"Miscellaneous change" in Adobe validation (present with staight python code, not present with CLI)

[KingCZE]

Hi, comparing the CLI results to the python code, I get slightly different results in Adobe validation. (Please be patient, I have almost no experience in coding and I am pretty sure there will be a lot of rubbish in my codes.) Would you know what the difference is and would you know how to achieve a PAdES B-LTA signature without the "Miscellaneous change" when using a python code instead of CLI?

When I sign it using the python code, I get a "Miscellaneous change" in the Adobe verification:

When I sign it with CLI, Adobe does not show any "Miscellaneous change":

The python code for the signature (resulting in "Miscellaneous change"):

from asn1crypto import x509, algos
from asn1crypto.pem import unarmor
from cryptography.hazmat.primitives import hashes

from pyhanko_certvalidator import context
from pyhanko_certvalidator.context import ValidationContext

from pyhanko import stamp
from pyhanko.pdf_utils import text, images
from pyhanko.pdf_utils.font import opentype
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
from pyhanko.sign import fields, signers, pkcs11, PdfSigner, timestamps
from pyhanko.sign.fields import MDPPerm
from pyhanko.sign.pkcs11 import open_pkcs11_session, Mechanism
from pyhanko.sign.general import load_cert_from_pemder

signature_mechanism = Mechanism.SHA512_RSA_PKCS

pkcs11_signer = pkcs11.PKCS11Signer(
    pkcs11_session = pkcs11.open_pkcs11_session(
        lib_location = 'PKCS11 DLL', 
        token_label = 'TOKEN LABEL',
        user_pin = 'PIN',
        ), 
    cert_label = "CERT LABEL ON THE CARD",
    ca_chain = [load_cert_from_pemder('INTERMEDIATE CERT PEM'),
    load_cert_from_pemder('ROOT CERT PEM'),
    ], 
    prefer_pss = False, 
    bulk_fetch = True,  
)

with open('simple.pdf', 'rb') as doc:
    w = IncrementalPdfFileWriter(doc)

    mytimestamp = timestamps.HTTPTimeStamper('http://timestamp.apple.com/ts01')
    
    timestamper = mytimestamp

    meta = signers.PdfSignatureMetadata(
        docmdp_permissions = MDPPerm(1),
        validation_context = ValidationContext(
            crls = [
                unarmor(open('INTERMEDIATE-SIGNER CRL PEM','rb').read())[2],
                unarmor(open('ROOT-INTERMEDIATE CRL PEM','rb').read())[2],
            ],
            
            trust_roots = [
            load_cert_from_pemder('INTERMEDIATE CER - TRUST ANCHOR'),
            load_cert_from_pemder('TIMESTAMP ROOT PEM'),
            ],
            
            extra_trust_roots = [load_cert_from_pemder('ROOT PEM'),
            ],
            other_certs = [
                load_cert_from_pemder('ROOT CER AGAIN, RUBBISH'),
                load_cert_from_pemder('INTERMEDIATE CER AGAIN, RUBBISH'),
                load_cert_from_pemder('INTERMEDIATE TIMESTAMP CER'),
                load_cert_from_pemder('SIGNING TIMESTAM CER, RUBBISH'),
            ],
            allow_fetching = True
        ),
        field_name = 'Signature1',
        subfilter = fields.SigSeedSubFilter.PADES,
        location = 'LOCATION',
        reason = 'REASON',
        contact_info = 'CONTACT',
        md_algorithm = 'sha512',
        certify = False,
        embed_validation_info = True,
        use_pades_lta = True,
    )
    
    pdf_signer = signers.PdfSigner(
        meta, 
        signer = pkcs11_signer, 
        stamp_style = stamp.TextStampStyle(
                
                # the 'signer' and 'ts' parameters will be interpolated by pyHanko, if present
            stamp_text = 'Signed by: %(signer)s\nTime: %(ts)s',
            text_box_style = text.TextBoxStyle(
                font = opentype.GlyphAccumulatorFactory('PATH TO arial.ttf')
            ),
    #        background=images.PdfImage('stamp.png')
        ),
        timestamper = timestamper        
    )

    with open('simple_signed.pdf', 'wb') as outf:
        pdf_signer.sign_pdf(
            w, output=outf
        )

The CLI code resulting in pure signature without the "miscellaneous change":
pyhanko.yml:

logging:
    root-level: ERROR
    root-output: stderr
    level: DEBUG

pkcs11-setups:
    PS-QC:
        module-path: "PKCS11 DLL"
        token-criteria:
            label: "TOKEN LABEL"
        cert-label: "CERT LABEL"
        user-pin: "PIN"
        key-id: "KEY ID"
        key-label: "KEY LABEL"

validation-contexts:
    PS-QC:
        other-certs: 
        - "INTERMEDIATE PEM"
        - "TIMESTAMP INTERMEDIATE PEM"
        trust: 
        - "ROOT PEM"
        - "TIMESTAMP ROOT PEM"
        trust-replace: true

stamp-styles:
    more-complex-demo:
        type: text
        stamp-text: "Signed by ...\n%(ts)s"
        background: "BACKGROUNG PDF"
        background-opacity: 0.5
    noto-qr:
        type: qr
        stamp-text: "Signed by %(signer)s\nTimestamp: %(ts)s"

run with:
pyhanko --verbose sign addsig --field 1/40,700,150,750/Signature1 --style-name noto-qr --stamp-url "mailto:NAME< email >" --timestamp-url http://timestamp.apple.com/ts01 --with-validation-info --validation-context PS-QC --use-pades pkcs11 --p11-setup PS-QC blank.pdf blank_simple.pdf
and
pyhanko --verbose sign ltaupdate --timestamp-url http://timestamp.apple.com/ts01 --validation-context PS-QC blank_simple.pdf


Thanks a lot.