Signature error: The validity of the document certification is UNKNOWN. The author could not be verified.

[marcelf]

Hi, I generated a PDF with a valid SSL certificate, but the signature isn't valid:

What could be wrong?

Thanks, Marcel

[marcelf]

ps: the example pdf also is unknown: https://tcpdf.org/examples/example_052/ Is it a library problem?

[pr-apes]

@marcelf, I think there may be two different issues here.

1. https://tcpdf.org/files/examples/example_052.pdf contains what seems to be a self-signed certificate. At least, there is no certificate chain to validate the user certificate.

   There is no attached document, but if the signature is similar to a digitally signed sample act from the Brazilian official journal, there may be some issue with the certificate. I think they are missing the certificate hierarchy. BTW, root certificates from the Brazilian public CA lack any form of hashing to verify integrity.

   Certificates issued by the Brazilian public CA may have some problem. Either certificate hierarchy is simply missing or not included in a way that Acrobat may handle it. This is shown in the first signature from this publicly available document from the Instituto Nacional de Tecnologia da Informação.

2. It seems that TCPDF may be making signatures (from certificates with full hierarchy info) that cannot be verified. I received a document with such a signature, but I'm afraid I cannot share it. In that case, I'm afraid TCPDF is buggy.

In order to sort out the issue you are experiencing with TCPDF, could you use the same certificate to sign a PDF document with Acrobat and test whether you get the same result?

Many thanks for your help.

[pr-apes]

@marcelf,

this is a tricky issue because of the trust given to the root certificate when it is added to Acrobat.

With approval signatures (the standard ones), you may expect this:

With certification signatures, you get this:

The problem is that you don't get that by default, because when you import the root certificate (from the CA) default trust is set to approval signatures only, not to certification signatures.

Once you enable the extra validation for document certification and install the intermediate certificates again, certification signatures are fine with Acrobat (as displayed in the image above).

Since all the signed documents I have contain personal data, I cannot provide any sample.

@williamdes, would you be so kind to check whether my explanation makes sense (I mean, you may verify what I tell here) and close the issue?

Many thanks for your help.

[williamdes]

Sorry about that but I am running low on free time I did overview the comments and could not come to a conslusion. Please note I have no powers to manage issues (close them for example)

[pr-apes]

Sorry, @williamdes,

I hope now it is clearer.

Validation for certification signatures in Acrobat depends on allowing this extra step.

Imagine a root certificate (such as https://www.mozilla.org/certs/mozilla-root-sha2.crt).

Open preferences (with Ctrl+K) and select the installation:

Import the certificate and then add trust:

By default, certification signatures need the extra green activation (not only the red one):

Since intermediate certificates inherit trust, they may have to be erased and imported again (since trust inheritance may happen only once [when the intermediate certificate has been originally imported]).

This is the main reason why validity for signatures with TCPDF is unknown.

I hope it is clearer now. Many thanks for your help.

[pr-apes]

@nicolaasuni,

the original report may be caused by the way the root certificate is installed in Acrobat (it requires explicit trust for certification signatures when the root is installed),

At least, when installing the root certificate explicitly granting trust for certification signatures, validation is perfectly fine (sorry, but since it contains personal data, I cannot share the document).[^sample-certs]

Because of that, I think that the issue may be safely closed.

[^sample-certs]: In any case, this link may explain how to generate sample root, intermediate and user certificates.