Signature validation failure for european commission DSS #147

Closed
hemil opened this issue Apr 19, 2023 · 6 comments


hemil commented Apr 19, 2023

We came across an issue when using endesive to sign a PDF. When trying to validate a signature here for a European Commission DSS, it throws an error:

        The certificate chain for signature is not trusted, it does not contain a trust anchor.
        The signed attribute: 'signing-certificate' is absent!

These are the sample files I used:
original_file

file_with_signatures

On looking further into the endesive code, I could see that this commit adds the signing-certificate attribute but it isn't there in the latest release.

I wanted to ask regarding your release plan for this commit above.

Please let me know if you could think of an alternate solution to this.
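
The missing 'signing-certificate' signed attribute reported above can be checked locally before a file is uploaded to a validator. The following is an added example, not code from this thread or from endesive: a standard-library DER walker that lists the attribute OIDs in a CMS SignedAttributes set and reports whether an ESS signing-certificate attribute (v1 or v2) is present. The sample bytes are constructed, and extracting the SignedAttributes from a real PDF signature is assumed to happen elsewhere.

```python
# Added example: sample bytes are constructed; function names are hypothetical.
SIGNING_CERT_OIDS = {"1.2.840.113549.1.9.16.2.12",   # id-aa-signingCertificate (RFC 2634)
                     "1.2.840.113549.1.9.16.2.47"}   # id-aa-signingCertificateV2 (RFC 5035)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def signed_attribute_oids(der):
    """List attribute type OIDs; accepts SET (0x31) or implicit [0] (0xA0)."""
    tag, body, _ = read_tlv(der, 0)
    if tag not in (0x31, 0xA0):
        raise ValueError("not a SignedAttributes SET")
    oids, pos = [], 0
    while pos < len(body):
        tag, attr, pos = read_tlv(body, pos)
        otag, oid, _ = read_tlv(attr, 0)
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed Attribute")
        oids.append(decode_oid(oid))
    return oids

def has_signing_certificate(der):
    return any(o in SIGNING_CERT_OIDS for o in signed_attribute_oids(der))

# Constructed samples; the signing-certificate-v2 value is an empty placeholder SEQUENCE.
CONTENT_TYPE = "301806092A864886F70D010903310B06092A864886F70D010701"
WITH_ESS = bytes.fromhex("312D" "3011060B2A864886F70D010910022F31023000" + CONTENT_TYPE)
WITHOUT_ESS = bytes.fromhex("311A" + CONTENT_TYPE)
```

`has_signing_certificate(WITHOUT_ESS)` returns `False`, the condition a validator reports as an absent signing-certificate attribute.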

Owner

m32 commented Apr 19, 2023

Somehow I procrastinated with the next version and I don't know why. Version 2.0.16 generated and uploaded to PyPI.

Author

hemil commented Apr 19, 2023

Thanks @m32. Let me try it again with the new version.

hemil closed this as completed Apr 19, 2023
hemil reopened this Apr 19, 2023
Author

hemil commented Apr 19, 2023

We tried it with the new version. We're no longer getting the "The signed attribute: 'signing-certificate' is absent!" part of the error, but the validation is still failing due to:

        Unable to build a certificate chain up to a trusted list!
        The signature/seal is an INDETERMINATE AdES digital signature!

The error:
image

Do you have an idea regarding the cause of this?

The v16 signed pdf file

Owner

m32 commented Apr 19, 2023

        $ ./pdf-verify-xx.py test_hemil_europa_certs-1.pdf

        test_hemil_europa_certs-1.pdf

        failed certificate verification: The path could not be validated because the end-entity certificate expired 2022-03-18 02:57:35Z

        cert.issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Entrust, Inc.'), ('organizational_unit_name', ['See www.entrust.net/legal-terms', '(c) 2015 Entrust, Inc. - for authorized use only']), ('common_name', 'Entrust Class 3 Client CA - SHA256')])
        cert.subject: OrderedDict([('country_name', 'IN'), ('state_or_province_name', 'Haryana'), ('locality_name', 'Gurgaon'), ('organization_name', 'Draftspotting Technologies Private Limited'), ('common_name', 'Draftspotting Technologies Private Limited'), ('email_address', 'signingops@spotdraft.com')])

        ** signature no: 0 **
        signature ok? True
        hash ok? True
        cert ok? False

Author

hemil commented Apr 20, 2023

My bad. We updated the certificate and tested it. It's throwing the same error.

test_hemil_europa_certs_v16-valid_cert.pdf

image

Owner

m32 commented Apr 20, 2023

It seems to me that the DSS demo does not have up-to-date root certificates. I signed the document with Acrobat Reader and got the same errors.
pdf-1.pdf
pdf.pdf

hemil closed this as completed Apr 21, 2023