Signature verification/validation

Hello,

We are currently evaluating Aspose.Total for a few ongoing projects and are trying to understand more about how PdfFileSignature.VerifySignature(signName) and PdfFileSignature.VerifySigned(signName) validation works. We went through the documentation and found no specific details except the usage of those two methods.

For testing purposes I created a PDF document and signed it using a self-signed certificate which I created on the same machine. The PdfFileSignature class was able to read all the required information, and the VerifySigned and VerifySignature methods both returned true.

Then I removed the certificate which I used to sign the document. As a result, Adobe Reader reported an issue with the signature saying that it cannot verify its validity, and thus the signature validity status became UNKNOWN. When running the same test again, however, the return value of both the VerifySigned and VerifySignature methods was still true.

So if possible, please help us clarify these topics:

  1. The difference between VerifySignature and VerifySigned methods of the PdfFileSignature class.
  2. What does a true return value of any of the above methods say about the verified signature, in terms of validity? Is the validity of the certificate also verified (expiration date, etc.) or do the methods just check if the document contains a signature having the provided name?

Thank you in advance,
Daniel

@daniel.vlasceanu

We are checking for related information at our side. In the meantime, could you please share the source PDF document along with the certificate file that you have used?

Hello,

We are also evaluating ASPOSE for VerifySignature purposes and found this case, which is quite similar to the one we need to implement: verifying that a PDF signed with a 509 certificate is valid and unaltered, as Adobe Reader does.

I am wondering if there is any update from Aspose on the situation reported by Daniel.

Thanks in advance!
Alberto

@betovillalobos

It seemed like an issue in the API, which is why we also requested a sample file so that it can be investigated accordingly and consolidated feedback can be shared. Nevertheless, we will soon be updating this forum thread with the technical details against the posted inquiries about certain API methods. Please give us some time.

Is there any update from Aspose on this?

@betovillalobos

We have been busy finalizing the new upcoming release of the API and were unable to gather technical details against this scenario. We will soon inform you about it. Please give us a little time.

@betovillalobos

Research results have shown that:

  1. The VerifySignature and VerifySigned methods of the PdfFileSignature class do not differ. Functionally they are identical.
  2. The methods do not check the expiration date or any other dates. They throw an Exception if the field is not found.
  3. The methods report that documents are unaltered (return true) by checking hex codes, as Adobe Reader does.
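
Since the reply above says the verify methods cover document integrity but not certificate dates, a caller who needs an Adobe-Reader-style verdict has to evaluate the signer certificate separately. The following is an added example, not code from Aspose or from anyone in this thread, using only the standard .NET `System.Security.Cryptography.X509Certificates` API. The `SignerCertificateCheck` class and its `Evaluate` method are hypothetical names, and the self-signed certificate is constructed in `Main` as sample input; how the signer certificate is obtained from the PDF is outside the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of any PDF library): run it in addition to
// the library's integrity check, on the signer certificate taken from the PDF.
static class SignerCertificateCheck
{
    // Returns null when the certificate is inside its validity period and
    // chains to a root trusted on this machine; otherwise returns the reason.
    public static string Evaluate(X509Certificate2 signer, DateTime atUtc)
    {
        if (atUtc < signer.NotBefore.ToUniversalTime()) return "NotYetValid";
        if (atUtc > signer.NotAfter.ToUniversalTime()) return "Expired";

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.VerificationTime = atUtc;
            // Revocation lookups are disabled so the sample runs offline;
            // a production check would normally use X509RevocationMode.Online.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            if (chain.Build(signer)) return null;
            return string.Join(", ", chain.ChainStatus.Select(s => s.Status));
        }
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate,
        // mirroring the test setup described in the first post.
        using (var key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=Constructed Test Signer", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var now = DateTimeOffset.UtcNow;

            using (var cert = request.CreateSelfSigned(now.AddDays(-1), now.AddDays(30)))
            {
                // Evaluated today: dates are fine, so the result depends on trust.
                Console.WriteLine(Evaluate(cert, DateTime.UtcNow) ?? "Trusted");
                // Evaluated 60 days from now: past NotAfter.
                Console.WriteLine(Evaluate(cert, DateTime.UtcNow.AddDays(60)) ?? "Trusted");
            }
        }
    }
}
```

Treat a signature as acceptable only when both the library's integrity check and this certificate evaluation pass; a self-signed certificate that is absent from the machine's trust store fails the chain step even though the document bytes are unaltered.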