Multiple signatures applied to a PDF invalidates early signature

PDF format supports multiple digital signatures. When applying multiple signatures with Aspose PDF, I run into this “sigdict contents illegal data” error.

In summary, here’s how to reproduce the bug:

  • Sign signature field #1
  • fill or change any form field on the document
  • Sign signature #2
  • Save output

Inspecting the output file, Acrobat reader is supposed to render a version after each signature is placed. But the resulting output file shows an invalidated signature instead. The full error goes like this:

error during signature verification

signature contains incorrect, unrecognized, corrupted or suspicious data.
Support Information: SigDict/Contents Illegal data

Here’s the C# code, and the sample PDF is uploaded.


using System.IO;
using System.Reflection;
using Aspose.Pdf;
using Aspose.Pdf.Facades;
using Aspose.Pdf.Forms;
using Aspose.Pdf.Optimization;
using Microsoft.VisualStudio.TestTools.UnitTesting;

Aspose.Pdf.License license = new Aspose.Pdf.License();
license.SetLicense("aspose-license.lic");

multiple_signatures("dcaa7530-1.pdf");

void multiple_signatures(string pdfPath)
{
    var pdfContent = File.ReadAllBytes(pdfPath);
    pdfContent = SignSingle(pdfContent, "Requestor_Sig");
    pdfContent = Fill(pdfContent, "RequestFrom", "my requestor");
    pdfContent = SignSingle(pdfContent, "Receiver_Sig");
    File.WriteAllBytes($"{Path.GetFileNameWithoutExtension(pdfPath)}-multiple-signature.pdf", pdfContent);
}

byte[] Fill(byte[] pdfContent, string fieldName, string value)
{
    
    using (var ms = new MemoryStream(pdfContent))
    {
        using (var doc = new Document(ms))
        {
            (doc.Form[fieldName] as Field).Value = value;
            using (var ms2 = new MemoryStream())
            {
                doc.Save(ms2);
                return ms2.ToArray();
            }
        }
    }

}

byte[] SignSingle(byte[] pdf, string sigFieldName)
{
    using (var ms = new MemoryStream(pdf))
    {
        using (var doc = new Document(ms))
        {
            using (PdfFileSignature signature = new PdfFileSignature(doc))
            {
                if (signature.GetSignNames(true).Contains(sigFieldName))
                {
                    signature.RemoveSignature(sigFieldName, false);
                }

                var pkcs = new PKCS7("cert.pfx", "test");
                SignatureCustomAppearance appearance = new SignatureCustomAppearance()
                {
                    FontSize = 7,
                    UseDigitalSubjectFormat = true,
                    DigitalSubjectFormat = new SubjectNameElements[] { },
                    ForegroundColor = Color.DarkBlue,
                    DigitalSignedLabel = $"signed by [real name]",
                    ShowContactInfo = false,
                    ShowLocation = false,
                    ShowReason = false
                };

                pkcs.CustomAppearance = appearance;

                signature.Sign(sigFieldName, pkcs);
                using (var rv = new MemoryStream())
                {
                    signature.Save(rv);
                    return rv.ToArray();
                }
            }
        }
    }
}

sample.pdf (34.8 KB)

@hao.deng
Do I understand correctly that you are trying to change the document content after signing it with a digital signature?
Usually digital signatures verify that data remains in a fixed state and thus are considered invalid if the content is somehow changed.
You can try to use the following order and see if the issue will be relevant:

 pdfContent = Fill(pdfContent, "RequestFrom", "my requestor");
 pdfContent = SignSingle(pdfContent, "Requestor_Sig");
 pdfContent = SignSingle(pdfContent, "Receiver_Sig");

Also, could you please provide “cert.pfx” mentioned in your code so we can test it in our environment?

Hello, here’s my cert. It’s a self-signed cert anyhow.
cert.pfx.zip (2.6 KB)

I understand your reasoning about a change invalidating a signature. But in this case I am placing a new signature to “notarize” the change. This is a pretty common use case. If I go through this multiple-signing process manually with Acrobat Reader, Acrobat’s signature panel would show 1 version of the form for each signature placed on the PDF document.

Thank you for looking.

@hao.deng
It seems that something is wrong with the zip archive - it says that it’s broken.
Could you please try to reupload it or send it to Ilya.Zhuykov@aspose.com

In regards to your response - I’ll investigate what’s happening and write back to you soon.

Here’s the pfx file. I just put .zip extension in the file name to allow the uploader to accept it.

Thank you!

cert.pfx.zip (2.56 KB)

@hao.deng
Thank you, I’ll write to you as soon as I investigate.

@hao.deng
It seems that currently we don’t support such a function.
And it seems that, according to the description from here in the Limitations entry, it doesn’t work with digital signatures, at least directly, and relies on some external API - "Digital signatures are not supported in transactions that include notarization."

I checked both your code and my suggested code snippet; in the second one both signatures are valid.
Do I understand correctly that you want to store each version of the signed document’s changes?

Also, could you send us a version of the document with several notarized changes so we can investigate the possibility of implementing such a feature?

@ilyazhuykov
sample-2-sigantures.pdf (50.3 KB)

I might have used the wrong technical word “notarize”.

What I really meant was, a change indeed should invalidate a signature because that’s its purpose. But what AsposePDF does after invalidating a signature is that it seems to plant a wrong flag in the document that would trigger Acrobat Reader to report a "Support Information: SigDict/Contents Illegal data" error. If AsposePDF doesn’t render a version for each signature, at least it should properly preserve all the important bits so that the document doesn’t look like it’s corrupt.

Attached is a sample of the PDF signed by Acrobat Reader (v2024.001) twice. Inspecting it you can see that the signature panel retains something like a change log history. And it’s able to do that while maintaining document size at 50kb, whereas AsposePDF would reach 1.1mb by this point.
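
Added example, not part of the thread and not Aspose or Adobe code: a PDF signature's /ByteRange array names the two byte spans its digest covers, with the /Contents hex string in the gap between them, so an earlier signature's offsets stay correct only when later changes are appended after the bytes it signed. The Python sketch below goes beyond what the posts establish and reports this per signature on two constructed byte strings; `append_signed_revision`, `build_samples` and the simulated re-serialization are assumptions for illustration, not findings about any library's output.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_signatures(pdf: bytes) -> list:
    """Report what each signature's /ByteRange covers in the raw file bytes."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        end = c + d
        gap = pdf[a + b:c]  # bytes excluded from the digest: the /Contents value
        reports.append({
            "byte_range": (a, b, c, d),
            "in_bounds": a == 0 and b <= c and end <= len(pdf),
            # The excluded gap must be exactly one hex string: <...>
            "contents_is_hex": re.fullmatch(rb"<[0-9A-Fa-f]+>", gap) is not None,
            "covers_whole_file": end == len(pdf),
            "bytes_after_signed_range": max(len(pdf) - end, 0),
        })
    return reports

def append_signed_revision(prior: bytes, obj_num: int) -> bytes:
    """Constructed sample data, not a PDF writer: append a toy revision whose
    signature dictionary has correct offsets but an all-zero /Contents."""
    head = prior + b"%d 0 obj\n<< /Type /Sig /ByteRange [" % obj_num
    mid, contents = b"] /Contents ", b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    gap_start = len(head) + 34 + len(mid)  # 34 = width of the padded array below
    gap_end = gap_start + len(contents)
    byte_range = b"0 %010d %010d %010d" % (gap_start, gap_end, len(tail))
    return head + byte_range + mid + contents + tail

def build_samples():
    """Two constructed files: changes appended vs. earlier bytes rewritten."""
    base = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    signed_once = append_signed_revision(base, 2)
    change = b"3 0 obj\n(RequestFrom = my requestor)\nendobj\n%%EOF\n"
    appended = append_signed_revision(signed_once + change, 4)
    # Assumption for illustration: a save that re-serializes the signed bytes,
    # simulated by inserting a comment line before the second signature is made.
    shifted = signed_once[:9] + b"% re-serialized\n" + signed_once[9:] + change
    rewritten = append_signed_revision(shifted, 4)
    return appended, rewritten

if __name__ == "__main__":
    for name, pdf in zip(("appended", "rewritten"), build_samples()):
        for report in inspect_signatures(pdf):
            print(name, report)
```

In the appended sample the first signature's gap is still exactly its hex string and the bytes after its range are the later revision; in the rewritten sample the first signature's stale offsets no longer land on a hex string, while the second signature remains well formed.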

@hao.deng
I don’t quite understand what the issue is with Acrobat Reader showing that the signature is invalid due to a change in the state of the document data.
It seems that Acrobat just checks if the signature is still relevant according to the current fields’ state and shows that it no longer corresponds to the expected result.
What exactly do you mean here in regards to preservation of important bits of information, and what is the behaviour you expect here?
Thank you for the provided example document.

@ilyazhuykov

I ran through the same scenario with itext7; it looks like they also cause Acrobat Reader to throw up a similar error message (not exactly the same). I guess Acrobat Reader is unique in handling multiple signatures as separate versions. Forget what I say about document bits; I am completely ignorant of the PDF format. Thank you for going through this with me.

@hao.deng
It’s okay - at least now we know a bit more)
Thank you too for providing this information.