Signing with PAdES and certify=true #293
Replies: 2 comments
-
Will comment in detail (and with actual citations) once I'm back on my feet (currently recovering from illness), but this is a known issue in Acrobat. Adobe's implementation does not take into account the PAdES "DocMDP escape hatch" clause that defines post-signing PAdES-related changes as out of scope for the purposes of this validation. All of this is arguably symptomatic of a design flaw in PAdES (or even PDF signing in general!), but either way it makes combining PAdES with certification signatures a bit painful. The reason why issues like this don't easily rise to the surface is because DocMDP validation is such a massive quagmire that very few implementers even bother with it in the first place. (For the record, there's some ongoing effort in the industry to do something about that, but it's a very slow process.) Currently the most straightforward "workaround" is to use DocMDP level 2. (EDIT: or, if you're willing to live with never being able to "upgrade" to PAdES-B-LTA, it's possible to put all the PAdES DSS changes in the signed revision in many cases... Kinda defeats the purpose of the DSS, but if it works...)
-
Thank you for responding so quickly. I hope you have a swift and full recovery. Your response, although not detailed, is very helpful to me as I am unfamiliar with these terms. Thank you very much for your work, it has been very useful to me. Best regards
-
Hello everyone,
I hope you are all doing well. I'd like to share an inquiry I have regarding an issue I encountered while using PyHanko with PAdES and the certify=True option. I am facing a problem where Adobe Reader displays a change error when attempting to open the signed document.
Issue Description:
When using PyHanko to digitally sign a PDF document with the PAdES profile and setting certify=True, the whole process runs fine and returns success, but the resulting signed document displays an error in Adobe Reader, indicating that changes were made to the document after signing. The error prompts the user to validate the signature, which can be misleading and inconvenient, as the document hasn't been altered.
This is my metadata configuration
and I sign the document in one step:
If I remove certify=True, the signature is valid without any problem, but it does not appear as certified.
Expected Behavior:
Ideally, the document should be successfully signed using PyHanko with the certify=True option, and when opened in Adobe Reader, it should not show any change errors, ensuring a smooth and seamless user experience.
Possible Causes:
At this point, I suspect that the issue might be related to the specific configuration of PyHanko or how the certify=True option interacts with PAdES. It could also be related to how Adobe Reader handles certified signatures and the associated trust chain.
Request for Assistance:
I would highly appreciate any insights, advice, or solutions you might have encountered to address this particular issue. If any of you have successfully implemented PyHanko with certify=True in the PAdES profile without facing Adobe Reader change errors, kindly share your configuration or any relevant tips. Additionally, if you have identified the root cause of this issue or have any suggestions for troubleshooting, I would be grateful for your input.
Thank you all for your time and consideration. I'm looking forward to your responses and hope we can collaboratively find a resolution to this problem.
Best regards,
David
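The symptom David describes (a certified PAdES signature that Acrobat reports as "changed after signing") and the mechanism in the maintainer's reply (the DSS for PAdES-B-LT lands in an incremental update after the signed revision, and a validator that ignores the PAdES escape hatch then sees a DocMDP violation) can both be checked directly on the bytes of the output file. The following is an added example, not pyHanko's code nor anything from the thread: it reads the first signature's /ByteRange, the DocMDP /P level, and the %%EOF markers, and reports whether a revision carrying a /DSS was appended after the signed extent. The sample PDF it builds is constructed and schematic (no valid xref tables, a zero-filled /Contents placeholder), so it exists only to exercise the checks; all object numbers and names in it are assumptions.

```python
import re
import sys
from typing import Optional

# Regexes over raw bytes. Signature dictionaries cannot live in object
# streams (their /ByteRange refers to absolute file offsets), so plain
# pattern matching is enough for these particular fields.
_EOF_RE = re.compile(rb"%%EOF\r?\n?")
_BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
_DOCMDP_P_RE = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+(\d)", re.S)

# Fixed-width placeholder so filling in the real offsets does not move anything.
_BR_PLACEHOLDER = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"


def build_sample(docmdp_level: int, dss_in_separate_revision: bool) -> bytes:
    """Constructed sample: a certified signature revision, optionally followed
    by an incremental update that adds a /DSS (the PAdES-B-LT pattern).
    Schematic only: no xref tables, placeholder CMS blob, assumed object numbers."""
    contents = b"<" + b"00" * 32 + b">"  # placeholder, not a real CMS signature
    prefix = (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R "
        b"/AcroForm << /Fields [3 0 R] /SigFlags 3 >> /Perms << /DocMDP 4 0 R >> >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /FT /Sig /T (Signature1) /V 4 0 R >> endobj\n"
        b"4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
        b"/Reference [ << /Type /SigRef /TransformMethod /DocMDP "
        b"/TransformParams << /Type /TransformParams /P " + str(docmdp_level).encode()
        + b" /V /1.2 >> >> ]\n" + _BR_PLACEHOLDER + b"\n/Contents "
    )
    tail = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # /ByteRange covers the whole revision except the /Contents hex string.
    byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (
        0, len(prefix), len(prefix) + len(contents), len(tail))
    signed_revision = prefix.replace(_BR_PLACEHOLDER, byte_range) + contents + tail
    if not dss_in_separate_revision:
        return signed_revision
    dss_update = (  # incremental update appended after the signed bytes
        b"5 0 obj << /Type /DSS /Certs [] /OCSPs [] /CRLs [] >> endobj\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /DSS 5 0 R >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return signed_revision + dss_update


def revision_ends(pdf: bytes) -> list:
    """Offsets just past each %%EOF marker: one per (incremental) revision."""
    return [m.end() for m in _EOF_RE.finditer(pdf)]


def signed_extent(pdf: bytes) -> Optional[int]:
    """End offset of the bytes covered by the first signature's /ByteRange."""
    m = _BYTERANGE_RE.search(pdf)
    if m is None:
        return None
    _start, _gap_start, after_start, after_len = (int(g) for g in m.groups())
    return after_start + after_len


def docmdp_level(pdf: bytes) -> Optional[int]:
    """/P of the DocMDP transform (1, 2 or 3), or None if the signature is not a certification."""
    m = _DOCMDP_P_RE.search(pdf)
    return int(m.group(1)) if m else None


def analyse(pdf: bytes) -> dict:
    level = docmdp_level(pdf)
    extent = signed_extent(pdf)
    ends = revision_ends(pdf)
    later = [e for e in ends if extent is not None and e > extent]
    post_sig_bytes = pdf[extent:] if extent is not None else b""
    return {
        "certified": level is not None,
        "docmdp_level": level,
        "revisions": len(ends),
        "post_signature_revisions": len(later),
        "dss_added_after_signing": b"/DSS" in post_sig_bytes,
        # /P 1 means "no changes at all"; a validator that does not apply the
        # PAdES escape hatch for DSS/timestamp updates flags any later revision.
        "strict_docmdp_violation": level == 1 and bool(later),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # run against a real signed file
        with open(sys.argv[1], "rb") as f:
            print(analyse(f.read()))
    else:
        for level, separate in ((1, True), (2, True), (1, False)):
            print(f"/P {level}, DSS in separate revision={separate}:",
                  analyse(build_sample(level, separate)))
```

Run it as `python check_docmdp.py signed.pdf` on the file pyHanko produced: `post_signature_revisions > 0` together with `dss_added_after_signing` is the layout the reply describes, and `strict_docmdp_violation` is what a validator without the escape hatch will object to. The check only looks at the first /ByteRange, so for documents with several signatures or a separate document timestamp, extend it to walk every /ByteRange and compare each signed extent against the revision boundaries.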