You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Tilman Hausherr (JIRA)" <ji...@apache.org> on 2018/07/07 13:19:00 UTC
[jira] [Comment Edited] (PDFBOX-4261) Invalidated signature signing
pdf twice
[ https://issues.apache.org/jira/browse/PDFBOX-4261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535024#comment-16535024 ]
Tilman Hausherr edited comment on PDFBOX-4261 at 7/7/18 1:18 PM:
-----------------------------------------------------------------
can confirm that the problem happens when signing 92752146_noSign_anonymous.pdf twice with 1.8.
The signatures are OK, i.e. the ShowSignature example doesn't show any errors. The problem seems to be related to one of your / your team's earlier issues (e.g. PDFBOX-3114), where it came out that Adobe looks whether some "tree structures" were changed, e.g. indirect vs. direct objects.
Some observations:
- the object numbers of the pages are 4 and 42, /Pages is 3
- the object numbers of the pages in the "bad" document are 55 and 50, /Pages is 59
- in the "bad" document, one of the signatures is invisible but has an annotation entry. That is allowed, but PDFBox stopped doing this at some time.
- I tried handling it like in 2.0, i.e. not changing the page and not marking them for update, but the objects changed anyway.
- doing the PDFBOX-3631 change (avoid reusing the highest XRef stream object number) doesn't solve it
- the signature problem also happens with earlier 1.8.* versions
- the signature problem doesn't happen with any 2.0.* versions, although below 2.0.2 no signatures are shown
I'll look more at a later time but I can't guarantee that I'll find it and that it will be corrected. Your client should really update to jdk 1.7, 1.8 or 1.9. Alternatively, try building the 2.0 version with 1.6 and correct what doesn't work. If you're only doing signing, then it is less to do.
was (Author: tilman):
can confirm that the problem happens when signing 92752146_noSign_anonymous.pdf twice with 1.8.
The signatures are OK, i.e. the ShowSignature example doesn't show any errors. The problem seems to be related to one of your / your team's earlier issues (e.g. PDFBOX-3114), where it came out that Adobe looks whether some "tree structures" were changed, e.g. indirect vs. direct objects.
Some observations:
- the object numbers of the pages are 4 and 42, /Pages is 3
- the object numbers of the pages in the "bad" document are 55 and 50, /Pages is 59
- in the "bad" document, one of the signatures is invisible but has an annotation entry. That is allowed, but PDFBox stopped doing this at some time.
- I tried handling it like in 2.0, i.e. not changing the page and not marking them for update, but the objects changed anyway.
- doing the PDFBOX-3631 change (avoid reusing the highest XRef stream object number) doesn't solve it
I'll look more at a later time but I can't guarantee that I'll find it and that it will be corrected. Your client should really update to jdk 1.7, 1.8 or 1.9. Alternatively, try building the 2.0 version with 1.6 and correct what doesn't work. If you're only doing signing, then it is less to do.
> Invalidated signature signing pdf twice
> ----------------------------------------
>
> Key: PDFBOX-4261
> URL: https://issues.apache.org/jira/browse/PDFBOX-4261
> Project: PDFBox
> Issue Type: Bug
> Components: Signing
> Affects Versions: 1.8.15
> Reporter: Claudio Tortorelli
> Priority: Major
> Attachments: issue_data.zip
>
>
> A customer sent us a pdf that has this problem: when it is signed twice by *pdfbox 1.8.x* the second signature invalidates the first one.
> If we apply the same procedure using *pdfbox 2.0.x* the problem doesn't occur, but the customer required java 1.5 so we can't switch to the new version in this case.
> For +privacy purposes+ we had anonymized the original PDF file by editing 3 stream inside the pdf, without altering the original structure. So the file "92752146_noSign_anonymous.pdf" you can find in attachement has not the original text/image streams, but reproduces the problem as the original one.
> Thank you in advance
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org