2

I'm trying to figure out how to detect if a document has been changed after it has been signed. I can't seem to find a good solution of this.

Anyone know about this?

EDIT
Did some additional testing using only the "ShowSignature.java". Here is what I found so far. If I change the document through PDFBox, both Adobe Reader & PDFBox will detect the broken signature. If I change the document with an Adobe product (Adobe Illustrator in this case) Adobe will report signature as broken, "ShowSignature.java" will not. Subfilter is ETSI.CAdES.detached
Links to both working and broken:

Anders Andrén
  • 41
  • 3
  • What kind of changes do you mean? Changes changing the document hash value in the signature or changes that don't? – mkl Jan 04 '18 at 19:31
  • I actually used ShowSignature.java as a base. Here is what I did: Load a signed version "PDDocument.load" then "PDDocumentInformation info = document.getDocumentInformation();" "info.setCustomMetadataValue("NewMeta", "Dummy");" "document.setDocumentInformation(info);" document.save... When I look at the document in Adobe PDF view it tells me signature is broken but when I run the updated document trough ShowSignature code all is fine. What am I missing? Thanks – Anders Andrén Jan 08 '18 at 15:37
  • 1
    If you do `PDDocument.load` on a signed PDF and later `document.save`, the signature is broken for sure. Please share the PDF in question, though, for which `ShowSignature` thereafter still says "all is fine" because it should not. A note on the side: If you provide additional information for your question on stack overflow, in particular if it's a lot or if it's code, please edit that information into the question text; there is an [edit](https://stackoverflow.com/posts/48096684/edit) link right underneath it. – mkl Jan 08 '18 at 17:45
  • @Anders Andrén Unfortunately both the provided signature links are now broken... – user2677034 Feb 05 '20 at 00:37

1 Answers1

2

If I change the document through PDFBox, both Adobe Reader & PDFBox will detect the broken signature. If I change the document with an Adobe product (Adobe Illustrator in this case) Adobe will report signature as broken

This happens because there are two fundamental ways to re-save an existing PDF with changes:

  • you can save all the objects of the changed PDF in a new file as-is; or
  • you can append only the changed objects to (a copy of) the original file.

(For more details, also actual some seldom-used in-between technique, confer this answer.)

In the former case a signature from the original file is broken for good, it usually is not at the same offset in the PDF anymore and the signed bytes definitively have changed.

In the latter case such a signature still mathematically correctly signs the signed bytes as nothing has changed in the first part of the file (the copy of the original file). In such a case, though, only certain changes are considered allowed, cf. this answer.

(For some backgrounds on signing, incremental updates, and revisions confer this answer.)

PDF files changed by PDFBox (at least if saved as you do) are an example of the former case.

PDF files changed by Adobe Illustrator (at least if originally signed) are an example of the latter case.

The ShowSignature class only checks whether the signature still mathematically correctly signs its signed bytes. It signals the existence of changes as added in the latter case by an output of

Signature does not cover whole document

but it does not analyze whether those added changes are allowed or not.

Adobe Reader checks both the signature for mathematical correctness and the added changes for being allowed.

Consequently ShowSignature will not complain (merely hint at the existence of changes) while Adobe Reader will complain when confronted with your tampered.pdf file.

The reason why PDFBox (just like most (all?) other non-Adobe PDF libraries) don't check for allowed and disallowed appended changes is that this is highly non-trivial:

If you read the answer on allowed and dis-allowed changes already referenced above, you'll see that the descriptions are fairly abstract, they deal with visible objects presented by PDF viewers and not with data objects inside PDFs. Unfortunately, though, there are many different ways (in terms of data objects inside PDFs) to do the allowed changes (expressed in terms of visible objects presented by PDF viewers), so it's extremely difficult to judge in general whether a given change is allowed.

Even the analysis of changes in Adobe Reader is not perfect: Adobe for some changes only considers them allowed if they are done similarly as Adobe software would have done them.

mkl
  • 90,588
  • 15
  • 125
  • 265
  • OK, I guess using "*Signature does not cover whole document*" as a marker I can figure something out. Looks like the last signature should cover entire document in order to consider the document to be intact. In terms of signatures. Thanks! – Anders Andrén Jan 10 '18 at 11:40
  • *"Looks like the last signature should cover entire document in order to consider the document to be intact."* - unfortunately it's not that easy. In particular if you have to deal with PAdES signatures (and as you have a Subfilter **ETSI.CAdES.detached**, you do), there is yet another type of changes allowed to signed files: Validation related information may *always* be appended to PDF (even to those certified with "no changes allowed"), and these VRI not necessarily are "signed" by a document time stamp. – mkl Jan 10 '18 at 11:44
  • So no foolproof way then. Got it. Again, thanks for the info and your time. – Anders Andrén Jan 10 '18 at 11:53
  • Hi AndersAndrén, @mkl, is there any solution for this? I also face with this problem. If any good news please tell me. Thank you – SoT Dec 29 '20 at 10:55
  • It can be solved, but solving it requires a lot of work, clearly beyond the scope of a stack overflow answer. As far as I know this has not been done as a free, open source project yet. – mkl Dec 29 '20 at 12:24