
Using the MySigner.SignedDeferred method (MySigner extends the PdfSigner class as described here) I am able to digitally sign the document with an invisible signature which Adobe Reader validates in the signature panel.

However, when I try to attach an in-document signature visualization to an existing signature as described here, the generated PDF then has a signature panel banner that reads "Signed and all signature are valid but with unsigned changes".

I find this perplexing since before signer.SignExternalContainer is called I do not change the Certification Level, thus ensuring it defaults and thus is not at a level of certified with no changes allowed.


Also the original stamping properties to generate the unsigned PDF (source) uses AppendMode.

Here is the relevant C# code:

PdfReader readerPrepped2 = new PdfReader(pathDestination);

PdfWriter pdfWriter2 = new PdfWriter(pathDestination2);
                           
PdfDocument pdfDocument = new PdfDocument(readerPrepped2, pdfWriter2, new StampingProperties().UseAppendMode());

SignatureUtil signatureUtil = new SignatureUtil(pdfDocument);
PdfAcroForm acroForm = PdfAcroForm.GetAcroForm(pdfDocument, false);

foreach (String name in signatureUtil.GetSignatureNames())
{
    PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(name);
    X509Certificate signerCert = x509Certificate3;

    String signerName = CertificateInfo.GetSubjectFields(signerCert).GetField("CN");
    String issuer = CertificateInfo.GetIssuerFields(signerCert).GetField("CN");                                
    var date = pkcs7.GetSignDate().ToString();
    
    PdfFormField field = acroForm.GetField("Signature");
    PdfFont font = PdfFontFactory.CreateFont(StandardFonts.HELVETICA);
    field.SetFont(font);
    field.SetFontSize(5);
    field.SetModified();
    field.SetVisibility(4);
    
    foreach (PdfWidgetAnnotation pdfWidgetAnnotation in field.GetWidgets())
    {
        pdfWidgetAnnotation.SetRectangle(new PdfArray(new Rectangle(36, 348, 236, 428)));
        // pdfWidgetAnnotation.SetColor([])

        PdfFormXObject form = new PdfFormXObject(new Rectangle(200, 80));
        // form.SetModified();

        Canvas canvas = new Canvas(form, pdfDocument);

        //canvas.SetStrokeColor(ColorConstants.RED);
        canvas.SetFontSize(6);
        canvas.Add(new Paragraph().SetItalic().Add("Signed by:"));
        canvas.Add(new Paragraph()/*.SetBold()*/.Add(signerName));
        canvas.Add(new Paragraph().SetItalic().Add("Date:"));
        canvas.Add(new Paragraph()/*.SetBold()*/.Add(date));
        canvas.Add(new Paragraph().SetItalic().Add("Issuer:"));
        canvas.Add(new Paragraph()/*.SetBold()*/.Add(issuer));
                                                                                                        
        pdfWidgetAnnotation.SetNormalAppearance(form.GetPdfObject());
    }
}

pdfDocument.SetCloseWriter(true);
pdfDocument.SetCloseReader(false);
pdfDocument.Close();

I tried extending the PdfSigner class with a new class called MySigner so as to avoid adding entries to the structure tree. I also tried explicitly designating the CERTIFICATION_LEVEL as PdfSigner.CERTIFIED_FORM_FILLING_AND_ANNOTATIONS (to no avail, as Adobe does not recognize the PDF as digitally signed at all in this scenario). I also tried toggling .SetModified on form and field.

  • Why do you *find this perplexing*? It's simply true, isn't it? As I mention at the end of the answer you reference, I was surprised that there is a scenario in which the Adobe Reader of that time did _not_ mention the later changes. – mkl Feb 10 '23 at 16:19
  • Thank you kindly for your reply mkl, you are obviously the subject matter expert around here on this stuff. I'm perplexed at the behaviour in Reader ... In the article referenced are you saying the only way to avoid the warning is to add a copy of the annotation to a different page while retaining the original invisible signature? – Evan Econo Feb 10 '23 at 23:21
  • *"are you saying the only way to avoid the warning is to add a copy of the annotation to a different page while retaining the original invisible signature?"* - no. In combination with the Acrobat Reader **of that time** (2016) that was a case in which the additional annotations were not mentioned in the signature validation. But **now**, more than 6 years later, that may have changed. Strictly speaking there was a change after signing, so the signature validation should mention it. – mkl Feb 11 '23 at 09:46
  • I see, but in your opinion may I ask is there any other possible way to avoid this "signed and with all signatures valid but with unsigned changes after the last signature" message in this type of situation? A "wet stamp" is now needed but SignDetached hasn't worked so I'm stuck with SignDeferred and I can't apply a "wet stamp" by defining an appearance object early because the signer details aren't retrieved until after the naked signature bytes are fetched back from the 3rd party service. – Evan Econo Feb 11 '23 at 12:54
  • There is no sure way to avoid that. The reason simply is that the message is true. There may temporarily be exploits of weaknesses of the change analysis algorithms of Acrobat but as soon as such an exploit is publicly used, chances are that after a few months the weakness will be fixed. Of course you can add another, invisible signature after the appearance changes... – mkl Feb 11 '23 at 18:50
  • Thank you mkl for clarifying that. Since this is the case, I'm thinking I'll probably just define the wet stamp appearance early with an image and the signer's name (which is known in advance so it doesn't have to be gleaned from the signing data returned from the service). The wet stamp won't have the signing time stamp among other things but they can always click on it to see the signature details as per Adobe Reader. – Evan Econo Feb 12 '23 at 13:29
  • It makes sense to do so. After all, users are expected to only trust the information in the signature panel, not anything printed in the signature appearance. – mkl Feb 12 '23 at 13:41
  • Evan, shall I summarize these comments in an actual answer to your question? – mkl Feb 15 '23 at 07:08
  • mkl, not just yet? Sorry for the delay in replying, something unexpected (a pleasant surprise) happened. I added a few tweaks and did revise the signature field (to give it a "wet stamp" appearance using the PDF widget annotation class). And for some reason my PDF is no longer displaying the above SignaturePanel message but is coming out as all Signatures are valid (with the green checkmark). The wet stamp/signature field is displaying as well. – Evan Econo Feb 15 '23 at 23:09
  • Well, as mentioned, there may be ways to apply changes to the pdf after signing the current Adobe Reader does not report. I wouldn't count on future Adobe Reader versions to keep not reporting that, though. – mkl Feb 16 '23 at 05:45
  • Good point. I'm using a relatively recent version of Adobe Reader (version 22) but the thought of future versions not reporting that is disconcerting. I'm not even sure exactly which modification I did that was responsible for letting it slip through. I am going with the general approach of creating a visible signature before hashing the bytes though in append mode, signing deferred, and then adding the annotation after. Why it didn't work previously but does now I will hopefully pinpoint soon. For now, I plan to leave it and cross the bridge when it comes (future versions impacting it). – Evan Econo Feb 17 '23 at 13:01
  • If you shared earlier and current example files, we might help find the difference. – mkl Feb 17 '23 at 17:28
  • ok, I will try to share soon, the code is a little bent out of shape, I'll try to clean it up first and get back to you – Evan Econo Feb 20 '23 at 17:21
  • I thought I would mention, I did run some tests this morning, and in particular the following two commands I have isolated as responsible for causing the signature panel to read "signed and signatures are valid, but with unsigned changes": `canvas.SetStrokeColor(ColorConstants.RED);` and `canvas.SetBackgroundColor(ColorConstants.RED, flt2);`. When I remove these from the code that alters the signature appearance, the signature panel message reverts to "Signed and signatures are valid". – Evan Econo Feb 28 '23 at 15:14
  • *"two commands I have isolated as responsible"* - okay... weird. But entirely typical for the Adobe Acrobat code that checks the changes after signing. There often seems no rhyme or reason to allowed and disallowed changes there... – mkl Feb 28 '23 at 15:30
  • Another thing is that the changes are being made on the PDF after it has been signedDeferred. First the PDF is signed externally, second signedDeferred (all PDF files are written to disk). That second PDF is the one used to apply the signature appearance changes to (the whole process involves three PDFs: the prepared one whose bytes get hashed, the second one that is signed deferred, and the third one that has the appearance changes applied). When I tried to apply the changes to the PDF just before signDeferred (make it a two-step process) it had the unwanted signature panel message. – Evan Econo Mar 02 '23 at 13:52
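
The comments above turn on one fact: an appearance written in append mode after signing lands in a new revision that lies outside the signature's `/ByteRange`. The following is an added example, not code from the question or from iText, that checks this at byte level; the sample bytes are constructed and only mimic the layout of a signed PDF, and the function names are hypothetical.

```python
import re

# /ByteRange [a b c d]: bytes a..a+b and c..c+d are hashed; the gap between
# them holds the /Contents hex string with the signature container.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes):
    """Return one record per /ByteRange entry found in the raw file."""
    records = []
    for match in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in match.groups())
        signed_end = c + d
        records.append({
            "contents_gap": (a + b, c),
            "signed_end": signed_end,
            "trailing_bytes": len(pdf) - signed_end,
            "covers_whole_file": a == 0 and signed_end == len(pdf),
        })
    return records


def unsigned_tail(pdf: bytes) -> bytes:
    """Bytes after the outermost signed revision; b"" if no signature is found."""
    ends = [r["signed_end"] for r in signature_coverage(pdf)]
    return pdf[max(ends):] if ends else b""


def make_signed_pdf() -> bytes:
    """Constructed sample: a minimal byte layout, not a renderable PDF."""
    contents = b"<" + b"00" * 32 + b">"  # stand-in for the CMS container
    head = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig "
            b"/ByteRange [0 %010d %010d %010d] /Contents ")
    tail = b" >>\nendobj\n%EOF\n"
    gap_start = len(head % (0, 0, 0))  # fixed-width numbers keep offsets stable
    gap_end = gap_start + len(contents)
    return head % (gap_start, gap_end, len(tail)) + contents + tail


# Constructed incremental update, standing in for the widget appearance
# that the question's code appends after signing.
APPEARANCE_UPDATE = b"3 0 obj\n<< /Subtype /Widget /AP << /N 4 0 R >> >>\nendobj\n%EOF\n"

if __name__ == "__main__":
    signed = make_signed_pdf()
    for label, data in (("signed", signed), ("signed + update", signed + APPEARANCE_UPDATE)):
        record = signature_coverage(data)[0]
        print(label, record["covers_whole_file"], len(unsigned_tail(data)))
```

A non-empty tail only shows that a later revision exists; whether a viewer reports it as "unsigned changes" depends on that viewer's change analysis, as the comments above describe.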
