
Signing with Swiss PostSuisseID no longer working on macOS

Participant, Aug 09, 2018


Signing with PostSuisseID on macOS Acrobat worked until a while ago, but not any more.

The signing dialog appears in Acrobat (including password requests), but at the end of the process, the error message "The credential selected for signing is invalid" appears. The file is written, but without a signature.

2018-08-09 Adobe Acrobat Signing Error.png

Current installation:

macOS High Sierra 10.13.6

Adobe Acrobat Pro DC 2018.011.20055

PKCS#11 module and timestamp link are installed according to PostSuisseID support page (images missing, unfortunately).

The problem could have the same root cause as described in a similar issue 10.11.6 CAC signing not working with 11.0.17 Acrobat, caused by changed SHA fallback logic and APIs.

TOPICS
Security digital signatures and esignatures


Adobe Employee, Aug 09, 2018


Hi Peter,

It seems like the PostSuisseID web page is not showing the screenshot images, so it does not help much to understand what's going on.

Could you please try to capture the screenshot of the certificate details?

Open the Preferences > Signatures > Identities & Trusted Certificates [More]

Select your certificates from the list and click on Certificate Details.

Click on the Details tab and take a few screenshots of the certificate details, including Signature algorithm, Key usage, Extended Key usage.

Thanks

Andrea

Participant, Aug 09, 2018


Due to missing screens on the Swiss Post support page, below are visualizations of current settings:

2018-08-09 Adobe Acrobat SwissSign Certs Overview.png

SuisseID is a hardware device with two certificates: One for signing (Qualified Signature, highlighted), the other one for authentication (log in). In my case, the hardware device has the form factor of a USB stick. The fact of the two certificates confuses some applications (certain browsers).

2018-08-09 Adobe Acrobat Signing Cert Summary.png

The signing certificate is set for non-repudiation.

2018-08-10 Adobe Acrobat Signing Cert Key Usage.png

Key usage details.

2018-08-09 Adobe Acrobat Signing Cert Issuer.png

Issuer of the certificate is SwissSign (certificate service provider for Swiss Post), algorithm is SHA256.

2018-08-10 Adobe Acrobat Signing Cert Algo.png

Signature algorithm details.

2018-08-09 Adobe Acrobat Preferences Signing Module.png

As per the Swiss Post support page, SwissSign certificates require installation of a dedicated PKCS#11 module.

2018-08-10 Adobe Acrobat Signing Module Login.png

Login to PKCS#11 module fails.

Participant, Aug 10, 2018


One additional question to readers of this thread: Is there anybody who is able to successfully use PostSuisseID with Acrobat on macOS High Sierra?

If so: Which settings are used?

Without confirmed evidence my current assumption is that the PKCS#11 module needs to be amended due to the fallback/API change described in the thread mentioned in my initial post.

Adobe Employee, Aug 10, 2018


Hi Peter

Thanks for sharing the screenshot. However, you missed the one I asked for showing Key usage and Extended Key usage.

Could you please add this one?

Also, are you able to login to the token from the PKCS#11 Modules panel?

- Plug the SuisseID device

- Click on "cv PKCS#11 module"

- On the right panel you'll see the device listed. Select it and click "Login"

- Enter the PIN

- Click on SuisseID on the left.

Can you see the two certificates listed?

Andrea

Participant, Aug 10, 2018


Hi Andrea,

I have added the requested screens to the existing post. However I did not find an "Extended key usage" object in the Details tab.

Direct login to the module fails, as per screen. However I am able to sign PDFs with the dedicated "LocalSigner" application - so the certificate itself appears to be ok, looks like the PKCS module for Acrobat has an issue.

I can see both certificates at top level, but not under the module.

KR ...Peter

Adobe Employee, Aug 10, 2018


The fact that you can't login to the device means that the driver is not working properly, assuming the driver is not wrong.

There are multiple reasons for this, and one is really that the PKCS#11 was written to rely on APIs that are not available in macOS Sierra. The fact that the device is working with the LocalSigner application means that they may use different mechanisms like CTK or TokenD rather than PKCS#11.

There's nothing we can do more to help but suggest that you open a support case with SwissSign, given that signing with Acrobat is a supported option covered by their website.

Regards

Andrea

Participant, Aug 10, 2018


Many thanks for your analysis, Andrea - this is much appreciated!

I have already opened a support case with SwissSign, and I have amended it with the reference to this thread so they have the full information available. I have also suggested that they approach the module provider - I hope he will contribute to this thread.

Kind Regards...

...Peter

Participant, Nov 06, 2019


Hi Andrea,

As you were very helpful with my last issue, I kindly ask you to look into a similar one (after upgrading to macOS Catalina) - https://community.adobe.com/t5/Acrobat/Signing-with-Swiss-PostSuisseID-no-longer-working-on-macOS/td....

SwissSign Support is already notified (I sent them a link).

Many Thanks!

...Peter

Participant, Aug 13, 2018


I had a conversation with SwissSign support today - the good news is that the solution works. However correct installation is crucial (even detail settings count). SwissSign is in the process of amending their online instructions - these should become available in the course of the next days. I will post the link once it is published.

Participant, Aug 16, 2018


Recommended settings based on conversation with SwissSign:

2018-08-14 Adobe Acrobat SwissSign Security Enhanced.png

SwissSign recommends to deactivate Enhanced Security. In my case, both settings with and without enhanced security worked.

Settings under Preferences > Signatures > Identities & Trusted Certificates:

2018-08-16 Adobe Acrobat SwissSign Certs Overview Full.png

Navigation "Digital IDs" (top level): As the SwissSign token (USB stick or chip card) contains two certificates, the one for signing (Qualified Signature) must be set to "use for signing" under "Usage Options". The setting is shown with a pencil symbol left to the certificate.

Refresh might be necessary in case the certificates are not displayed.

Sometimes, the SuisseID certificates are displayed twice - it appears that they are cached on the Apple keychain. I could resolve the situation by restarting Acrobat.

2018-08-14 Adobe Acrobat SwissSign Module Path.png

In the "PKCS#11 Modules and Tokens" navigation, the path to the PKCS#11 module must be set to /usr/local/lib/libcvP11.dylib - the module is copied to that directory in the SwissSign installation process (but the path is not automatically set).

2018-08-14 Adobe Acrobat SwissSign Module Login.png

Navigation "cv PKCS#11 module": Login is required (using the SuisseID token password/pin). In my case, this doesn't always work reliably the first time; more attempts might be necessary. Once logged in, the certificates are accessible.

2018-08-14 Adobe Acrobat SwissSign Module Cert.png

Navigation "SuisseID": Again, the certificate used for signing (Qualified Signature) must be set to "used for signing" (shown by pencil to the left).

Settings under Preferences > Signatures > Document Timestamping:

2018-08-14 Adobe Acrobat SwissSign Timestamp Path.png

Under the navigation "Time Stamp Servers", a path to the SwissSign server must be added: http://tsa.swisssign.net

In addition, the SwissSign server must be set as default, displayed by the star symbol to the left.

A last effect: In case macOS went through a few sleep cycles with applications open, Acrobat doesn't recognise the token anymore. Restarting Acrobat helped in my case. Sometimes, a system restart might be required.

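The thread's two-certificate point (the token's signing certificate is the one set for non-repudiation, the other is for authentication) can be checked from the certificates' KeyUsage extension. The following is an added example, not part of the original posts and not SwissSign or Adobe code; the labels and KeyUsage bytes in `SAMPLE_TOKEN`, including the assumption that the authentication certificate asserts only `digitalSignature`, are constructed for illustration.

```python
# Added example: decode a DER-encoded KeyUsage BIT STRING (RFC 5280, 4.2.1.3)
# and pick the certificate on a two-certificate token that is meant for signing.

KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a DER BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage has at most 9 bits, so only short-form lengths are valid here.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, data = der[2], der[3:]
    if unused > 7 or (not data and unused):
        raise ValueError("bad unused-bit count")
    nbits = len(data) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content byte.
        if data[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def pick_signing_cert(token_certs: dict) -> str:
    """Return the label of the single certificate asserting nonRepudiation."""
    candidates = [label for label, der in token_certs.items()
                  if "nonRepudiation" in decode_key_usage(der)]
    if len(candidates) != 1:
        raise LookupError(
            f"expected exactly one non-repudiation certificate, "
            f"found {len(candidates)}")
    return candidates[0]


# Constructed sample input: label -> DER KeyUsage value (not read from a real token).
SAMPLE_TOKEN = {
    "Qualified Signature": bytes.fromhex("03020640"),  # nonRepudiation
    "Authentication": bytes.fromhex("03020780"),       # digitalSignature (assumed)
}

if __name__ == "__main__":
    print(pick_signing_cert(SAMPLE_TOKEN))
```
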