CIB pdf toolbox technical guide (EN)
6. PDF signature with certificate
6.1. General information for PDF signatures
Signing/verifying with the CIB pdf toolbox
Signing/verifying with the CIB pdf toolbox merge
Signing/verifying with the CIB pdf toolbox join
General
There are two types of PDF signatures.
A byte range signature is a signature that covers all bytes of almost the entire PDF.
There are two types of that:
- PDF 1.5: An "object digest" is a hash algorithm that will be executed when a subtree of the PDF objects is passed through.
- PDF 1.6 and onwards: The second type is recommended. The entries as in the first type are set, but without passing through a hash algorithm.
To verify the signature, the application has to compare the document at hand with the signed document and check whether changes have been made to objects that are not allowed by the signature entries.
Signing:
The CIB pdf toolbox supports both, the "DocMDP” (= Modification Detection Prevention) object digest signature as well as the "lock" object digest signature. Both are only allowed in a PDF file with a PDF version higher or equal to 1.5. An Adobe Reader version 7.0 or higher is required to read the “DocMDP” signature.
Verifiying the signature:
Currently, the CIB pdf toolbox only verifies if the PDF has been changed again after signing. If this is the case, the PDF is invalid.
It is not yet checked which change has been made and if this change may be permitted. A corresponding extension of the CIB pdf toolbox is planned.
Note: UR3 signatures will be verified and the result is written in the trace, but otherwise the result is ignored.Signing/verifying with the CIB pdf toolbox
PDFs can be signed both with the CIB pdf toolbox merge (-fm) and join (-fj) modules. In case of multiple output PDFs, each PDF is signed individually (by both modules).
Processing with the CIB pdf toolbox will invalidate any eventually contained signatures in the input PDFs. Therefore, they cannot be transferred to the output PDF because the internal structure of the PDF is changed during processing.
When signing the output PDF, all old signatures will be removed from the input PDFs. If the output is not signed, the old signatures can be removed from the input by setting the property “RemovePdfSignatures=1".
If the CIB pdf toolbox merge or join modules are to be used to verify PDF signatures, this has to be done explicitly by setting the property "CheckPdfSignatures=1". Then all signatures of all input PDFs will be verified.
Signing/verifying with the CIB pdf toolbox merge
Using CIB pdf toolbox merge (CIB runshell -fm), only a single input file is possible. If this input file contains a signature, it will only be verified if “CheckPdfSignatures=1” is set.
Using CIB pdf toolbox merge, one or more output files are possible. When signing, each output file will be given its own signature.
Signing/verifying with the CIB pdf toolbox join
Using CIB pdf toolbox join (CIB runshell -fj), one or more input files are possible. If one or more of these input files contain a signature, they will only be verified if “CheckPdfSignatures=1” is set.
Using CIB pdf toolbox join, one or more (SplitPages=1) output files are also possible. When signing, each output file will be given its own signature.