How to technically distinguish a digital signature and and a digital seal with pyhanko?

[tuelle]

Hi,
we are using pyhanko for quite some time now and it is a great library. That said, we encountered a problem when we started to certify official documents like Standard Operating Procedures or forms with Adobe Acrobat. After editing such a document, we certify it ("invisible certify" in Adobe Acrobat) based on a digital certificate. When opened in Acrobat Reader, a ribbon (like a seal) is displayed. So it is handled differently than a digital signature by Acrobat Reader.

Does anybody know how to distinguish a seal from a digital signature with pyhanko?

Use-case: We have a pyhanko bsed tool that coordinates the signing order of documents in our company. The tool checks if a certain person has already signed. If yes the next one is invited to sign. It might be that the author of a document, let's say a purchase form, applied a seal with his name/certificate before he published the new form. He might later sign a concrete purchase order with the same certificate. Now the order has a seal and a digital signature both based on the same certificate. We need to technically distinguish the seal and the digital signature so that our tool does not classify the seal as an approval signature.

Thanks for your support

[MatthiasValvekens]

Hi @tuelle

From your description, I assume that by "digital seal", you mean the thing that shows up with a blue "Certified by..." ribbon in Acrobat, and not the notion that is referred to as "electronic seal" in eIDAS.

The standard term for those in PDF-land is "certification signature". Here are two ways to identify those:

• The quickest way to figure out if a document contains such a signature is to check for the existence of root['/Perms']['/DocMDP']. This will be a reference to the signature dictionary of the certification signature. Note that the presence of this entry is strictly speaking not a requirement spelled out black-and-white in the standard, but it is "de facto" mandatory because many popular implementations (Acrobat, mainly) require it.
• If you're already enumerating signatures using pyHanko's embedded_signatures API, you can also check emb_sig.sig_object['/Reference'] and look for a dictionary with /TransformMethod /DocMDP.

It's also a requirement of the standard that a certification signature always come first. In other words, in any given document there can be at most one certification signature, and it must come before all approval signatures (if any).

Hope that helps. :)

[tuelle]

Thank you for the comprehensive answer! Informative and practical as always.
Thorsten