It would be great to have abilite to check digital signature in pdf -> Like in Adobe it should show that pdf is signed and with what signature, and who signed that digital signature.
In version 3.0 it don't show anything about digialy signed pdf, but opening it with adobe give information about it
I will revive this. Any news @kjk any chance for this ?
No news on this. I think latest mupdf has support for verifying signatures but upgrading to it is a large task.
thats probably true, but also vulnerabilities are fixed and a lot have change since 2014 - there are more and more signed pdfs. and this getting more and more demanding thing ;-)
Certificate signed documents have become de facto in a lot of use cases. From invoices and quotes, to contracts and public documents. I very much would like to see this implemented.
The code to sign and read signed files is waiting for exploitation, files can be very easily decrypted and forged signatures can be added as if from a trusted party, agreed they will show evidence of tampering when inspected but many users simply just trust the fact they are "signed" no matter by who.
Personally I prefer a PDF Reader without Javascript, Now I wonder which one that might be?
To put my statements in context from other sources. First generally from a study of PDF security.
"Besides its portability, it provides its own security features such as encryption and digital signature and it is regarded as a secure document standard if compared to other popular document file formats. The paper discusses that the reputation of secure format for the PDF documents is not completely right and shows that the standard is not immune to some privacy issues that affect its competitors. Given a PDF file, it is possible to retrieve a previous version of the document and display information not meant to be published. The authors developed some simple tools that can provide sensitive document information as well as any version of the document, from its creation to its most up-to-date version. Another security issue, is the possibility to trigger events when a PDF document is opened, printed, etc.
The experiments showed that it is possible to trace the reader of a PDF document any time it is accessed, provided that the device where the file is read is connected to the Internet."
Secondly from forum discussions by Adobe MVPs
"It is indeed easy to set up a digital ID in an attempt to impersonate anyone. But it would only be successfully if the recipients don't bother to validate the signatures and/or choose to trust certificates that they should not be trusting. So it takes an understanding of the trust model and putting certain procedures into practice."
My observation is it will only take time for one to compromise the other.
signed by Me Dateline1918. P.S. I predict this will happen in about 95 years
Adobe Advisory 2013 "We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate … This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform "
This is relevant info on pdf signing and encryption:
https://media.ccc.de/v/36c3-10832-how_to_break_pdfs
No news on this. I think latest mupdf has support for verifying signatures but upgrading to it is a large task.
Does pdf-signature.c file mean that the update has been done? =)
@lapo-luchini
I would question the value of falsly endorsing signatures see
https://forum.sumatrapdfreader.org/t/new-shadow-attack-can-replace-content-in-digitally-signed-pdf-files/3191
adding signature support opens many cans or worms to what is a document reader with few security flaws
https://bugs.ghostscript.com/buglist.cgi?quicksearch=signature etc. etc.
Most helpful comment
Certificate signed documents have become de facto in a lot of use cases. From invoices and quotes, to contracts and public documents. I very much would like to see this implemented.