-
-
Notifications
You must be signed in to change notification settings - Fork 68
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ltvfix feature uses which PADes profile? #26
Comments
No PAdES profile in particular. It's intended to add required validation info to the document security store (DSS) for a given signature, nothing more, nothing less. In theory, if the initial signature is PAdES-B-T, However, in practice, things often aren't that simple:
Executive summary: the Hope that helps. EDIT: I just wanted to add that this is a very valid question, even though the answer probably isn't that satisfying. I'll try to do a better job of explaining these nuances in the documentation. |
Thank You for your reply.... But I have used Adobe Reader for validate the signature.. So please suggest me that which CLI commands and arguments must be use for a document signature, by which Adobe Reader can validate that signature until the end of world? |
Well, you can get Bear in mind that your operating system's trust settings aren't necessarily the same as those of Adobe's products---in fact, they almost certainly aren't. You may need to tweak the validation context in the configuration file to get the results you need. See here. Also, signatures require maintenance to remain validatable over long timescales, but that's usually not the signer's problem. |
Thank for your reply... It helps a lot... But, I am using PKCS11 token for signing a document, so how to setup the validation context in the configuration file to get the results I need? (You refer https://pyhanko.readthedocs.io/en/latest/cli-guide/config.html#config-validation-context) |
Whether you're using PKCS#11 or not shouldn't matter for setting up the validation context. By default, all certificates on the token will be read, and imported as untrusted certificates. The only situation where you have to do anything special is when you need to set up one of the certificates on your token as a trust root (e.g. because the root certificate you need is not in your system trust store). In that case, you have two choices:
Other than that, the validation config / PAdES compliance / revocation checker / ... don't care whether you're signing using a PKCS#11 token or using in-memory key material. EDIT: Of course, if you have to go through these steps, there's a chance that the root certificate isn't in Acrobat's trust store either. If you're signing with a government-issued ID, Acrobat probably trusts it (while your OS might not), but it's impossible to say for sure without trying. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions! |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
No description provided.
The text was updated successfully, but these errors were encountered: