') as inf:
w = IncrementalPdfFileWriter(inf)
with open('output.pdf', 'wb') as outf:
signers.sign_pdf(
w, signature_meta=signature_meta, signer=signer,
timestamper=timestamper, output=outf
)

[MatthiasValvekens]

Hi @projackRK, this is a standard safety measure to disallow signing hybrid xref files by default, since those files can be parsed in more than one way, leading to ambiguity (and therefore potential security issues). Unfortunately, some software still regularly produces such files (MS Word, for example). If you don't care about this, simply pass strict=False to the IncrementalPdfFileWriter.

(I should probably reword that error message to make that a bit more obvious)

[projackRK]

Enough to give an example of using signer_key_usage? I still don't understand how to use this param.><"

[MatthiasValvekens]

Try passing in

signer_key_usage={'digital_signature'}

as a parameter to PdfSignatureMetadata.

[projackRK]

Have this Error
pyhanko_certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate contains the following unsupported critical extension: 1.3.6.1.4.1.311.21.10
From "signer_key_usage={'digital_signature'}"

[MatthiasValvekens]

Ah, that's a different issue. Your certificate contains a proprietary Microsoft extension that pyHanko does not support (seems to be something policy-related according to a quick google search). The extension is marked as critical, so pyHanko's validator rejects the certificate (as it is required to do per RFC 5280).

Currently there's no easy way to hook into the validator to implement support for custom extensions, but you can cheat by adding it to the list and replacing this constant: https://github.com/MatthiasValvekens/certvalidator/blob/1c82ddf645a70ecd6871f54c6ef01f6935e28157/pyhanko_certvalidator/validate.py#L920-L937 (don't do that unless you know what you're doing, though). Perhaps disabling validation data embedding is the easiest way forward. You can still fetch OCSP responses manually, if necessary.

[projackRK]

Oh, I get it. thank you very much.