How to tell if a Signature is valid or not?
I have a process/workflow; at the end of the workflow, it saves the PDF form in the ContentSpace.
The form has Signature fields.
Server is LiveCycle ES 2.5, Turnkey. Windows/JBoss/MySQL.
Client computer has the latest Acrobat Reader X (10.0).
After the form is saved in the ContentSpace,
I download the .pdf form file from the ContentSpace into a folder on the C: drive,
open the file with Reader,
and there's a Green checkmark on the top,
it says everything is valid.
All looks good.
Then I log out of Windows,
log back in on the same computer, using a different Windows account,
open the same .pdf file with Reader,
this time, there's no green checkmark
instead, there's a warning message on the top of the Reader window
that says: at least one Signature has problems.
Why is that?
How to tell which one is correct?
First off, if you see a green check mark, the signature is valid.
The behaviour you are experiencing is due to the configuration (or misconfiguration) of the "Trusted Identities" in Reader. For a signature to show a green check mark, the signer must be valid, and the signer must be trusted.
For Acrobat or Reader to "trust" a signer's certificate you need to configure a "trusted identity" by importing the signer's public key.
Right click on the signed signature field
Select "Validate Signature"
Click "Signature Properties" button
Select the "signer" tab (see screen shot)
Click "Show Certificate" button
Select the "Trust" tab
Click the "Add to Trusted Identities" button
Set the desired "trust" settings
Right click on the signed signature field
Select "Validate Signature" - you should now get the green check mark.
Trusted identities in Acrobat\Reader are tied to the Windows account profile. This explains why, when logged onto the system as user1, the signature shows a green check mark (the trusted identity is configured), and when logged onto the system as user2, the signature shows a different status, because the signer's certificate has not been trusted under this profile. If you were to look at the details about the signature (in the signatures pane) you will see that it will say the signature is trusted, but the signer is unknown (not trusted).
Hope this clears things up.
Yes it worked just like what you described. Thanks.
May I ask a follow-up question?
Do I have to do this for each and every .pdf file?
(suppose I received 1000 .pdf files from 1000 different people... can I add 1000 trusted identities in one shot?)
If you are receiving signed PDFs, where the signature has been created using a "self signed" certificate, then you must configure a trusted identity for each and every signature. (1000 signatures = 1000 trusted identities)
If you are receiving signed PDFs, where the signature has been created using a certificate issued by a certificate authority (such as VeriSign), then you must configure a trusted identity for the certificate authority's certificate, then signatures created using certificates that were issued by the certificate authority will be implicitly trusted. (1000 signatures = 1 trusted identity)
You can use Acrobat to create a "security settings" file that contains all the trusted identities, place it on a server and then set the preferences of Reader\Acrobat 9.x or 10 to download the file, thereby automatically configuring security, including trusted identities. (see screen shots).
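Added example (not part of the original thread, and not Adobe's implementation): a simplified Python model of the decision described in the answers above, showing why the same file gets a different status under two Windows profiles and why 1000 self-signed signers need 1000 trusted identities while 1000 CA-issued signers need one. It assumes one-level chains and constructed names, and the `document_intact` flag stands in for the cryptographic checks a real viewer performs.

```python
# Added illustration: a simplified model of the trust decision, not Adobe's code.
# Certificates, profile names and status strings are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed certificate

def chain_to_anchor(signer, known_certs, trusted_identities):
    """Follow issuer links from the signer until a trusted identity is hit.

    Returns the chain (signer first, anchor last), or None when the walk ends
    at an untrusted self-signed certificate or an issuer that is not known.
    """
    chain, current, seen = [], signer, set()
    while current is not None and current.subject not in seen:
        chain.append(current)
        if current.subject in trusted_identities:
            return chain
        seen.add(current.subject)
        if current.issuer == current.subject:
            return None
        current = known_certs.get(current.issuer)
    return None

def signature_status(document_intact, signer, known_certs, trusted_identities):
    """Integrity and signer trust are separate checks; both must pass."""
    if not document_intact:
        return "invalid: document changed after signing"
    if chain_to_anchor(signer, known_certs, trusted_identities) is None:
        return "problem: signer's identity unknown"
    return "valid: signer trusted"

def anchors_needed(signers):
    """Fewest trusted identities covering every signer (one-level chains)."""
    return len({s.issuer for s in signers})  # self-signed: issuer == subject

# Constructed data: one CA, a CA-issued signer, and a self-signed signer.
CA = Cert("Example CA", "Example CA")
KNOWN = {CA.subject: CA}
ALICE = Cert("Alice", "Example CA")
BOB = Cert("Bob", "Bob")
# Trusted identities are stored per Windows profile, as in the thread.
PROFILES = {"user1": {"Bob"}, "user2": set()}

if __name__ == "__main__":
    for user, trusted in PROFILES.items():
        print(user, "->", signature_status(True, BOB, KNOWN, trusted))
    print("CA trusted ->", signature_status(True, ALICE, KNOWN, {"Example CA"}))
```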
I have created a "security settings" file according to the instructions above, placed it on a server, and set Reader preferences to download the file. I still receive the "Signer's Identity Unknown" message when hovering over a signature field.
Does the URL for the Server Setting need to be formatted in a particular manner? I've tried every variation that I can think of.
Was the security settings file created from a system where the signature showed signer's identity correctly? Did you include the "Trust Settings" and "Signature Validation Settings" in your security settings file?
Have you validated if the "Trusted Identities" on the system that you imported the security settings is configured to trust the signer of the document?
By the way, this question should really be a new post as it is a different topic than this thread originally started as.
Maybe this should be a new question but,
Are any certs built-in trusted by Reader?
By that I mean, similar to most web browsers, which automatically trust the top level certificates from Verisign (and all the other large major cert providers).
Does Adobe have built-in trust?
I'm getting this error on a lower level certificate that has been signed by a Verisign top-level cert.
Just wondering whether I NEED to add trust, or whether trust for the major players is already built in.
There is one built-in cert that is trusted by Reader and Acrobat, this is Adobe's root certificate. It is used to "sign" the root certificate of credentials issued by our Certified Document Service partners. For more info on CDS please see: http://www.adobe.com/security/partners_cds.html
You will need to configure the trust for any root certificates issued by certificate authorities where the credentials were used to simply sign the document.