I am working on adding signature timestamp support using external TSAs while digitally signing the PDF. I am using PDFBox for my signature implementation. My steps are:

  1. Creating PDDocument and PDSignature instance.
  2. Adding appearance to the signature field as per my requirements.
  3. Configuring PDSignature with values like sub-filter and signDate.
  4. Adding PDSignature to the PDDocument.
  5. Generating Hash of the PDF and getting it signed.
  6. Using this signed digest for getting timestamp token and adding it as unsigned attribute.
  7. Generating the output PDF.

I need to set the date in the signature appearance (in step 2) and also I need to set PDSignature.signDate in step 3. But I am getting the timestamp token in step 6. As per my knowledge, I cannot modify PDSignature.signDate and the date in the signature appearance after step 6. As per my requirements, the signature time should be consistent for a PDF in the unsigned attribute, PDSignature.signDate and in the appearance of the signature field.

Is there a way to make the signature time consistent in the entire signed PDF?

Qazazazaz
  • @mkl any comments? – Qazazazaz Aug 14 '23 at 11:20
  • *"As per my requirements, the signature time should be consistent for a PDF in unsigned attribute, PDSignature.signDate and in appearance of signature field."* - That's unfortunate because - as you noticed yourself - the signature appearance is part of the signed content and, therefore, is created before signing and in particular before creation of the signature time stamp. If your signing and time stamping processes are fairly quick, you can try to time the calls accordingly, which may be likely to work as intended quite often. – mkl Aug 14 '23 at 13:12
  • Another option would be to update the signature appearance in an incremental update. But that only works for a certification level with allowed annotation changes. Furthermore, validators will likely report changes after signing. Many years ago I played around with that option with iText, see [this old answer](https://stackoverflow.com/a/37070234/1729265) for a first impression. – mkl Aug 14 '23 at 13:18
  • Also consider _not_ including the signing time in the signature appearance. Users should look for reliable information about the signature in the signature panel and signature properties anyways, not in the document. The signature appearance is only there to look nice. – mkl Aug 14 '23 at 13:24
  • Thanks @mkl. It's not just about the signature appearance. If I change my local server time, two different times are visible on the same signature panel: one is the signing time, which is the local signing server time, and the other is the trusted embedded timestamp token. But I think there is no option to make it consistent. The user will need to understand that only the trusted embedded timestamp should be considered reliable. The user should not rely on the other timestamp for validity of the document, as it can be changed by changing the local server's time. – Qazazazaz Aug 14 '23 at 20:08
  • You can try to make them very similar by requesting 2 time stamps - one at the start of which you only use the date time value to initialize `PDSignature` with, and one later for embedding. This should make the times differ only slightly. – mkl Aug 15 '23 at 04:46
  • Yes @mkl, that is one of the ways, but I heard timestamp requests are a bit costly. And I would prefer to use the local timestamp rather than making unnecessary requests. Acrobat also works the same way. – Qazazazaz Aug 16 '23 at 06:41
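
The two times discussed in this thread can be compared after signing. The following is an added example, not code from the question or any of the commenters: it reads the claimed signing time (`PDSignature.signDate`, taken from the signing server's clock) and the `genTime` of the embedded signature timestamp token, and reports the difference. It assumes PDFBox 2.0.x and BouncyCastle (bcpkix) on the classpath; the class name `SignTimeSkewCheck` and the `MAX_SKEW` tolerance are hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.Calendar;
import java.util.Date;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.tsp.TimeStampToken;

public class SignTimeSkewCheck {
    // Hypothetical tolerance between the server clock and the TSA clock.
    static final Duration MAX_SKEW = Duration.ofMinutes(5);

    public static void main(String[] args) throws Exception {
        byte[] pdf = Files.readAllBytes(Paths.get(args[0]));
        try (PDDocument doc = PDDocument.load(pdf)) {
            for (PDSignature sig : doc.getSignatureDictionaries()) {
                Calendar claimed = sig.getSignDate();            // /M entry, local server time
                Date trusted = tsaGenTime(sig.getContents(pdf)); // TSA-asserted time
                if (claimed == null || trusted == null) {
                    System.out.println(sig.getName() + ": signDate or timestamp token missing");
                    continue;
                }
                Duration skew = Duration.between(claimed.toInstant(), trusted.toInstant());
                String verdict = skew.abs().compareTo(MAX_SKEW) > 0 ? "SKEW TOO LARGE" : "ok";
                System.out.println(sig.getName() + ": signDate=" + claimed.toInstant()
                        + " tsa=" + trusted.toInstant() + " skew=" + skew + " " + verdict);
            }
        }
    }

    // Returns genTime from the signature timestamp token carried as an unsigned
    // attribute, or null if there is none. This only reads the value; it does not
    // validate the token's signature or the TSA certificate chain.
    static Date tsaGenTime(byte[] cms) throws Exception {
        SignerInformation signer =
                new CMSSignedData(cms).getSignerInfos().getSigners().iterator().next();
        AttributeTable unsigned = signer.getUnsignedAttributes();
        Attribute attr = unsigned == null ? null
                : unsigned.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (attr == null) return null;
        byte[] tst = attr.getAttrValues().getObjectAt(0).toASN1Primitive().getEncoded();
        return new TimeStampToken(new CMSSignedData(tst)).getTimeStampInfo().getGenTime();
    }
}
```

A large skew on a freshly signed file points at a drifting or altered clock on the signing server, which is the case raised in the comments above.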

0 Answers