Adding second signature invalidates the first one #239
Replies: 3 comments 1 reply
-
Excellent question and good job investigating this. First off, the array you mention has to be reserialised to add an extra annotation to accommodate the new signature (to be fair, that's one of those hidden "it's not in the spec but it breaks stuff in Acrobat if you don't" kind of rules). I'm not sure if that's what's causing validation to fail, but it could be related. I'll need some time to investigate that. If this is the cause, though, then there's a nonzero chance that making all annotations indirect objects prior to adding the first signature is enough to get this working... Will get back to you once I've had the chance to properly dissect your documents.
-
We tried to sign the offending pdf with adobe-sign and their own product also outputs invalid signatures. But comparing is probably useless, because they do modify the original pdf to a great extent. So this is a bug with Adobe validation, I would say.
-
Same problem, sadly there is no solution for this.
-
With my limited experience with pdfs, I will write my observations on a pdf generated with Google Docs and how signing it twice with pyHanko leads to a validation error in Acrobat Reader. This might be a bug in Acrobat, but might also be pyHanko; I am not sure.
In this pdf /Annots is an indirect reference to object number 9.
Object 9 is a list with one harmless /Type /Annot /Subtype /Link dict.
When signing the document, object 9 is "replaced" with the incremental update.
The first element is the same one as in the body but the semantics are different.
The second element is an indirect reference to the signature annot and is most likely not the problem.
Original (whitespace removed for readability)
Incrementally updated
The difference in particular is in whitespace and that # is written as \043.
Could this be a bug in Adobe, or is there something I do not know about pdfs?
I hope you could have a look please.
I also tried replacing the offending annot with empty spaces and signing that. Acrobat then says both sigs are ok, but the first one has "1 Miscellaneous change". I also tried adding more incremental signatures and then only the last one is valid and all previous have problems (invalid or "1 Miscellaneous change" respectively).
When signing the offending pdf with the Ascertia product, the result reported by Adobe is also invalid.
The link annotation might be somehow related to the stream in object 6 but I did not investigate further.
Adding pdfs for reference.
kinda_bad.pdf
kinda_good.pdf
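The `#` versus `\043` difference reported in the last post can be checked with a small decoder for PDF literal strings, which shows that the two spellings are different bytes on disk but the same string value. This is an added example, not code from the thread or from pyHanko; it assumes the `#` sits inside a literal string (the only place the `\043` octal form applies), and the two sample URI strings are constructed, not taken from the attached PDFs.

```python
# Constructed samples: the same link target as two different serialisations.
ORIGINAL = rb"(https://example.com/doc#heading=h.1)"
UPDATED = rb"(https://example.com/doc\043heading=h.1)"

# Single-character escapes allowed after a backslash in a PDF literal string.
_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8,
            ord("f"): 12, ord("("): 40, ord(")"): 41, ord("\\"): 92}
_OCTAL = b"01234567"


def decode_literal_string(token: bytes) -> bytes:
    """Return the byte value of a PDF literal string token such as b'(abc)'."""
    if not (token.startswith(b"(") and token.endswith(b")")):
        raise ValueError("not a PDF literal string")
    body, out, i = token[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i]
        i += 1
        if c != 0x5C:                      # ordinary byte, copied as-is
            out.append(c)
            continue
        if i >= len(body):                 # lone trailing backslash is ignored
            break
        c = body[i]
        if c in _OCTAL:                    # \d, \dd or \ddd octal escape
            j = i
            while j < len(body) and j < i + 3 and body[j] in _OCTAL:
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)
            i = j
        elif c in (10, 13):                # backslash + EOL: line continuation
            i += 2 if body[i:i + 2] == b"\r\n" else 1
        else:                              # named escape, or unknown escape
            out.append(_ESCAPES.get(c, c)) # (backslash dropped, char kept)
            i += 1
    return bytes(out)


def compare(a: bytes, b: bytes) -> tuple[bool, bool]:
    """Return (byte-identical, same decoded value) for two string tokens."""
    return a == b, decode_literal_string(a) == decode_literal_string(b)


if __name__ == "__main__":
    same_bytes, same_value = compare(ORIGINAL, UPDATED)
    print(f"byte-identical: {same_bytes}, same value: {same_value}")
```
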