Re: [SignServer-develop] PDF 2.0

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On 1/8/20 2:46 PM, Kevin DG wrote:
> I checked to sign a PDF in version 2.0
> (https://github.com/pdf-association/pdf20examples/blob/master/Simple%20PDF%202.0%20file.pdf)
> with worker pdf signer.
> 
> It's works but ... there is always a "but" :-).
> 
> This is a pdfinfo result before the signature:
> 
> 
>     pdfinfo Simple\ PDF\ 2.0\ file\ \(1\).pdf
>     Tagged:         no
>     UserProperties: no
>     Suspects:       no
>     Form:           none
>     JavaScript:     no
>     Pages:          1
>     Encrypted:      no
>     Page size:      612 x 396 pts
>     Page rot:       0
>     File size:      5207 bytes
>     Optimized:      no
>     PDF version:    2.0
> 
> 
> This is a pdfinfo result after the signature:
> 
>     ▶ pdfinfo Simple\ PDF\ 2.0\ file\ \(1\)\ \(1\).pdf
>     Producer:       iText 2.1.7 by 1T3XT
>     ModDate:        Wed Jan  8 14:04:29 2020 CET
>     Tagged:         no
>     UserProperties: no
>     Suspects:       no
>     Form:           AcroForm
>     JavaScript:     no
>     Pages:          1
>     Encrypted:      no
>     Page size:      612 x 396 pts
>     Page rot:       0
>     File size:      37897 bytes
>     Optimized:      no
>     PDF version:    1.6
> 
> 
> The PDF version is downgrade from 2.0 to 1.6, so it's works but it can
> be i think generate problem or lost functionality linked to 2.0 format.
> 
> When we review signserver code, we understand why the downgrade is
> processed. Signserver use an old version of iText.
> iText handle the PDF version detection in the form of integer (0 => 1.0,
> 6 => 1.6, 7 => 1.7), so the PDF in version 2.0 is detected to 0.... 
> Signserver upgrade the PDF in 1.6 also to handle the digest algorithm
> (in my case SHA256).
> 
> Any ideas about that ?

Hi Kevin,

It is correct that so far only PDF version up to 1.7 is supported and
that an older version of iText is used as a base for the signer.

Without checking the code now, from your description about it, it sounds
to me like maybe we could adjust the PDF version detection to also
support version 20 + if needed also the upgrade logic.

I have not read up enough on the 2.0 spec to know if anything else
changed regarding the signatures or if the above change would be enough.
Could be worth trying out at least.

Cheers,
Markus
PrimeKey Solutions