How to add a watermark in a digitally signed pdf using iText library without making signature invalid

Question

I would like to ask if someone could provide a sample c# app using itext library in order to add a watermark to a digitally signed document without making the signature invalid. I have read that some libraries in order to achieve this they use incremental update to the pdf and I wonder if there is a feature like this in the iText library.

Thank you

iText can easily be used to add changes to a PDF in an incremental update (simply look for `append mode` and `iText`). The actual problem for your task is, though, that even in incremental updates only certain changes are allowed, see [this answer](https://stackoverflow.com/a/16711745/1729265). In particular changing page content is strictly forbidden; this disallows the most common ways for adding watermarks. In case of PDFs signed using the most liberal certification signature type or only with approval signatures, though, you still have the option to add a watermark annotation. — mkl, Jul 04 '23 at 13:10
PdfDocument pdfDoc = new PdfDocument(reader, writer, new StampingProperties().UseAppendMode()) . I tried to use append mode to a digitally signed document to add a stamp but the signature changes to invalid — Nick Lazidis, Jul 05 '23 at 07:40
*"I tried to use append mode to a digitally signed document to add a stamp but the signature changes to invalid"* - Then the code you use to add the watermark does something disallowed. For example, your PDF may be certified not to allow any changes. In that case adding a watermark, no matter how you do it, should invalidate the signature. As you neither provide source nor example PDF (before and after watermarking), this is difficult to tell from afar. — mkl, Jul 05 '23 at 10:10
In the following github repository is a console app that takes a digitally signed pdf and creates a new one with a stamp. The signature is made invalid . Please modify the app so that signature is still valid https://github.com/nickosl50/itext_valid_sign — Nick Lazidis, Jul 05 '23 at 13:03
The code in your repository adds content to the static page content. Compare the answer I linked in my first comment: _Changing page content_ of a signed document is _always_ considered **disallowed**. As you apply a disallowed change to a signed document, the signature gets invalidated. — mkl, Jul 05 '23 at 15:43
As far as I can see in the link https://stackoverflow.com/questions/16710439/how-to-add-blank-page-in-digitally-signed-pdf-using-java/16711745#16711745 under the title **Certified with annotations, form fill-in, and digital signatures, allowed** it is mentioned that **Adding or editing annotations** is allowed. Therefore I would like to ask what changes can I make to my project in github so that I can add an image annotation to the odf without making the signature invalid. Thank you very much for your help — Nick Lazidis, Jul 06 '23 at 07:55

score 0 · Answer 1 · answered Jul 06 '23 at 13:54

As already explained in comments, your code

Document doc = new Document(pdfDoc);

// Load the image
iText.Kernel.Pdf.Canvas.PdfCanvas canvas = new iText.Kernel.Pdf.Canvas.PdfCanvas(pdfDoc.GetFirstPage(), true);
iText.Layout.Element.Image image = new iText.Layout.Element.Image(ImageDataFactory.Create(imagePath));

...

// Add the image to the document
doc.Add(image);

adds the image to the static page content. Compare this answer: Changing page content of a signed document is always considered disallowed.

What you may do as long as the signature certification level is annotations, form fill-in, and digital signatures allowed, though, is adding a watermark annotation. You can do so like this:

// Load the image
ImageData imageData = ImageDataFactory.Create(imagePath);

PdfFormXObject appearanceXObject = new PdfFormXObject(new Rectangle(width, height));
PdfCanvas canvas = new PdfCanvas(appearanceXObject, pdfDoc);
canvas.AddImageAt(imageData, 0, 0, false);

PdfDictionary watermarkDictionary = new PdfDictionary();
watermarkDictionary.Put(PdfName.Type, PdfName.Annot);
watermarkDictionary.Put(PdfName.Subtype, PdfName.Watermark);

PdfAnnotation watermark = PdfAnnotation.MakeAnnotation(watermarkDictionary);
watermark.SetRectangle(new PdfArray(new[] { x, y, x + width, y + height }));
watermark.SetFlags(PdfAnnotation.LOCKED | PdfAnnotation.LOCKED_CONTENTS | PdfAnnotation.PRINT);
watermark.SetNormalAppearance(appearanceXObject.GetPdfObject());

var page = pdfDoc.GetFirstPage();
page.AddAnnotation(watermark);

(WatermarkSigned test WatermarkImproved)

It seems working. Thank you very much – Nick Lazidis Jul 10 '23 at 08:31 — Nick Lazidis, Jul 10 '23 at 08:31
Great! You may want to mark the answer as accepted then... – mkl Jul 10 '23 at 12:40 — mkl, Jul 10 '23 at 12:40

K J · Answer 2 · 2023-07-08T00:22:02.287

Beware that when adding over (or under annotations) they are simply file additions that do not have to be printed or protected from removal.

They will not affect the underlying validity of the file it will simply show additional object(s) were appended

The concept of "Signing a file ONCE" (such as used with software applications) is to highlight subsequent changes, thus to confirm there has been no tampering by adding say an alternate signatory or exploit, nor adding anything such as convert the content nor add stamps or other overwriting the original.

How to add a watermark in a digitally signed pdf using iText library without making signature invalid

2 Answers2