Removing signatures in a digital signature field

Former Community Member

Actual Question:

Hi all, I have a question relating to the topic above that I hope you guys can help me with;

1) Is it possible to remove digital signatures from a form? For instance, if you have a form going through several approval steps that require signatures, and then one step happens to reject, it would be nice to remove the previous signatures so that they could be re-signed.

2) And finally, is there a simpler way to combine digital signatures and rights management than what was listed in the PDF provided by Duane (second post from the bottom of the thread)? When creating a policy there is a checkbox for "Filling in form fields and signing". Is this for something else?

Thanks!
Billy

1 Accepted Solution

Correct answer by
Former Community Member

1)  Is it possible to remove digital signatures from form?

ANSWER:  A signature can only be removed ("unsigned") if the system or user has access to the "private" key used to generate the signature in the first place.  For example, let's say User A signs a PDF... Only User A can unsign that PDF.  If you were to use LC Digital Signatures ES to "unsign" a PDF, you would need to have all of the potential user "Credentials" and Credential passwords stored in the Trust Store so LC would have access to the private keys to be able to unsign a signature field.  This is not very feasible if the number of potential signers is large.

2) Is there a simpler way to combine digital signatures and rights management

ANSWER: Combining Digital Signature and Rights Management is not complicated.  You just need to be aware of the "Order of Operations" required.  Always "Encrypt" first (Rights Mgt, Certificates, and Password can be used for encryption) then "Certify" (assuming you are Certifying the PDF), then add Reader Extension rights (assuming you want to extend functionality of the document for Reader)

The reason the above order is required...  When you sign a document, a hash is generated based on the document, if you then encrypt that signed document, you are modifying the document which in turn causes a different hash to be generated... this breaks the signature.

As for the "Filling in form fields and signing" option in a policy, this is a "permission" that you can allow or disallow for PDF forms with a policy applied by RM.  For example, a PDF has a policy applied where User A has the "Filling in form fields and signing" permission enabled and User B does not.  User A can open the form and interact with it by filling it in and/or signing the form.  User B would only be able to "view" the form.  This permission is only relevant when using RM to protect fillable PDF forms.  Also, it shouldn't be confused with the Reader Extensions permission of allowing Digital Signatures in Reader.

For example, If you wanted a "Certified" form to be filled in and signed by User A with Adobe Reader, you would need to:

Apply a policy to the PDF where User A has the "Filling in form fields and signing" permission enabled, then apply a "Certify" signature which has the "Allow Form Fill and Signing" permission enabled, then Reader Extend the PDF form with the "Digital Signatures" permission enabled, which activates the Digital Signatures functionality in Reader for that particular form.

It may sound complicated, but it really isn't.

Regards

Steve

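The "order of operations" point in the accepted answer, shown in runnable form. This is an added illustration, not code from the thread, from LiveCycle or from Acrobat: the document is a dict of named parts, the signature covers every part except its own slot (the way a PDF signature covers a ByteRange that excludes its /Contents), an HMAC over the digest stands in for the RSA/ECDSA signature value so the script needs only the standard library, and the "Encrypt" step is an XOR with a SHA-256 keystream standing in for Rights Management, certificate or password encryption. Keys and document content are constructed for the example. The Reader Extend step is not modelled.

```python
"""Why "encrypt first, then sign": an added illustration, not code from the
thread or from LiveCycle / Acrobat.

Assumptions made by this model:
  * a document is a dict of named parts; sign() hashes every part except the
    signature slot, like a PDF ByteRange that excludes its own /Contents;
  * an HMAC over that digest stands in for the RSA/ECDSA signature value;
  * encrypt() XORs the body with a SHA-256 keystream, standing in for the
    Rights Management / certificate / password encryption step.
"""
import hashlib
import hmac
import json

# Constructed sample data; nothing here comes from the thread.
DOC = {"body": "Expense sheet: consultant fees 1,240.00",
       "fields": {"ConsultantSig": ""}}
RM_KEY = b"constructed-policy-encryption-key"
SIGNER_KEY = b"constructed-private-key-of-user-A"


def _covered_bytes(doc):
    """Bytes the signature covers: everything except the signature slot."""
    payload = {k: v for k, v in doc.items() if k != "signature"}
    return json.dumps(payload, sort_keys=True).encode()


def _keystream(key, length):
    """Deterministic keystream (SHA-256 in counter mode) for the toy cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(doc, key):
    """The 'Encrypt' step: rewrites the body, returns a new document."""
    body = doc["body"].encode()
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    out = dict(doc)
    out["body"] = ciphertext.hex()
    out["encrypted"] = True
    return out


def sign(doc, signer_key, signer):
    """The 'Certify'/'Sign' step: hash the covered bytes and attach a tag."""
    digest = hashlib.sha256(_covered_bytes(doc)).hexdigest()
    tag = hmac.new(signer_key, digest.encode(), "sha256").hexdigest()
    out = dict(doc)
    out["signature"] = {"signer": signer, "digest": digest, "tag": tag}
    return out


def verify(doc, signer_key):
    """True only if the covered bytes still hash to what was signed and the
    tag was produced with the signer's key."""
    sig = doc.get("signature")
    if sig is None:
        return False
    digest = hashlib.sha256(_covered_bytes(doc)).hexdigest()
    if digest != sig["digest"]:
        return False  # something rewrote bytes under the signature
    expected = hmac.new(signer_key, digest.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, sig["tag"])


def encrypt_then_sign():
    """The order the thread recommends: the signature is computed over the
    already-encrypted bytes, so it keeps verifying."""
    return verify(sign(encrypt(DOC, RM_KEY), SIGNER_KEY, "User A"), SIGNER_KEY)


def sign_then_encrypt():
    """The wrong order: encrypting afterwards changes the covered bytes, so
    the stored digest no longer matches and the signature is broken."""
    return verify(encrypt(sign(DOC, SIGNER_KEY, "User A"), RM_KEY), SIGNER_KEY)


if __name__ == "__main__":
    print("encrypt -> sign verifies:", encrypt_then_sign())
    print("sign -> encrypt verifies:", sign_then_encrypt())
```

The same mechanism is why the later replies steer away from "Remove Policy" followed by re-applying it on a signed document: re-encrypting rewrites bytes the signature covers.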

32 Replies

Former Community Member

Hi all, came across a few other problems and hopefully someone can help me out.

I've managed to place digital signatures on a form and I used a custom renderer to apply a policy for rights management. I used a Document Form type variable in the process and specified that the form should only be rendered once. Now at some point in my process I wanted to remove a signature, so I tried to use the Clear Signature Field service. When I run it, however, I get a stall and an error in my logs saying "The input PDF is encrypted using APS and could not be opened, hence the operation clearSignatureField can not be performed on Signature Field ConsultantSig. (in the operation : clearSignatureField)"

So I figured, ah well, that's cool, I'll just remove the policy, as I figured that's what was encrypting it. So I threw in a Remove Policy service and then I get another error in my logs saying that

*******************************************************

Cannot coerce object:

<document state="passive" senderVersion="3" persistent="true"
senderPersistent="false" passivated="true" senderPassivated="true"
deserialized="true" senderHostId="127.0.0.1/10.37.129.2/192.168.0.143"
callbackId="0" senderCallbackId="54" callbackRef="IOR:
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
isLocalizable="true" isTransactionBound="false"
defaultDisposalTimeout="600" disposalTimeout="600"
maxInlineSize="65536" defaultMaxInlineSize="65536" inlineSize="0"
contentType="null" length="85284"><cacheId/><localBackendId/

><globalBackendId><DocumentFileID fileName="C:\Adobe\LiveCycle8.2\jboss

\server\all\svcnative\DocumentStorage
\docm1247766543265\66d5bdad216c55badc57fc5b86f44086"/><globalBackendId/

><senderLocalBackendId/><senderGlobalBackendId/><inline/
><senderPullServantJndiName>adobe/idp/DocumentPullServant/

adobejb_server1</senderPullServantJndiName><attributes/></document> of
type: com.adobe.idp.Document to type: class
com.adobe.idp.taskmanager.form.impl.binarycontent.BinaryContentFormInstance

:
ALC-DSC-119-000: com.adobe.idp.dsc.util.InvalidCoercionException:
Cannot coerce object: <document state="passive" senderVersion="3"
persistent="true" senderPersistent="false" passivated="true"
senderPassivated="true" deserialized="true"
senderHostId="127.0.0.1/10.37.129.2/192.168.0.143" callbackId="0"
senderCallbackId="54" callbackRef="IOR:
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
isLocalizable="true" isTransactionBound="false"
defaultDisposalTimeout="600" disposalTimeout="600"
maxInlineSize="65536" defaultMaxInlineSize="65536" inlineSize="0"
contentType="null" length="85284"><cacheId/><localBackendId/
><globalBackendId><DocumentFileID fileName="C:\Adobe\LiveCycle8.2\jboss
\server\all\svcnative\DocumentStorage
\docm1247766543265\66d5bdad216c55badc57fc5b86f44086"/><globalBackendId/
><senderLocalBackendId/><senderGlobalBackendId/><inline/
><senderPullServantJndiName>adobe/idp/DocumentPullServant/

adobejb_server1</senderPullServantJndiName><attributes/></document>

of type: com.adobe.idp.Document to type: class com.adobe.idp.taskmanager.form.impl.binarycontent.BinaryContentFormInstance

*******************************************************

Oh great, a conversion problem when I try to remove the policy! Incidentally, I get this same conversion problem when I try to remove a signature using Clear Signature on a form that has NOT had any policy placed on it at all.

So basically, to sum up, these are the main issues:

1) Can digital signatures be removed from a form that has a policy placed on it, or do I have to remove the policy first?

2) Why am I getting these coercion errors? As I understood it, using a Document Form variable is the correct way to go. What should I do to resolve this?

So can anyone shed a little light on this?

Thanks

Billy

Former Community Member

Billy

You don't need/want to Remove the policy to be able to sign the document.  Use the "Unlock Policy Protected PDF" operation; this temporarily decrypts the document so you can work with it (i.e. sign it).  When the work is done the PDF remains protected with the policy.  "Remove Policy" does just that: it removes the encryption.  You would then need to reapply the policy to get the encryption back, which is problematic in your case as the document will be signed, therefore you will not be able to apply a policy to it.

There are a couple of things that you need to know for this to work...

1)  The process that contains the "Unlock Policy Protected PDF" operation must be "Short-Lived".  Typically you would create a separate process to do this and call it as a subprocess from the main one.

2)  The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy).

* To set this, access the Admin UI and set the "Run As" property (Home > Services > Application and Services > Service Management > your service name > Security (tab)).

As for your variable type, you can use a "document" variable if you are dealing with a PDF.  The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution component.

Regards

Steve

Former Community Member

Again, thanks for the quick reply Steve, just a few follow-up questions;

>  Use the "Unlock Policy Protected PDF" operation, this temporarily decrypts the document so you can work with it (i.e. sign it)

Could you explain how the document becomes encrypted afterwards? If this temporarily decrypts the document, does it mean that it automatically puts the encryption back on?

> The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy)

Would System be good enough for this?

> The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution component

Which is what I'm trying to do, so I'm guessing I use the Set Value to convert the Document Form to document, and vice versa?

Billy

Former Community Member

Billy

Could you explain how the document becomes encrypted afterwards? If this temporarily decrypts the document, does it mean that it automatically puts the encryption back on?

ANSWER:  Basically, the document, or parts of it, is "decrypted" and stored in memory.  The encryption is automatically re-applied by RM when the process is complete.

The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy)

Would system be good enough for this?

ANSWER:  You cannot use the system context for the Unlock Policy Protected PDF operation as there is no way to add "System" as a user to the policy.  This is the reason that the "Run As" functionality was introduced in LiveCycle ES Update 1 (ver 8.2x)

The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution >component

Which is what i'm trying to do, so i'm guessing i use the setvalue to convert the Document Form to document, and vice versa?

ANSWER:  You can access the "document" (PDF) stored in a Document Form variable by using XPath.  Use the XPath builder to navigate to the document, i.e.  /process_data/DocumentFormVariableNameHere/object/@document  You could map this into a document variable, but you shouldn't have to.

Regards

Steve

Former Community Member

Ok, I have a feeling if I get past this last bit I'll be in the clear. Right now I'm getting a "No view permission(error code bin: 770, hex: 0x302)" error in my log, and I'm assuming it's related to the "Invoke As" setting.

I created a separate process that contains the unlock service. I made that service short-lived. I specified "Run As" to be a specified user, the policy set coordinator, who also has rights to see the form.

Is there anything you can see thats missing out?

Thanks,

Billy

Former Community Member

Billy

It sounds like you have everything configured correctly... but it would work if everything was correct!  The error you are getting typically means that the user attempting to open the PDF is not included as a member in the policy.

1)  Can you open the PDF manually in Reader or Acrobat using the same user you have set as the "Run As" account?

2)  Is the user who is the Policy Set Coordinator also a member of the policy that is applied to the PDF you are testing with?

The user account that is specified in the "Run As" setting must be a member of the policy that was applied to the PDF that you are using.

Regards

Steve

Former Community Member

Yes on both counts. The user is able to pass the login when prompted by the rights management, and I set all the users of the domain as members of the policy. I just went and specified the user specifically as well, but still no go.

Former Community Member

Billy

Can you post a screen shot of the "Security" tab and the settings for your service that you created to unlock the PDF?  Also, if possible could you export your process and post it as well?

Thanks

Steve

Former Community Member

Sure thing, I appreciate you taking the time. I've attached a screenshot of the Security tab of the subprocess (RemovePolicyAndSignature), and you can see that I've set the "Invoke As" setting to the user gjames.

I've also included a screenshot of the policy "Consultant" in the policy set "Exp" to show that Glenn James (gjames) is a member of the policy as well as the policy set administrator.

I've also included the LCA file which has the main process (ExpenseSheet), the subprocess (RemovePolicyAndSignature), and the rendering service (RenderExtendedPolicyPDF) which applies the policy and reader extension.

Thanks,

Bilen

Former Community Member

The LCA file did not make it.  Rename the file with a .TXT extension so it will not be blocked.

Thanks

Steve

Former Community Member

The screenshots look like the correct configuration.  I made a few changes/corrections to your "RemovePolicyAndClearSignature" process, tested it and got it working on my system.  I attached the new version.  By the way, prior to making the changes, I tested and duplicated your coercion error; it was caused by the fact that your "list" variable had a subtype of document. You were trying to put an object of type "PDFSignatureField" into a "document" variable, hence the coercion error.

Changes I made included:

1)  Changing the "sigLst" variable to have a subtype of "PDFSignatureField" (you had used "document")

2)  Created a variable of type PDFSignatureField, named "objSignatureField"

3)  Added a "Set Value" step to map the "PDFSignatureField" object from the "sigLst" variable into the "objSignatureField" variable, and a second mapping to map the "name" attribute of the "objSignatureField" (which holds the PDFSignatureField) into the "signatureName" variable of type string

I set the service security to "RunAs" a named user, this named user was a member of the policy, and had "Modify" permissions.  I invoked the process from Workbench and was able to see that the resulting PDF file had the signature cleared from the field.

Hope this helps.

Regards

Steve

Former Community Member

Hmm, I'm still having the No View Permission error when trying to invoke the subprocess through the ExpenseSheet process. Just out of curiosity, does the policy get imported as well with the LCA? Did you get the No View Permission error when you ran it on your system for the first time?

Thanks,

Billy

Former Community Member

Policy Sets and Policies do not come across as part of an LCA (nor do Trust Store settings).

I created my own test policy and did not get the "No View Permission" error.  Can you test the process I posted (invoke from Workbench, with the "Run As" set to your user) with your policy and document to see if you get the error.

Regards

Steve

Former Community Member

No, I still have problems. I tried setting the user to various different users in the policy. I'm guessing it's just the way that I'm setting the policy, though for the life of me I can't imagine what I'm doing wrong. Is there an online resource somewhere that goes step by step on how to create a policy?

I'm also wondering though, I'm getting a Not Serializable error coming up as well, can this have anything to do with it?

Former Community Member

I'll take a look at your other processes.  I'll let you know what I find shortly.

Are you using "Record and Playback"?  What step in the process is causing the Not Serializable error?

Regards

Steve

Former Community Member

I get the Not Serializable error when I run the process, but when I play it back it only shows the No View Permission error. I included a screenshot to show what I mean.

Thanks

Billy

Former Community Member

Billy

I tested everything again (including your render service and your Expense process), and was able to run the process(es) successfully, with no errors.

I did however create my own policy set and policy which I set in your render service.

On your end, it has to be an issue between the policy and the user that you are defining as the "Run As" account.

Can you now post a screen shot of the Policy configuration, including the specific permission details for the user "glennj".

Regards

Steve
