java - 签署 PDF - 多个签名与一个修订版

Question

简单地说 - 我想在 PDF 上添加多个签名(使用 iText)，而不是为每个签名添加新的修订。

我读过 following thread ，这很有意义(因为布鲁诺写了答案)

很明显，如果文档有 2 个修订，第一个签名不会覆盖第二个修订。但是，是否有可能(根据 PDF 标准，在 iText 中)同一个修订版有两个签名？ (我已将认证级别设置为 CERTIFIED_FORM_FILLING_AND_ANNOTATIONS)。

重点是文档只创建一次，除了添加签名外，根本没有改变。而且由于签名的 PDF 将发送给非技术人员，看到“文档已更改”可能会引发一些“怀疑”(由于缺乏对 PDF 的了解，唉，我不能指望他们) .因此，再说一遍 - 可能在 1 个修订版中有 2 个签名，由不同的人在不同的时间添加。

Answer 1

我在 iText 邮件列表上得到了一个有用的答案，我将分享它。 Here ，一个绰号为 mkl 的人解释说，对于 Adob​​e 产品，这是一个鸡生蛋还是蛋生鸡的问题。

ISO 32000-1:2008, section 12.8.1 says: "A byte range digest shall be computed over a range of bytes in the file, that shall be indicated by the ByteRange entry in the signature dictionary. This range should be the entire file, including the signature dictionary but excluding the signature value itself (the Contents entry). Other ranges may be used but since they do not check for all changes to the document, their use is not recommended. When a byte range digest is present, all values in the signature dictionary shall be direct objects."

Thus, according to this norm, more piecewise byte ranges are permissible. Therefore, it especially is permissible to have multiple signature containers excluded from the bytes to sign.

BUT...

if you want Adobe products to accept your signatures out-of-the-box, you'll find that they expect a signature to sign everything in its revision but itself. For two signatures this would imply that each signature would have to sign a range that includes each other, a hen-or-egg problem.

If your signatures only have to be verifiable with you own software and Adobe products may mark your signatures as invalid, then you can quite easily create such independent double signatures. Cf.

http://old.nabble.com/Uncommon-ByteRange-entry-in-signature-dictionary-to23670277.html

for some inspiration. iText can be changed to do that without too much much trouble. But keep in mind Leonard's words there:

"Adobe Acrobat and Reader will IMMEDIATELY invalidate a ByteRange that is more than 2 pairs. So anything with multiple ranges won’t validate."

As a third way you may build a custom Adobe plugin which verify your custom signatures.

---

just one afterthought... if you seriously want to be in the signature business, you should not only keep in mind the current plain PDF standard (i.e. ISO-32000-1:2008) but also additional standards.

E.g., confer ETSI TS 102 778-1; section 4.1 in v1.1.1 says: "As with other CMS-based signature implementations, a digest is computed over a range of bytes of the file. However with PDF, as the signature information is to be embedded into the document itself, this range is the entire file, including the signature dictionary but excluding the PDF Signature itself. The range is then indicated by the ByteRange entry of the signature dictionary.

By restricting the ByteRange entry this way, it ensures that there are no bytes in the PDF that are not covered by the digest, other than the PDF signature itself.

NOTE: The profiles defined in part 2 and 3 make normative this requirement which is a recommendation in ISO 32000-1 [1], clause 12.8.1."

Therefore, as soon as you're into signatures seriously, the signed byte range simply has to cover all of the revision but the one signature container which signs this very byte range.

(来自 iText 邮件列表，2009 年 12 月 1 日)