issue with signature validation

Pablo Rodríguez oinos at web.de
Sat Jun 22 13:03:18 UTC 2024


Dear list,

pdfsig-24.02 gives the following verification results from a digitally
signed PDF document:

  - Signing Hash Algorithm: SHA1
  - Signature Type: ETSI.CAdES.detached
  - Signed Ranges: [0 - 248], [54250 - 87428]
  - Total document signed
  - Signature Validation: Signature is Invalid.

Acrobat Reader had no problem with this signature (tested weeks ago).

MuPDF-1.24.4 (mutool sign -v) complains about the certificate, but not
about the signature:

  Certificate error: Self-signed certificate in chain.
  The document is unchanged since signing.

I guess signature verification is rejected because of SHA1.

If you allow me a suggestion (I can provide an MR myself), please
consider another message.

For most (non-tech) users, signature validity is mainly its correctness
(no digest mismatch).

Even some PDF viewers (I cannot remember Acrobat right now) use "invalid
signature" for digest mismatch.

I wonder whether the following wording would be better:

  Signature may be valid, but cryptographically insecure.

I know that the expression seems too complex at first, but I think it
dispels the misleading idea "the signature is wrong".

Many thanks for your help,

Pablo
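As an added example (not code from this mail, poppler or MuPDF), the following Python script reconciles the two tools' output quoted above so that document integrity is reported separately from hash-algorithm strength, giving a weak digest the wording proposed in the mail. The sample outputs are constructed from the lines quoted above; the line formats and verdict strings are taken from those quotes only and are assumptions for any other pdfsig or mutool version.

```python
import re

# Constructed samples, modelled on the tool output quoted in the mail.
PDFSIG_OUTPUT = """\
  - Signing Hash Algorithm: SHA1
  - Signature Type: ETSI.CAdES.detached
  - Signed Ranges: [0 - 248], [54250 - 87428]
  - Total document signed
  - Signature Validation: Signature is Invalid.
"""
MUTOOL_OUTPUT = """\
  Certificate error: Self-signed certificate in chain.
  The document is unchanged since signing.
"""

# Digest algorithms treated as too weak for a signature to be relied on.
WEAK_HASHES = {"MD5", "SHA1"}

# Matches the '- Key: value' lines of a pdfsig block (trailing period dropped).
FIELD_RE = re.compile(r"^\s*-\s*([^:]+?):\s*(.*?)\.?\s*$")


def parse_pdfsig(text):
    """Collect the '- Key: value' lines of one pdfsig signature block into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_mutool(text):
    """Extract the integrity verdict and certificate errors from 'mutool sign -v' output."""
    unchanged = "unchanged since signing" in text
    cert_errors = re.findall(r"Certificate error:\s*(.+?)\.?\s*$", text, re.M)
    return unchanged, cert_errors


def assess(pdfsig_text, mutool_text):
    """Combine both tools into one verdict that keeps digest mismatch apart from weak hashing."""
    fields = parse_pdfsig(pdfsig_text)
    hash_alg = fields.get("Signing Hash Algorithm", "").upper()
    pdfsig_valid = fields.get("Signature Validation") == "Signature is Valid"
    unchanged, cert_errors = parse_mutool(mutool_text)
    if not unchanged:
        verdict = "Signature is invalid: document changed since signing (digest mismatch)."
    elif hash_alg in WEAK_HASHES:
        verdict = f"Signature may be valid, but cryptographically insecure ({hash_alg})."
    elif pdfsig_valid:
        verdict = "Signature is valid."
    else:
        verdict = "Signature is invalid: verification failed for a reason other than the digest."
    return {"hash": hash_alg, "unchanged": unchanged,
            "certificate_errors": cert_errors, "verdict": verdict}
```

Certificate-chain problems (the self-signed certificate mutool reports) are returned alongside the verdict rather than folded into it, since trust in the signer is a separate question from whether the signed bytes are intact.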


More information about the poppler mailing list