'sigandcertify': True results in invalid signature #68

Closed
Wason1797 opened this issue Oct 1, 2020 · 9 comments

@Wason1797

Hi, I was having some problems with cms.sign. I tried running the example with my own cert file which resulted in an invalid signature due to changes to the document.

image

but if I set sigandcertify to False then the signature is perfectly fine:

image

Is there something I am doing wrong?
Or am I not understanding the usage of sigandcertify?

Thanks a lot

@m32
Owner

m32 commented Oct 2, 2020

The document can be certified or only signed, sigandcertify enables document certification. From what I read in the documentation, a pdf document can only be certified once and signed multiple times. Maybe there is some nuance I don't know about. Send me the pdf document you want to certify, I will look for the reason for the error.

@Wason1797
Author

Wason1797 commented Oct 2, 2020

Thanks for the reply.

The issue appears with any pdf I've tried. In the case of the example, it was a blank pdf created with Nitro Pro 10.
It also appears when I try with examples/demo2_user1.p12 so I don't think it is the certificate.

In any case here is the file.
Untitled1.pdf

and the parameters I used

    dct = {
        "aligned": 0,
        "sigflags": 3,
        "sigflagsft": 132,
        "sigpage": 0,
        "sigbutton": True,
        "sigfield": "Signature1",
        "sigandcertify": True,
        "signaturebox": (470, 840, 570, 640),
        "signature": "Wason1797",
        "signature_img": "examples/logo.png",
        "contact": "wbrborich@gmail.com",
        "location": "lol",
        "signingdate": date,
        "reason": "testing",
    }

The error in particular states that some changes have been made to the document after signing, could it be that the process is adding data afterward with sigandcertify?

@m32
Owner

m32 commented Oct 3, 2020

My experience with acrobat reader shows that an invalid file after signing generates strange problems in this program.

Untitled1.pdf is not valid, error (s):
8.1: A Mandatory element is missing, Unable to process an element if it is null.
7.2: Error on MetaData, CreatorTool present in the document catalog dictionary can't be found in XMP information (Property is not defined)
7.11: Error on MetaData, PDF / A identification schema http://www.aiim.org/pdfa/ns/id/ is missing

@m32
Owner

m32 commented Oct 3, 2020

pdf-sign-cms.py has created the file and my acrobat reader is reading it without problems
Untitled1-signed-cms.pdf

@Wason1797
Author

I have checked your file and it gives me the same error with Nitro pro 10.

image

Could it be that Nitro is the main culprit?

@m32
Owner

m32 commented Oct 3, 2020

Maybe it (nitro) is just not able to check the certificate and therefore gives error messages - unfortunately I don't understand them, are they in Spanish? Can you translate them?

@m32
Owner

m32 commented Oct 4, 2020

The same document but signed by a certificate issued by actalis
Untitled1-signed-cms-m32.pdf
for pdf verification use https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation

@Wason1797
Author

In this case Nitro reports: "signature validity is unknown; this document has not been changed since it was signed, or it has changes that were allowed by a previous signee".

image

Maybe it is just a quirk of the program.

The previous errors were: "the revision of this document covered by the signature is unchanged, but there were changes made to the document afterwards".

@m32
Owner

m32 commented Oct 5, 2020

Both documents signed with the same program but with different certificates, and one is marked as a modified document, and the other only unknown signature value?
For me it is definitely not an endesive problem.
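
One way to check independently of any viewer whether bytes were added after a signature, as asked earlier in the thread, is to read the signature's /ByteRange from the raw file. This is an added example, not code from endesive or from the participants; `inspect_signatures`, `is_certified` and `build_sample` are hypothetical names, the sample bytes are constructed, and it assumes the signature dictionary is stored uncompressed.

```python
import re

# /ByteRange [a b c d]: the signature digest covers bytes a..a+b and c..c+d;
# the gap between them holds the hex-encoded /Contents (the CMS blob itself).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def inspect_signatures(pdf: bytes) -> list:
    """Return one report per /ByteRange found in the raw file bytes."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        gap = pdf[a + b:c]
        reports.append({
            "byte_range": (a, b, c, d),
            "starts_at_zero": a == 0,
            "gap_is_hex_string": gap.startswith(b"<") and gap.endswith(b">"),
            # Bytes past the signed range belong to a later revision. That is
            # expected for an earlier signature in a multi-signature file; after
            # the last signature it is what validators report as later changes.
            "trailing_bytes": len(pdf) - (c + d),
        })
    return reports


def is_certified(pdf: bytes) -> bool:
    """Heuristic: certification signatures reference the /DocMDP transform."""
    return b"/DocMDP" in pdf


def build_sample(appended: bytes = b"", certify: bool = False) -> bytes:
    """Constructed PDF-like bytes (not a valid PDF) holding one signature dict."""
    prefix = b"%PDF-1.7\n"
    fmt = b"1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" /Reference [<< /TransformMethod /DocMDP >>]" if certify else b""
    tail += b" >>\nendobj\n%%EOF\n"
    head_len = len(prefix) + len(fmt % (0, 0, 0, 0))
    gap_end = head_len + len(contents)
    head = prefix + fmt % (0, head_len, gap_end, len(tail))
    return head + contents + tail + appended


if __name__ == "__main__":
    later = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"
    for name, data in [("as signed", build_sample(certify=True)),
                       ("with later revision", build_sample(later, certify=True))]:
        print(name, is_certified(data), inspect_signatures(data))
```

On a real file, pass `open(path, "rb").read()` to `inspect_signatures`; a non-zero `trailing_bytes` on the last signature means the file contains a revision the signature does not cover.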
