When validating signatures (including the UR3 signature) it is necessary
to confirm that the byte range ends just past an instance of %%EOF. Any
byte range that is longer than the file is an indication that someone
did a Full Save (rather than an Incremental Save) some time after the
first signing. If you insist on proceeding, you should ignore all
invalid signatures.

Note that a signature can be deleted, which is indicated by that
signature widget not appearing in the latest AcroForm/Fields array.
That's OK, but don't consider it for DSS. There is no requirement that
signatures appear "in order" in the Fields array. If you must order the
signatures, do it in order of increasing last byte, as that indicates
the order of incremental saves.

Marc

On 9/1/2025 5:53 AM, Tilman Hausherr wrote:

Sadly, the length 144951 does NOT confirm what I expected. The "bad"
byte range (offset1 len1 offset2 len2) is [0 1569 11103 160382], so
the second segment is longer than the original file. This means that
this isn't an "old" value, it was created at some time during the
signing process. The code has "if (br2 + br3 >
incrementalInput.length())" which avoids messing with old signatures.

What happens if you don't use DSS to sign, but the CreateSignature
example of PDFBox?

Tilman
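
The byte-range checks described in Marc's message, as an added example that is not part of the original messages and is not PDFBox or DSS code. The class and method names, the sample bytes and the sample ranges are constructed for illustration, and accepting an end-of-line after %%EOF is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ByteRangeCheck {
    enum Result { OK, LONGER_THAN_FILE, NOT_AT_EOF }

    static final byte[] EOF = "%%EOF".getBytes(StandardCharsets.US_ASCII);

    // br is a signature's /ByteRange: [offset1 len1 offset2 len2]
    static Result check(byte[] file, long[] br) {
        long end = br[2] + br[3]; // first byte after the signed range
        if (end > file.length) return Result.LONGER_THAN_FILE; // Full Save after signing
        int i = (int) end;
        // Assumption: an end-of-line after %%EOF still counts as "just past" it
        while (i > 0 && (file[i - 1] == '\n' || file[i - 1] == '\r')) i--;
        if (i < EOF.length) return Result.NOT_AT_EOF;
        byte[] tail = Arrays.copyOfRange(file, i - EOF.length, i);
        return Arrays.equals(tail, EOF) ? Result.OK : Result.NOT_AT_EOF;
    }

    // Increasing last byte gives the order of the incremental saves
    static void sortBySigningOrder(List<long[]> ranges) {
        ranges.sort(Comparator.comparingLong((long[] br) -> br[2] + br[3]));
    }

    public static void main(String[] args) {
        // Constructed stand-in for a file with two incremental revisions
        String rev1 = "%PDF-1.7\n<sig1 /Contents <00000000>>\n%%EOF\n";
        String rev2 = "<sig2 /Contents <00000000>>\n%%EOF\n";
        byte[] file = (rev1 + rev2).getBytes(StandardCharsets.US_ASCII);
        int n1 = rev1.length(), n = file.length;

        // Constructed ranges; the position of the /Contents gap is arbitrary here
        List<long[]> ranges = new ArrayList<>(List.of(
            new long[] {0, 45, 55, n - 55},    // second signature, covers whole file
            new long[] {0, 10, 20, n1 - 20},   // first signature, ends at revision 1
            new long[] {0, 10, 20, 15},        // ends inside the body
            new long[] {0, 10, 20, n + 100})); // claims more bytes than exist
        sortBySigningOrder(ranges);
        for (long[] br : ranges)
            System.out.println(Arrays.toString(br) + " -> " + check(file, br));
    }
}
```

A range reported as LONGER_THAN_FILE or NOT_AT_EOF should be treated as an invalid signature and left out of further processing.
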