SOLVED

Signature valid or invalid

Former Community Member

Actual Question:

How to tell if a Signature is valid or not?

I have a process/workflow, at the end of the workflow, it saves the PDF form in the ContentSpace. The form has Signature fields.

Server is LiveCycle ES 2.5, Turnkey. Windows/JBoss/MySQL. Client computer has the latest Acrobat Reader X (10.0).

After the form is saved in the ContentSpace, I download the .pdf form file from the ContentSpace into a folder on the C: drive, open the file with Reader, and there's a Green checkmark on the top, it says everything is valid. All looks good.

Then I log out of Windows, log back in on the same computer, using a different Windows account, open the same .pdf file with Reader, this time, there's no green checkmark; instead, there's a warning message on the top of the Reader window that says: at least one Signature has problems.

Why is that? How to tell which one is correct?

thanks

1 Accepted Solution

Correct answer by
Former Community Member

First off, if you see a green check mark, the signature is valid. 

The behaviour you are experiencing is due to the configuration (or misconfiguration) of the "Trusted Identities" in Reader.  For a signature to show a green check mark, the signer must be valid, and the signer must be trusted.

For Acrobat or Reader to "trust" a signer's certificate you need to configure a "trusted identity" by importing the signer's public key.

1. Right-click on the signed signature field
2. Select "Validate Signature"
3. Click "Signature Properties" button
4. Select the "signer" tab (see screen shot)
5. Click "Show Certificate" button
6. Select the "Trust" tab
7. Click the "Add to Trusted Identities" button
8. Set the desired "trust" settings
9. Click OK
10. Right-click on the signed signature field
11. Select "Validate Signature" - you should now get the green check mark.

Trusted identities in Acrobat\Reader are tied to the Windows account profile. This explains why, when logged onto the system as user1, the signature shows a green check mark (the trusted identity is configured), and when logged onto the system as user2, the signature shows a different status, because the signer's certificate has not been trusted under this profile. If you were to look at the details about the signature (in the signatures pane) you will see that it will say the signature is trusted, but the signer is unknown (not trusted).

Hope this clears things up.

Steve

10 Replies

Former Community Member

Yes it worked just like what you described.  Thanks.

May I ask a follow-up question?

Do I have to do this for each and every .pdf file?

(suppose I received 1000 .pdf files from 1000 different people... can I add 1000 trusted identities in one shot?)

Former Community Member

If you are receiving signed PDFs, where the signature has been created using a "self signed" certificate, then you must configure a trusted identity for each and every signature.  (1000 signatures = 1000 trusted identities)

If you are receiving signed PDFs, where the signature has been created using a certificate issued by a certificate authority (such as VeriSign), then you must configure a trusted identity for the certificate authority's certificate, then signatures created using certificates that were issued by the certificate authority will be implicitly trusted.  (1000 signatures = 1 trusted identity)

You can use Acrobat to create a "security settings" file that contains all the trusted identities, place it on a server and then set the preferences of Reader\Acrobat 9.x or 10 to download the file, thereby automatically configuring security, including trusted identities.  (see screen shots).

Regards

Steve
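
The three states discussed in this thread (signature broken, signature valid but signer unknown, signature valid and signer trusted) can be reproduced outside Reader. The script below is an added example, not part of the original posts and not Adobe code: it uses OpenSSL CMS signatures as a stand-in for PDF signatures, and the signer names, the "Example Root CA" and the per-user trust store files are all constructed.

```bash
# Added example: OpenSSL CMS as a stand-in for PDF signature validation.
# All names, subjects and file contents are constructed for illustration.
set -eu
work=$(mktemp -d) && cd "$work"
printf 'constructed sample form data\n' > form.txt

# Hypothetical root CA, plus two signers whose certificates it issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
issue() {  # issue <name>: CA-issued signing certificate <name>.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out "$1.pem" 2>/dev/null
}
issue alice; issue carol
# A signer using a self-signed certificate (no CA involved).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=bob" \
  -keyout bob.key -out bob.pem 2>/dev/null

sign() {  # sign <name>: writes <name>.p7s with the document embedded
  openssl cms -sign -binary -nodetach -in form.txt -signer "$1.pem" \
    -inkey "$1.key" -outform DER -out "$1.p7s" 2>/dev/null
}
sign alice; sign carol; sign bob
# Same-length byte change inside the signed content, to break integrity.
LC_ALL=C sed 's/sample/SAMPLE/' alice.p7s > tampered.p7s

# Per-profile trust stores: user1 trusts the CA and bob; user2 trusts nothing.
cat ca.pem bob.pem > user1.pem

validate() {  # validate <file.p7s> <trust-store.pem|none>
  # Step 1: integrity only (-noverify skips certificate chain checks).
  openssl cms -verify -noverify -inform DER -in "$1" -out /dev/null \
    2>/dev/null || { echo INVALID; return 0; }
  # Step 2: does the signer chain to something this profile trusts?
  if [ "$2" != none ] && openssl cms -verify -inform DER -in "$1" \
      -CAfile "$2" -out /dev/null 2>/dev/null; then
    echo VALID_TRUSTED
  else
    echo VALID_SIGNER_UNKNOWN
  fi
}

for f in alice carol bob tampered; do
  echo "$f: user1=$(validate "$f.p7s" user1.pem) user2=$(validate "$f.p7s" none)"
done
```

Passing `ca.pem` alone as the trust store is enough for both alice and carol, while bob's self-signed certificate has to be added to the store itself.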

Former Community Member

Thanks again for the quick response.  Appreciate it very much!

Level 1

I have created a "security settings" file according to the instructions above, placed it on a server, and set Reader preferences to download the file. I still receive the "Signer's Identity Unknown" message when hovering over a signature field.

Does the URL for the Server Setting need to be formatted in a particular manner? I've tried every variation that I can think of.

Thanks,

Rob

Former Community Member

Was the security settings file created from a system where the signature showed signer's identity correctly? Did you include the "Trust Settings" and "Signature Validation Settings" in your security settings file?

Have you validated if the "Trusted Identities" on the system that you imported the security settings is configured to trust the signer of the document?

By the way, this question should really be a new post as it is a different topic than this thread originally started as.

Regards

Steve

Level 1

Fair enough.

I'll present my question in a new post and I'll provide the information that you requested in your reply.

Thanks.

Rob

Former Community Member

Maybe this should be a new question but,

Are any certs built-in trusted by Reader?

By that I mean, similar to most web browsers, who automatically trust the top level certificates from VeriSign (and all the other large major cert providers)

Does Adobe have built-in trust?

I'm getting this error on a lower level certificate that has been signed by a VeriSign top-level cert.

Just wondering whether I NEED to add trust, or whether trust for the major players is already built in.

Former Community Member

There is one built-in cert that is trusted by Reader and Acrobat; this is Adobe's root certificate.  It is used to "sign" the root certificate of credentials issued by our Certified Document Service partners.  For more info on CDS please see: http://www.adobe.com/security/partners_cds.html

You will need to configure the trust for any root certificates issued by certificate authorities where the credentials were used to simply sign the document.

Regards

Steve
