Digital Signature Certificate Build Chain

Hello

I was wondering if there is a function or code in Syncfusion equivalent to the .NET Framework for building a signature certificate chain using parameters like RevocationMode/RevocationFlag/VerificationTime to check if it is valid or not, as the native code sometimes works and builds successfully and sometimes gets the error RevocationStatusUnknown/OfflineRevocation when testing the same file on the same PC.


The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.


I am using ASP.NET Framework 4.6 WebForms.


Dim ch As New X509Chain()
Dim chBuild As Boolean = False
Try
    ' Check revocation online for every certificate in the chain
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Online
    ch.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain
    ' Note: TimeSpan(Int64) takes 100-nanosecond ticks, so this timeout is 2 ms
    ch.ChainPolicy.UrlRetrievalTimeout = New TimeSpan(20000)
    ch.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag
    ' Validate the chain as of the time the PDF was signed
    ch.ChainPolicy.VerificationTime = SignatureField.Signature.SignedDate
    chBuild = ch.Build(cer)
Catch ex As Exception
    TextBox1.Text = ex.Message
End Try
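An added example, not the poster's or Syncfusion's code: the same chain policy in C#, with the retrieval timeout expressed in seconds (`New TimeSpan(20000)` is 20000 ticks, that is 2 ms, far less than an online CRL or OCSP fetch normally needs) and the chain status sorted so that "certificate revoked" is kept apart from "revocation server could not be reached". The names `ChainCheck`, `Check` and `Verdict` are hypothetical, the certificate is a self-signed one constructed for the demo, and `CertificateRequest` assumes .NET Framework 4.7.2+ or .NET Core 2.0+.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck   // hypothetical helper, not a framework or Syncfusion type
{
    public enum Verdict { Trusted, Revoked, RevocationUnavailable, OtherFailure }

    // Status flags that mean "the revocation lookup itself failed".
    const X509ChainStatusFlags Unavailable =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Builds the chain as of the signing time and classifies the outcome.
    public static Verdict Check(X509Certificate2 signer, DateTime signedAt, out string detail)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            // TimeSpan.FromSeconds avoids the ticks constructor used in the post.
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(20);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Validate as of the signing time, as the posted code does.
            chain.ChainPolicy.VerificationTime = signedAt;

            bool built = chain.Build(signer);

            // Merge the per-element status flags into one value.
            X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
            foreach (X509ChainStatus s in chain.ChainStatus) flags |= s.Status;
            detail = string.Join("; ", chain.ChainStatus.Select(
                s => s.Status + ": " + (s.StatusInformation ?? "").Trim()));

            if (built) return Verdict.Trusted;
            if ((flags & X509ChainStatusFlags.Revoked) != 0) return Verdict.Revoked;
            // Only the lookup failed: a network or timeout problem, not a
            // statement about the certificate. Retry or fail closed; do not
            // report the signature as revoked.
            if ((flags & Unavailable) != 0 && (flags & ~Unavailable) == 0)
                return Verdict.RevocationUnavailable;
            return Verdict.OtherFailure;
        }
    }

    static void Main()
    {
        // The constructor used in the post counts 100 ns ticks.
        Console.WriteLine("New TimeSpan(20000) = {0} ms",
            new TimeSpan(20000).TotalMilliseconds);

        // Constructed sample input: a throwaway self-signed certificate.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=Constructed Test Signer", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 cert = request.CreateSelfSigned(now.AddDays(-1), now.AddDays(30)))
            {
                string detail;
                Verdict verdict = Check(cert, DateTime.Now, out detail);
                Console.WriteLine("{0} ({1})", verdict, detail);
            }
        }
    }
}
```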



51 Replies

IJ Irfana Jaffer Sadhik Syncfusion Team August 9, 2022 01:49 PM UTC

Hi Jacobs,


We have checked the reported issue with our test certificate on our end, but it's working properly. We were unable to reproduce the reported behavior with the provided details on our end, since you said it is occurring randomly on your end. We suspect that the issue may be due to the particular certificate file. We request you to share the certificate file with the password, complete code snippet, environmental details (bit version, culture settings, RAM, etc.), and input PDF document to reproduce the issue on our end, so that it will be helpful for us to assist you further on this.



Regards,

Irfana J.



JA Jacobs August 10, 2022 08:37 AM UTC

Thanks for your reply... As I mentioned, it occurs randomly with this code, so I was asking if you have a certain function in Syncfusion that I could use instead.


I came across the function ValidateSignature() and the returned class PdfSignatureValidationResult, which contains many helpful properties like IsValidAtCurrentTime / IsValidAtSignedTime / IsValidAtTimeStampTime.

However, some properties are not accurate, like:

IsSignatureValid always returns true; however, Adobe Reader shows Invalid if the signature is invalid.

SignatureStatus always returns unknown; however, if the certificate chain is installed in the user Windows store (root/intermediate) and I set the Adobe preferences to use Windows integration in the verification process, the signature is shown as verified instead of unknown (see screenshot).

Note that adding the certificate chain to the user Windows store makes the .NET chain build code build successfully with a trusted root.

RevocationResult.IsRevokedCRL always returns false, even when a PDF is signed by a revoked certificate token.

The previous .NET code chain.build works properly in this case and returns a false build with the error "The certificate is revoked"; Adobe Reader also shows that it is indeed revoked.

See the attached PDF document and screenshots.




Attachment: testrevoked_42069518.zip


IJ Irfana Jaffer Sadhik Syncfusion Team August 11, 2022 12:39 PM UTC

Hi Jacobs,


We were able to reproduce the reported behavior with the provided details on our end. Currently we are validating this and will provide further details on August 16th, 2022.

Meanwhile, we request you to share the revocation certificate that you use on your end in order to provide you the most precise solution, and this will help us to assist you further on this.


Regards,

Irfana J.



JA Jacobs August 11, 2022 01:38 PM UTC

Thanks for your reply, 


I am not sure what you need, but the PDF is an old file signed with a revoked USB token for testing, which requires physical hardware for digital signing. What I do to validate the signature is: I just export the root and intermediate certificates from the PDF file using Adobe Reader, then I import them into the user Windows store in the root and intermediate stores. That lets Adobe verify the signature in the PDF after setting the Windows integration settings as I previously described, and it tells me if it is revoked or not.

And it uses the CRL file published online at the link that appears in the CRL distribution points of each certificate in the certificate chain in order to check if each certificate

and I think if the CRL is embedded in the document, it performs the validation using the embedded CRL instead of online.






IJ Irfana Jaffer Sadhik Syncfusion Team August 12, 2022 01:06 PM UTC

Hi Jacobs,

Thanks for the details,


We have tried to replicate the reported problem on our end with the provided details by exporting the certificate and installing it into the Windows store as you mentioned. But we regret to let you know that we are unable to meet the reported problem as you mentioned in this ticket. The shared PDF document shows the signature is valid. Also, we could not find any intermediate certificates as you mentioned in the shared PDF document. We request you to share the below details to investigate the problem further on our end.


  1. Document generation code
  2. Root and intermediate certificates.
  3. Windows store configuration

SignatureStatus always returns unknown however if certificates chain are installed in user windows store(root/intermediate) and i set the adobe preferences to use windows integration in verification process the signature is shown verified instead of unknown see screenshot

The signature status API will be “valid” when passing the root certificate during the signature validation. Otherwise, the signature status is marked as “Unknown” for a signature valid document.


Please refer to the UG documentation about signature validation,

https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature?cs-save-lang=1&cs-lang=csharp#digital-signature-validation


However, we can have a web meeting to directly investigate the issue on your machine to reproduce the issue with proper files and provide a solution at the earliest. Please let us know your availability for a web meeting next week; we will make every effort to have this scheduled at a time of your convenience.


Note: We work in IST hours.


Regards,

Irfana J.




JA Jacobs August 12, 2022 02:46 PM UTC

Yes, sorry, I tried this file on another PC which does not have the certificates in the Windows store, and the root and intermediate certificates do not appear in the Adobe Reader certificate path, which shows only the signer's certificate. (The PDF was signed by Adobe Reader, not through developed code.)

So I attached the root CA to be imported into the user certificates (Trusted Root Certification Authority folder).

No need to import any intermediate certificates.

Regarding the screenshot you added with the verified signature in Adobe, please don't add the signer's certificate to the Adobe trust center, as it will not check for revocation and it will show the signature as verified.

If you already added it, you can remove it from the Adobe preferences; see the screenshots below.


Also, I didn't try passing the root CA to the ValidateSignature function, so I will try it and inform you if any\all the properties are retrieved correctly.


please check if you need anything else.


before importing root ca



remove trusted certificate if you added it from adobe



after importing root ca



Attachment: Egypt_RootCA_G1_387427f.zip


JA Jacobs August 14, 2022 01:05 PM UTC

I tested the ValidateSignature function and passed the root certificate as you suggested, and the results did not change.



JA Jacobs August 14, 2022 01:14 PM UTC

Also note that the chain build code does not need the root certificate to be passed in the code for a successful result; it just needs the whole chain to be imported in the Windows user certificate store.

Kindly find all certificates attached:

1.Egypt_RootCA_G1 (Trusted Root Certification Authorities)

2.Egyptian GOV-CA Intermediate CA (Intermediate Certification Authorities)

3.Egyptian GOV-CA Issuing CA  (Intermediate Certification Authorities)


Attachment: CertificateChains_4438276e.zip


MK Moorthy Karunanithi Syncfusion Team August 15, 2022 02:08 PM UTC

Hi Jacobs,


Thanks for the details and the certificates,


We were able to reproduce the reported problem after importing root and intermediate certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities as you mentioned. Currently, we are analyzing this behavior and will update the further details on August 17th, 2022.


Regards,

Moorthy K



GK Gowthamraj Kumar Syncfusion Team August 17, 2022 11:27 AM UTC

Hi Jacobs,


We confirmed the issue “PdfSignatureValidationResult and RevocationResult returned incorrect results for the signed Pdf document” as a defect in our product. We will include the fix for this issue in our weekly NuGet release, which will be available on August 30th, 2022.


Please use the below feedback link to track the status of the reported bug.

https://www.syncfusion.com/feedback/37096/pdfsignaturevalidationresult-and-revocationresult-returned-incorrect-results-for


Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release versions, then kindly let us know the version, so that we can provide a patch in that version based on our SLA policy.


Please let us know if you need any further assistance in this.


Regards,

Gowthamraj K



JA Jacobs August 18, 2022 04:42 AM UTC

Thanks

I also want to highlight that if crl is embedded inside the document ... the crl revocation checking should be done offline not online... will that be possible? 



GK Gowthamraj Kumar Syncfusion Team August 18, 2022 09:03 AM UTC

Hi Jacobs,


Thank you for your update.


I also want to highlight that if crl is embedded inside the document .... the crl revocation checking should be done offline not online.... will that be possible?

Yes, we provided initial priority to verify the revocation offline.

 

if the CRL/OCSP is embedded inside the document, then the revocation will be verified offline.

 

if the CRL/OCSP is not embedded, then the revocation will be verified online.


Please refer to the code example to get the CRL embed details below,

// Loads an existing document
PdfLoadedDocument document = new PdfLoadedDocument(fileName);
// Gets the signature field
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
// Validate signature and get validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature();
// Gets the LTV verification Information.
LtvVerificationInfo ltvVerificationInfo = result.LtvVerificationInfo;
// Checks whether the signature document has CRL embedded.
bool isCrlEmbedded = ltvVerificationInfo.IsCrlEmbedded;
// Close the document
document.Close(true);

 


Regards,

Gowthamraj K



JA Jacobs August 18, 2022 01:05 PM UTC

Thanks ... waiting for the new release on  August 30th, 2022 😊



JA Jacobs August 24, 2022 04:09 PM UTC

Dear team,

Can you add a parameter to the ValidateSignature function in order to check revocation either by OCSP or CRL or both or none,

as I have some certificates that have an issue in the OCSP URL, and it takes a long time the first time the function is called and gives an error (see screenshot below),

so I want to check only using CRL and skip OCSP.





GK Gowthamraj Kumar Syncfusion Team August 25, 2022 12:46 PM UTC

Hi Jacobs,

Currently, we are analyzing your requirement on our end and we will update the further details on August 29th, 2022.


Regards,

Gowthamraj K



JA Jacobs August 28, 2022 01:41 PM UTC

Hello

I have another issue with CRL revocation.

The PDF was signed with a certificate that was revoked today 28.8.2022, but it was valid and not revoked at the time of signing 22.09.2021.

Adobe shows that the signature is valid; however, the Syncfusion ValidateSignature function shows

SignatureStatus Invalid

SignatureValidationErrors

The certificate is considered invalid because it has been revoked as verified using CRL that was embedded in the document

and also the CRL is not embedded in the document.

See the screenshots below and the attached PDF and certificate chain.

Import the certificates to the current user Windows certificate store:

1.Egypt_RootCA_G1 (Trusted Root Certification Authorities)

2.MCDR 2019.cer (Intermediate Certification Authorities)





Attachment: files_e3314250.zip



GK Gowthamraj Kumar Syncfusion Team August 29, 2022 01:17 PM UTC

Hi Jacobs,


can you add a parameter to ValidateSignature function in order to check revocation either by ocsp or crl or both or none

as i have some certificates that have issue in ocsp url and it takes a long time while using the function the first time it is called and gives error see screen shot below

so i want to check only using crl and skip ocsp .

 

We have planned to implement the "Support to get specific revocation status with signature validation options." in our weekly NuGet release on September 13, 2022.

 

Kindly use the below feedback link to track the status of the feature,

https://www.syncfusion.com/feedback/37381/support-to-get-specific-revocation-status-with-signature-validation-options

 

pdf was signed with a certificate that was revoked today 28.8.2022 but it was valid and not revoked at the time of signing 22.09.2021

adobe shows that the signature is valid ... however syncfusion ValidateSignature ​function shows

SignatureStatus Invalid

SignatureValidationErrors

The certificate is considered invalid because it has been revoked as verified using CRL that was embedded in the document

and also the crl is not embedded in document

see below screenshots and attached pdf and certificate chain

import certificates to current user windows certificates store

1.Egypt_RootCA_G1 (Trusted Root Certification Authorities)

2.MCDR 2019.cer (Intermediate Certification Authorities)

 

We are analyzing this behavior on our end and we will update the further details on September 1st 2022.


Regards,

Gowthamraj K



GK Gowthamraj Kumar Syncfusion Team August 30, 2022 02:24 PM UTC

Hi Jacobs,


Sorry for the inconvenience caused.


We are unable to include the fix for the reported issue in today's weekly release. Currently, we are working on this “PdfSignatureValidationResult and RevocationResult returned incorrect results for the signed Pdf document” and we will include the fix in our upcoming weekly NuGet release, which will be available on September 6th, 2022.


Please use the below feedback link to track the status of the reported bug,

https://www.syncfusion.com/feedback/37096/pdfsignaturevalidationresult-and-revocationresult-returned-incorrect-results-for


Regards,

Gowthamraj K



JA Jacobs August 30, 2022 02:41 PM UTC

ok thanks ..



GK Gowthamraj Kumar Syncfusion Team September 1, 2022 02:10 PM UTC

Hi Jacobs,


i have another issue with crl revocation

pdf was signed with a certificate that was revoked today 28.8.2022 but it was valid and not revoked at the time of signing 22.09.2021

adobe shows that the signature is valid ... however syncfusion ValidateSignature ​function shows

SignatureStatus Invalid

import certificates to current user windows certificates store

1.Egypt_RootCA_G1 (Trusted Root Certification Authorities)

2.MCDR 2019.cer (Intermediate Certification Authorities)

 

On our last analysis, we found that online retrieved CRL data was revoked. Now we found that the online retrieved CRL data is not revoked anymore and is working as expected.

 

The default signature status is unknown without passing the root certificates. When we pass the root certificate, the status should be valid. Kindly use the following code changes for reference.

// Load the signed document and get its signature field
PdfLoadedDocument document = new PdfLoadedDocument("MCDR valid.pdf");
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
PdfSignatureValidationOptions options = new PdfSignatureValidationOptions();
// Pass the root and intermediate certificates used to establish trust
X509CertificateCollection collection = new X509CertificateCollection();
collection.Add(new X509Certificate2("1.Egypt_RootCA_G1.cer"));
collection.Add(new X509Certificate2("2.MCDR 2019.cer"));
// Validate once, with the certificate collection
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection, options);
SignatureStatus status = result.SignatureStatus;
bool isCRLRevoked = result.RevocationResult.IsRevokedCRL;
document.Close(true);

 

 

SignatureValidationErrors

The certificate is considered invalid because it has been revoked as verified using CRL that was embedded in the document

and also the crl is not embedded in document

We have confirmed that the issue with “Revocation error message is not updated properly.” is a defect. The fix for this issue will be available in our weekly NuGet release on September 12, 2022.

 

Kindly use the below feedback link to track the status of the reported bug, https://www.syncfusion.com/feedback/37461/revocation-error-message-is-not-updated-properly

 


Regards,

Gowthamraj K



GK Gowthamraj Kumar Syncfusion Team September 1, 2022 02:12 PM UTC

Hi Jacobs,


Please ignore the previous reply.

i have another issue with crl revocation

pdf was signed with a certificate that was revoked today 28.8.2022 but it was valid and not revoked at the time of signing 22.09.2021

adobe shows that the signature is valid ... however syncfusion ValidateSignature ​function shows

SignatureStatus Invalid

import certificates to current user windows certificates store

1.Egypt_RootCA_G1 (Trusted Root Certification Authorities)

2.MCDR 2019.cer (Intermediate Certification Authorities)

 

On our last analysis, we found that online retrieved CRL data was revoked. Now we found that the online retrieved CRL data is not revoked anymore and is working as expected.

 

The default signature status is unknown without passing the root certificates. When we pass the root certificate, the status should be valid. Kindly use the following code changes for reference.

// Load the signed document and get its signature field
PdfLoadedDocument document = new PdfLoadedDocument("MCDR valid.pdf");
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
PdfSignatureValidationOptions options = new PdfSignatureValidationOptions();
// Pass the root and intermediate certificates used to establish trust
X509CertificateCollection collection = new X509CertificateCollection();
collection.Add(new X509Certificate2("1.Egypt_RootCA_G1.cer"));
collection.Add(new X509Certificate2("2.MCDR 2019.cer"));
// Validate once, with the certificate collection
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection, options);
SignatureStatus status = result.SignatureStatus;
bool isCRLRevoked = result.RevocationResult.IsRevokedCRL;
document.Close(true);

 

 

SignatureValidationErrors

The certificate is considered invalid because it has been revoked as verified using CRL that was embedded in the document

and also the crl is not embedded in document

We have confirmed that the issue with “Revocation error message is not updated properly.” is a defect. The fix for this issue will be available in our weekly NuGet release on September 13, 2022.

 

Kindly use the below feedback link to track the status of the reported bug, https://www.syncfusion.com/feedback/37461/revocation-error-message-is-not-updated-properly

 


Regards,

Gowthamraj K



GK Gowthamraj Kumar Syncfusion Team September 6, 2022 02:18 PM UTC

Hi Jacobs,

Sorry for the inconvenience caused.


We are unable to include the fix for the reported issue in today's weekly release. Currently, we are working on this PdfSignatureValidationResult and RevocationResult returned incorrect results for the signed Pdf document and we will include the fix in our upcoming weekly NuGet release, which will be available on Sep 13th, 2022.


Please use the below feedback link to track the status of the reported bug,

https://www.syncfusion.com/feedback/37096/pdfsignaturevalidationresult-and-revocationresult-returned-incorrect-results-for


Regards,

Gowthamraj K



JA Jacobs September 6, 2022 03:04 PM UTC

Thanks ... but for the case scenario I described before, it should be fixed in the next release, right?

The signature should be valid (the revocation date should be compared to the time of signing, not the current time).


"PDF was signed with a certificate that was revoked today 28.8.2022 but it was valid and not revoked at the time of signing 22.09.2021 ... adobe reader shows that the signature is valid ... however syncfusion ValidateSignature function shows SignatureStatus Invalid"




GK Gowthamraj Kumar Syncfusion Team September 7, 2022 01:36 PM UTC

Hi Jacobs


On our analysis with the provided document "MCDR valid.pdf". We found that the online retrieved CRL data is not revoked anymore and is working as expected. So we were unable to reproduce the reported behavior from our side. We have already shared these details in our previous update http://www.syncfusion.com/forums/176704/digital-signature-certificate-build-chain?reply=SfkQKL


Kindly provide us with a similar CRL revoked document which is valid in Adobe and invalid in Syncfusion PDF to analyze further on this.


Regards,

Gowthamraj K



JA Jacobs September 7, 2022 01:47 PM UTC

Yes, I know that ... it is now not revoked anymore in the latest CRL update,

but I already sent a screenshot with the wrong validation message that resulted from the code and attached the CRL downloaded on 28.08.2022 to confirm my case


in this reply http://www.syncfusion.com/forums/176704/digital-signature-certificate-build-chain?reply=SfHYUr





IJ Irfana Jaffer Sadhik Syncfusion Team September 8, 2022 12:44 PM UTC

Hi Jacobs,


We have analyzed the provided CRL files “mcdrcrl2019.crl” and “mcdrcrl2019_crldownloaded28.08.2022.crl”; the CRLs are valid (not revoked), so we were unable to reproduce the reported issue on our end. By using the above CRL files the default signature status is “Unknown” and if we provide the root certificates, then the status is “Valid”.

So, we request you to share the revoked CRL files along with the signed document. Also, for checking the behavior in Adobe, we required that type of PDF document to analyze further on our end.


Regards,

Irfana J.



JA Jacobs September 8, 2022 01:03 PM UTC

What I mean is...

In my previous reply with the attachment, the document was signed on 22.09.2021 by a certificate with serialno = 7024.

The CRL downloaded on 28.08.2022 contained a list of revoked certificates including serial no 7024 with revocation date = 28.08.2022.

Adobe shows the signature is valid, which is correct,

while the Syncfusion function showed on 28.08.2022 that it was invalid and the reason is revoked, which is incorrect because the revocation date was after the signing date.


This is what I described before in my previous reply with screenshots and all attached files.



GK Gowthamraj Kumar Syncfusion Team September 9, 2022 02:32 PM UTC

Hi Jacobs,


We were unable to completely understand the issue with the provided details. Kindly create a support ticket in this link. We can have a web meeting to look into the issue directly in your machine and provide the solution at the earliest.


Regards,

Gowthamraj K



JA Jacobs September 9, 2022 02:44 PM UTC

It is the same previous case but the certificate is not revoked anymore after 01.09.2022 in the crl online list

I will try to provide the same case again

"A signed document with a valid certificate then after that the certificate became revoked."



GK Gowthamraj Kumar Syncfusion Team September 12, 2022 02:56 PM UTC

Hi Jacobs,

Thank you for your update. We will wait to hear from you.

Regards,

Gowthamraj K



GK Gowthamraj Kumar Syncfusion Team September 13, 2022 12:53 PM UTC

Hi Jacobs,

We have included the fix for this reported issue with “PdfSignatureValidationResult and RevocationResult returned incorrect results for the signed Pdf document” in our latest weekly NuGet release (20.2.0.49). Please use the below link to download our latest weekly release NuGet,    


NuGet:  https://www.nuget.org/packages/Syncfusion.Pdf.Net.Core/20.2.0.49


Please let us know if you have any concerns on this


Regards,

Gowthamraj K



IJ Irfana Jaffer Sadhik Syncfusion Team September 13, 2022 01:04 PM UTC

Hi Jacobs,

The fix for the reported issue “Revocation error message is not updated properly.” has been included in our weekly NuGet release v20.2.0.49.


We have provided the "Support to get specific revocation status with signature validation options" in our weekly NuGet release v20.2.0.49.


Kindly use the following code snippet for reference,

// Loads an existing document
PdfLoadedDocument document = new PdfLoadedDocument(fileStream);
// Gets the signature field
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
// Signature validation options
PdfSignatureValidationOptions options = new PdfSignatureValidationOptions();
// Sets the revocation validation type
options.RevocationValidationType = RevocationValidationType.CRL;
// Validate signature and get validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature(options);
// Close the document
document.Close(true);


Note: We have not finalized the API “RevocationValidationType”. We will update you if there is any API design or name changes.


Kindly use the following link to download the NuGet package,
https://www.nuget.org/packages/Syncfusion.Pdf.Net.Core/20.2.0.49


Regards,

Irfana J.



JA Jacobs October 2, 2022 08:27 AM UTC

I am sorry to tell you that the revocation message is still incorrect in the latest version.

Latest Official Release : 20.3.0.47 (Volume 3 2022 - September 29, 2022)

Please check again my previous reply in the link below, which describes the issue ... you will find that Adobe Reader shows the signature certificate was revoked in the CRL while Syncfusion says that it is valid.


https://www.syncfusion.com/forums/176704/digital-signature-certificate-build-chain?reply=SfgTVa



GK Gowthamraj Kumar Syncfusion Team October 3, 2022 02:01 PM UTC

Hi Jacobs,

We have checked the provided sample with the input document in our latest Volume 3 NuGet version (20.3.0.47), but it is working properly. We have attached the modified sample for your reference; please try the sample on your end and let us know the result.


Sample : https://www.syncfusion.com/downloads/support/directtrac/general/ze/NetCoreSample1160766175


NuGet link: https://www.nuget.org/packages/Syncfusion.Pdf.Net.Core/20.3.0.47


We request you to share the modified sample and issue screenshot to check this on our end, so that it will be helpful for us.


Regards.

Gowthamraj K



JA Jacobs October 3, 2022 02:51 PM UTC

Thanks, it is working properly in the sample you sent,

and I found the issue in mine: I was calling ValidateSignature two times,

the first time without the root certificate, ValidateSignature(), which gives incorrect results, and the second time with the root certificates, ValidateSignature(collection), which also gives the same incorrect results if it is called after the first one.


If it is called one time only with the root, it gives correct results.





GK Gowthamraj Kumar Syncfusion Team October 4, 2022 06:40 AM UTC

Hi Jacobs,

Thank you for your update and confirmation. We are glad to know that the reported problem is resolved.

We have to use this ValidateSignature(collection) API to validate the signature. The Signature will be validated one time only and the second time we do not perform validation again. Message digest bytes will be changed if we validate the signature again and document mark as changed. So we can verify the signature field only one time.


Please let us know if you need any further assistance in this.


Regards.

Gowthamraj K



JA Jacobs October 23, 2022 12:50 PM UTC

Hi,

I have an issue with the attached file Valid_NOT_Modified.pdf ... Syncfusion shows that the document has been modified; however, Adobe shows that the document has not been modified, which is correct.

PdfSignatureValidationResult.IsDocumentModified True
PdfSignatureValidationResult.ValidationErrors[0] The document has been altered or corrupted since the signature was applied.




Also, another attached file, Invalid.pdf, is shown as invalid in Adobe due to document modification, and in Syncfusion it is shown as a valid signature and not modified.



Attachment: files_c80d9f6d.zip



IJ Irfana Jaffer Sadhik Syncfusion Team October 26, 2022 01:59 PM UTC

Hi Jacobs,


We were able to reproduce the reported behavior with the provided details on our end. Currently, we are validating this and we will provide further details on October 28th, 2022.


Regards,

Irfana J



AG Aribalakrishnan Govindasamy Syncfusion Team October 28, 2022 02:18 PM UTC

Hi Jacobs,


Sorry for the inconvenience caused.


Due to complexity, we are still working on this and we will update further details on November 1st, 2022 without fail.


Regards,

Aribalakrishnan G.



SS Sarasilmiya Shahul Hameed Syncfusion Team November 1, 2022 01:35 PM UTC

On further analysis, we found that the provided document signature is valid in Adobe Reader XI and Foxit readers, and it is invalid in Adobe Reader DC alone. So, we suspect the issue may be on the Adobe Reader DC side. You can refer to the following screenshots for further details.

 

Adobe Reader XI


Foxit Reader:




JA Jacobs replied to Sarasilmiya Shahul Hameed November 1, 2022 01:47 PM UTC

Actually, I think that Adobe Reader has introduced a new security check: if document permissions were modified, then the signature becomes invalid. It was introduced in Adobe Reader DC versions higher than 2021.011.20039,
as it released many versions after this one and all show the same invalid signatures.
Check the screenshots below for another file with the same issue.

Other PDF viewers still didn't update their applications to accommodate this case.

Also, I didn't get a reply regarding the first file that I sent in my previous comment, which has a different issue:

Valid_NOT_Modified.pdf


 





IJ Irfana Jaffer Sadhik Syncfusion Team November 2, 2022 12:55 PM UTC

We have confirmed this to be an issue on our end and the fix for this issue will be available on 8th November 2022.

We confirmed the issue “PdfSignatureValidationResult returned incorrect results for the signed Pdf document” as a defect in our product. We will include the fix for the reported issue in our upcoming weekly NuGet release once our Volume 3 SP1 is rolled out, which we expected in mid-November 2022 tentatively.

 

Note: The date and version will be updated later.


Please use the below feedback link to track the status of the reported bug.

https://www.syncfusion.com/feedback/38801/pdfsignaturevalidationresult-returned-incorrect-results-for-the-signed-pdf



JA Jacobs November 2, 2022 01:05 PM UTC

Thanks a lot, Irfana 😊

Will it fix both issues in the Valid_NOT_Modified.pdf and Invalid.pdf files?

Also this link shows access denied?






JA Jacobs November 9, 2022 09:15 AM UTC

Any updates ?



JA Jacobs November 9, 2022 12:36 PM UTC

I have tried the new version v20.3.0.56 released yesterday, but unfortunately the two files give the same result.

https://help.syncfusion.com/windowsforms/release-notes/v20.3.0.56?type=all#PDF-bug-fixes

  • #I405840 - Signature validation result returns incorrect details when validating the signature document is now resolved.


IJ Irfana Jaffer Sadhik Syncfusion Team November 10, 2022 02:52 PM UTC

Valid_NOT_Modified.pdf 

The fix for the reported issue with “PdfSignatureValidationResult returned incorrect results for the signed Pdf document” will be available on our upcoming weekly NuGet release.

Invalid.pdf

As we said before, the issue is occurring only on the Adobe Acrobat DC version. So, we could not proceed further on this.

Actually i think that adobe reader has introduced a new security checking if document permissions was modified then the signature becomes invalid and it was introduced in adobe reader dc versions higher than 2021.011.20039 as it released many versions after this one and all shows the same invalid signatures check below screen shots for another file with same issue

Other pdf viewers still didn't update their application to accommodate this case.

Based on the screenshot, we found that the document was signed twice, but the previously shared document (invalid.pdf) was signed only once. So we suspect this is not related to permissions. We request you to provide these twice-signed documents so that we can validate further on our end.



JA Jacobs November 10, 2022 03:12 PM UTC

Thanks Irfana for your reply.

Sorry about the invalid.pdf, indeed it has one signature, but I don't think it's an Adobe issue either... Adobe is the top program dealing with PDFs, so we need to know what's wrong with this one, as it shows the following error message and the document seems to be locked from further signing.

There have been changes made to this document that invalidates the signature




Also for the other issue that i mentioned earlier kindly find the file attached

invalidafterchangingpermissionandlock.pdf

which shows invalid due to document permission change.

"Actually I think that Adobe Reader has introduced a new security check: if document permissions were modified then the signature becomes invalid. It was introduced in Adobe Reader DC versions higher than 2021.011.20039, as it released many versions after this one and all show the same invalid signatures.

Other PDF viewers still didn't update their application to accommodate this case."



Attachment: invalidafterchangingpermissionandlock_ff6566c5.zip


AG Aribalakrishnan Govindasamy Syncfusion Team November 15, 2022 03:47 PM UTC

Valid_NOT_Modified.pdf 

We have included the fix for this reported issue with “PdfSignatureValidationResult returned incorrect results for the signed Pdf document” in our latest weekly NuGet release (20.3.0.57). Please use the below link to download our latest weekly release NuGet:

 

NuGet:   https://www.nuget.org/packages/Syncfusion.Pdf.Net.Core/20.3.0.57

 

Please let us know if you have any concerns on this.

Invalidafterchangingpermissionandlock

Sorry for the inconvenience caused.

Due to complexity, we are still analyzing this requirement and we will update further details on November 17th without fail.

 



JA Jacobs November 16, 2022 05:54 PM UTC

Thanks, I will check the new update... but the second PDF, invalid.pdf, which I described above, still has an issue in Adobe DC with this message:

There have been changes made to this document that invalidates the signature... more details in my previous reply.





SN Santhiya Narayanan Syncfusion Team November 18, 2022 11:02 AM UTC

Invalidafterchangingpermissionandlock.pdf


On our further analysis, the provided sample PDF document’s third signature is signed with the certified option with the document permissions. As per the Adobe behavior, we could not add the certified signature on the already signed document. So, the certificate signature is always on top of the list in Adobe Acrobat. Based on this priority, Adobe validates the signatures. Adobe also shows that the first and second signatures are valid when viewing their signed versions. You can refer to the following screenshots for further details.


Signed version of first signature (First Approval):



Signed version of second signature (Second Approval):



Signed version of third signature (Third Approval):



Note: We can view the signed version by right-clicking the signature and choosing the View Signed Version option.


Based on the above screenshots, all three signatures are valid, but when viewing all the signatures it shows the previous signatures as invalid because the last signature is certified with no changes allowed.


As of now, we don’t have support to validate the signatures based on the Adobe behavior, and it needs more analysis work from our end. So, we have logged a feature request for this, and it will be available in one of our upcoming releases. We will update you once the feature is implemented. You can track the feature status using the following feedback.


https://www.syncfusion.com/feedback/39186/improve-the-validation-of-the-pdf-digital-signature-equivalent-to-adobe-acrobat


Invalid.pdf:


On our further analysis, we found that the signature is applied using the lock option that forbids changes. As of now, we don’t have support to validate the signature with these lock options. So we will also consider this implementation at the time of implementing the above case. You can also track the status of the feature using the following feedback.


https://www.syncfusion.com/feedback/39186/improve-the-validation-of-the-pdf-digital-signature-equivalent-to-adobe-acrobat  
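
The "signed versions" discussed in the reply above map onto byte ranges in the file: each signature's /ByteRange ends at the last byte of the revision it signed, and anything a later save appended lies outside it. The Python sketch below is an added example, not part of the thread and not Syncfusion code; `signed_revisions`, `add_signed_revision` and the sample bytes are constructed for illustration, and it reports coverage only, without verifying any signature cryptographically.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_revisions(pdf: bytes) -> list:
    """Return one record per signature, ordered by the revision it signs."""
    out = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        end = c + d  # offset just past the last byte covered by the digest
        well_formed = a == 0 and b <= c and end <= len(pdf)
        out.append({
            "revision_end": end,  # pdf[:end] is that signature's signed version
            "well_formed": well_formed,
            # Bytes after revision_end were added by a later incremental save.
            "appended_bytes": len(pdf) - end if well_formed else None,
            "covers_whole_file": well_formed and end == len(pdf),
        })
    return sorted(out, key=lambda r: r["revision_end"])

def add_signed_revision(pdf: bytes, body: bytes) -> bytes:
    """Constructed helper: append an incremental update with a dummy signature."""
    head = pdf + body + b"<</Type/Sig/ByteRange [0 "
    placeholder = b"0000000000 0000000000 0000000000"  # fixed-width slot
    mid = b"]/Contents "
    contents = b"<" + b"00" * 16 + b">"  # dummy value, excluded from the range
    tail = b">>\n%%EOF\n"
    gap_start = len(head) + len(placeholder) + len(mid)
    gap_end = gap_start + len(contents)
    total = gap_end + len(tail)
    rng = b"%010d %010d %010d" % (gap_start, gap_end, total - gap_end)
    return head + rng + mid + contents + tail

# Constructed sample: two signed revisions followed by an unsigned change.
REV1 = add_signed_revision(b"%PDF-1.7\n", b"1 0 obj (first approval) endobj\n")
REV2 = add_signed_revision(REV1, b"2 0 obj (second approval) endobj\n")
SAMPLE = REV2 + b"3 0 obj (unsigned change) endobj\n%%EOF\n"

if __name__ == "__main__":
    for rec in signed_revisions(SAMPLE):
        print(rec)
```

A non-zero `appended_bytes` on the last signature means the file changed after the final signing; whether that change is permitted depends on the certification or lock settings, which is the part the thread says the library does not yet evaluate.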



JA Jacobs November 18, 2022 11:55 AM UTC

Thanks a lot for your interest in these cases... I really appreciate your efforts, and I will be waiting for the feature release once finished.

