How do I forge a parent signature

Validate certificate-based signatures

Define your validation settings in advance. This ensures that certificate-based signatures are valid when you open a PDF and that verification details about the signature are displayed. For more information, see Set Signature Verification Preferences.

When validating certificate-based signatures, a signature status icon appears in the document message bar. Additional status details are displayed in the Signatures window and the Signature Properties dialog box.

When you receive a signed document, you can check its signature(s) and thus verify the signatory and the signed content. Depending on how your application is configured, this check can also run automatically. The validity of a signature is determined by checking the authenticity of the certificate status of the signatory's digital ID and the integrity of the document:

  • The authenticity check confirms that the certificate of the signatory or the corresponding higher-level certificate is in the list of trusted identities of the verifier. It is also checked whether the signature certificate is valid according to the user configuration of Acrobat or Reader.

  • The document integrity check determines whether the signed content has been changed after it was signed. If the content has changed, the check determines whether the change has been approved by the signer.

Define default settings for signature verification

  1. Open the Preferences dialog box.

  2. Under Categories, select Signatures.

  3. Under Verification, click More.

  4. To automatically check all signatures in a PDF document when the document is opened, select "Check signatures when the document is opened". This option is activated by default.

  5. Set any verification options and click OK.

    When checking

    These options specify how the plug-in used to verify a signature is chosen. The appropriate plug-in is often selected automatically. Check with your system administrator for specific plug-in requirements for verifying signatures.

    If possible, determine whether the associated certificate has been revoked ...

    During validation, certificates are checked against a list of excluded certificates. This option is activated by default. If you disable this option, the revocation status for approval signatures is ignored. The revocation status is always checked for certification signatures.

    Verification time

    Check signatures using

    Select an option to specify the time against which the validity of the certificate-based signature is checked. By default, the check is based on the time the signature was created. Alternatively, the check can be based on the current time or on the time set by a timestamp server when the signature was created.

    Use expired timestamps

    The secure time provided by the timestamp or embedded in the signature is used, even if the signature's certificate has expired. This option is activated by default. If you deactivate this option, expired timestamps can be discarded.

    Verification information

    Specifies whether to add verification information to the signed PDF file. The default is to notify users when the verification information is too large.

    Specify whether all root certificates in the Windows certificate store are to be considered trustworthy when checking signatures and certified documents. Selecting these options can have a negative impact on security.

    It is not recommended to trust all root certificates in the Windows certificate store. Many of the certificates distributed with Windows are designed for purposes other than verifying trusted identities.

Define the trustworthiness of a certificate

In Acrobat or Reader, the signature of a certified or signed document is valid if you and the signer have a relationship of trust. The degree of trustworthiness of the certificate indicates for which processes you classify the signer as trustworthy.

You can change the trust settings of certificates to allow certain actions. For example, you can change the settings so that dynamic content and embedded JavaScript are trusted in the certified document.

  1. Open the Preferences dialog box.

  2. Under Categories, select Signatures.

  3. Under Identities & Trusted Certificates, click More.

  4. Select Trusted Certificates on the left.

  5. Select a certificate from the list and click Edit Trust.

  6. On the Trust tab, select one of the following items for which you want the certificate to be trusted:

    Use this certificate as the trusted root

    A root certificate is the originating certification authority in a chain of certification authorities that issued the certificate. If you classify the root certificate as trustworthy, all certificates issued by this certification authority are automatically classified as trustworthy.

    Signed documents or data

    Confirms the identity of the signatory.

    Categorizes documents as trustworthy if the author has certified the document with a signature. You trust the signer to certify documents and accept the actions taken by the certified document.

    When you select this option, the following options are available:

    Dynamic content

    Allows you to play movies, audio files and other dynamic elements in a certified document.

    Embedded JavaScripts with a high level of permissions

    Allows execution of privileged JavaScript embedded in PDF files. JavaScript files can be used to cause harm. We recommend activating this option only when necessary, and only for certificates you trust.

    Privileged system operations

    Allows Internet connections, cross-domain script use, background printing, external object references and the inclusion of an import / export file for security settings in certified documents.

    Enable the options "Embedded JavaScripts with a high level of permissions" and "Privileged system operations" only for sources that you trust and with whom you work closely, for example your employer or service provider.

  7. Click OK and close the Digital ID and Trusted Certificates Settings dialog box. Then click OK in the Preferences dialog box.

Further information can be found in the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_de.

The Signatures window shows information about the individual certificate-based signatures in the current document as well as the change history of the document since the first certificate-based signature. Each certificate-based signature has an icon that indicates the verification status. The details of the verification are listed under each signature and can be viewed by expanding the signature. In the "Signatures" window you will also find information about the time of the signature, as well as information about trustworthiness and the signatory.

  1. Choose View > Show/Hide > Navigation Pane > Signatures, or click the Signatures button in the document message bar.

By right-clicking a signature field in the Signatures window, you can perform most signature-related operations, including adding, deleting, and reviewing signatures. In some cases, however, the signature field is locked after it has been signed.

If the signature status is unknown or not confirmed, manually review the signature to find the problem and a possible solution. If the signature status is invalid, contact the signer about the problem.

For more information on signature warnings and valid and invalid signatures, see the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_de.

You can view the validity of a certificate-based signature and a time stamp in the signature properties.

  1. Open the PDF document that contains the signature and click the signature. The signature validation status dialog box describes the validity of the signature.

  2. For more information about the signature and timestamp, click Signature Properties.

  3. In the Signature Properties dialog box, review the summary for validity. One of the following messages may appear in the summary:

    The date and time of the signature are given according to the signer's computer clock.

    The time is based on the local time on the signer's computer.

    The signature is provided with a time stamp.

    The signer used a timestamp server and your settings show that you trust this timestamp server.

    The signature is time stamped, but the time stamp could not be verified.

    To check the timestamp, the timestamp server's certificate must be added to your list of trusted identities. Talk to your system administrator.

    The signature is timestamped, but the timestamp has expired.

    In Acrobat and Reader, time stamps are checked based on the current time. This message appears if the timestamp signer's certificate expired before the current time. To have Acrobat or Reader accept an expired timestamp, select Use Expired Timestamps in the Signature Verification Preferences dialog box (Preferences > Signatures > Verification: More). Acrobat and Reader display a warning message when checking signatures with an expired time stamp.

  4. If you would like more information about the signer's certificate, such as trust settings or legal restrictions on the signature, click View a signer's certificate in the "Signature Properties" dialog box.

    If the document was changed after it was signed, check the signed version of the document and compare it to the current version.

Each time a document is signed with a certificate, a signed version of the PDF document is saved with the PDF. Each version is saved as an append-only version, so editing the original is not possible. All certificate-based signatures and the corresponding versions can be called up in the "Signatures" window.

  1. In the Signatures window, select the signature, expand it, and choose Show Signed Version from the options menu.

    The previous version opens in a new PDF file, with version information and the name of the signer displayed in the title bar.

  2. To return to the original document, choose the document name from the Window menu.

After signing a document, you can view a list of changes made to the document since the last version.

  1. Select the signature in the Signatures pane.

  2. Select "Compare signed version with current version" from the options menu.

  3. When the process is finished, close the temporary document.
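
The append-only signed versions described above can also be inspected outside Acrobat. The following Python 3 sketch is an added example, not Adobe code: it reads each signature's /ByteRange entry, recovers the signed version, and reports how many bytes were appended after signing. The function names and the sample bytes are constructed for illustration, and the script does not verify the cryptographic signature or the certificate.

```python
import re

# /ByteRange [start1 len1 start2 len2]: the two signed byte spans; the hole
# between them holds the /Contents hex string that carries the signature.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_revisions(pdf: bytes) -> list:
    """Return one record per signature ByteRange found, in file order."""
    records = []
    for m in BYTE_RANGE_RE.finditer(pdf):
        start1, len1, start2, len2 = (int(g) for g in m.groups())
        end = start2 + len2                  # end of the bytes this signature covers
        hole = pdf[start1 + len1:start2]     # should be exactly <hex signature>
        well_formed = (start1 == 0 and len1 > 0 and start2 > len1
                       and end <= len(pdf)
                       and hole[:1] == b"<" and hole[-1:] == b">")
        records.append({
            "well_formed": well_formed,
            "trailing_bytes": len(pdf) - end,    # data appended after signing
            "signed_version": pdf[:end],         # the revision as it was signed
        })
    return records

def classify(pdf: bytes) -> list:
    """Label each signature by how much of the current file it covers."""
    labels = []
    for rec in signed_revisions(pdf):
        if not rec["well_formed"]:
            labels.append("malformed ByteRange")
        elif rec["trailing_bytes"] == 0:
            labels.append("covers whole file")
        else:
            labels.append("%d bytes appended after signing" % rec["trailing_bytes"])
    return labels

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (not a complete PDF, placeholder signature)."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    middle = b"] /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(prefix) + 34 + len(middle)    # 34 = width of the padded numbers
    start2 = len1 + len(contents)
    byte_range = b"0 %010d %010d %010d" % (len1, start2, len(tail))
    return prefix + byte_range + middle + contents + tail + appended

if __name__ == "__main__":
    update = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"   # constructed
    print(classify(build_sample()))
    print(classify(build_sample(update)))
```

Appended bytes are not in themselves a sign of tampering: a later signature or verification information added after signing also extends the file, so a non-zero count is a reason to compare the signed version with the current one.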

Classifying a certificate as trustworthy means adding it to the list of trusted identities under Manage trusted identities and setting its trustworthiness level manually. End users often exchange certificates as needed when using certificate security. They also add certificates directly from the signatures in signed documents and then determine the level of trustworthiness. In companies, however, employees often have to check the signatures of others automatically. Acrobat trusts all certificates for signing and certification that chain up to a trust anchor. Administrators should therefore configure the client installations accordingly or assist users in adding one or more trust anchors. For more information on how to trust certificates, see Digital Signatures.

You can sign PDF components in a PDF Portfolio or the entire PDF Portfolio. Once you sign a PDF component, the PDF file can no longer be edited and the content is protected. After you've signed all of the PDF components, you can sign the entire PDF Portfolio to finalize it. You can also sign the entire PDF Portfolio to lock the contents of all PDF components at the same time.

  • For more information on signing PDF components, see Signing PDF Documents. The signed PDF file is automatically saved in the PDF Portfolio.

  • To sign an entire PDF Portfolio, you have to sign the cover sheet (View > Portfolio > Cover sheet). After you have signed the entire PDF Portfolio, you cannot add any more signatures to the component documents. However, you can add additional signatures to the cover sheet.

Certificate-based signatures for attachments of PDF components

Attachments can be signed before the cover sheet is signed. To apply signatures to attached PDF files, open the PDF file in a separate window. Right-click the attachment and select the option "Open file" in the context menu. To view the signatures in the PDF Portfolio, open the cover sheet. The document message bar and signature window appear.

Signed and certified PDF portfolios

A properly signed or certified PDF Portfolio has one or more signatures that approve or certify the PDF Portfolio. The most important signature is displayed on a signature badge in the toolbar. Detailed information on all signatures is displayed on the cover sheet.

  • To see the name of the organization or person who signed the PDF Portfolio, position the pointer over the signature badge.

  • To display detailed information about the signature that is displayed in the signature badge, click the signature badge. The cover sheet and the signature window on the left are displayed with detailed information.

If the approval or certification of the PDF Portfolio is invalid or has a problem, a warning symbol appears on the signature badge. For an explanation of the problem, position the mouse pointer on the signature badge with the warning symbol. Different warning symbols are displayed for different situations.

A list with explanations of the warnings can be found in the DigSig Administrator's Guide at www.adobe.com/go/learn_acr_security_de.

Acrobat and Reader support data signatures in XML format. These are used to sign data in XFA forms (XML Forms Architectures). For form events such as mouse clicks, file storage, or submission, the form creator provides instructions on XML signature functionality, verification, or removal.

Data signatures in XML format conform to the W3C XML signature standard. Just like digital PDF signatures, digital XML signatures ensure the integrity and authentication of the document.

However, PDF signatures have more than one data validation status. Some of these status ratings are activated when digitally signed PDF content changes. In contrast, XML signatures only have the status valid or the status invalid. The invalid status is activated when changing XML-signed content.

With the long-term signature check, you can check the validity of a signature long after the document has been signed. For a long-term check, all elements required for the signature check must be embedded in the signed PDF. Embedding these elements can be done when the document is signed or after the signature is created.

If certain information is not added to the PDF, a signature can only be validated for a limited time. This restriction is due to the fact that certificates associated with the signature expire or are revoked at a certain point in time. If a certificate has expired, the issuing body is no longer responsible for status information on the revocation of the certificate. Without a corresponding revocation status, the signature cannot be verified.

Elements required to establish signature validity include the signing certificate chain, the revocation status of the certificate, and possibly a time stamp. If the necessary elements are available and are embedded when signing, the signature can be checked without relying on external validation resources. The required elements can be embedded in Acrobat and Reader, provided they are available. The author of the PDF document must activate the appropriate usage rights for Reader users (File > Save as > PDF with extended reader functions).

A properly configured timestamp server is required to embed timestamp information. In addition, the signature verification time must be set to "Backup time" (Preferences > Security > Advanced preferences > Verification tab). With CDS certificates, further verification information such as revocations and time stamps can be added to documents without additional configuration by the signatory. However, the signer must be online to obtain the required information.

Add verification information when signing

  1. Make sure your computer can connect to the necessary network resources.

  2. Make sure the preference "Include signature's revocation status when signing" is selected (Preferences > Signatures > Creation & Appearance: More). This preference is selected by default.

  3. Sign the PDF document.

When all elements of the certificate chain are available, the information is automatically added to the PDF. If a timestamp server has been configured, the timestamp is also added.

Add verification information after signing

In some workflows, signature verification information is not available when signing, but can be accessed later. For example, a company representative may officially sign a contract on his laptop while traveling by air. However, at this point the computer cannot communicate with the Internet to add timestamp and revocation information to the signature. Later, when an internet connection is available, anyone who validates the signature can add this information to the PDF file. All subsequent signature checks can then also use this information.

  1. Make sure your computer can connect to the necessary network resources, then right-click the PDF file's signature.

  2. Select the option to add verification information.

The information and methods for embedding this long-term signature verification information (LTV) in the PDF file comply with Part 4 of the ETSI 102 778 PDF Advanced Electronic Signatures (PAdES) standard. For more information, see blogs.adobe.com/security/2009/09/eliminating_the_penone_step_at.html. The command is not available if the signature is invalid or signed with a self-signed certificate. The command is also not available if the verification time matches the current time.