1
votes

I'm generating a PDF file with puppeteer. It automatically generates a PDF-1.4 file. Then, I use dss to digitally sign it with a PAdES signature. The resulting file can be opened in PDF viewers and PDFStudio seems to correctly parse the document signature.

Is this valid however? Wikipedia states that the PDF/A-2 (which is based on 1.7) added support for PAdES. Do I need to generate at least PDF-1.7 (or PDF/A-2) to have a valid PDF file with a valid signature?

Note: I use the term valid in both the technical and legal terms.

1

1 Answers

1
votes

The PAdES norm ETSI EN 319 142 characterizes

PAdES signatures profiled in the present document build on PDF signatures specified in ISO 32000-1 with an alternative signature encoding to support digital signature formats equivalent to the signature format CAdES.

The PDF norm ISO 32000-1 characterizes

ISO 32000 specifies a digital form for representing documents called the Portable Document Format or usually referred to as PDF. PDF was developed and specified by Adobe Systems Incorporated beginning in 1993 and continuing until 2007 when this ISO standard was prepared. The Adobe Systems version PDF 1.7 is the basis for this ISO 32000 edition. The specifications for PDF are backward inclusive, meaning that PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6. It should be noted that where Adobe removed certain features of PDF from their standard, they too are not contained herein.

(This may sound a bit confusing, on one hand PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6, on the other hand Adobe removed certain features of PDF from their standard. Indeed, some features were removed but I don't believe your PDF 1.4 files are affected.)

Thus, a PDF file like yours claiming a version 1.4 also is a PDF 1.7 by backward inclusiveness and as such can get signed by PAdES signatures.

Thus, yes, PDF 1.4 files can (technically) validly be signed with PAdES signatures. (Unless, obviously, your files explicitly disallow this.)

(Actually one can also view PAdES signatures as adopted in ISO 32000-2; in this case your PDF 1.4 files by backward inclusiveness are also PDF 2.0 and as such can be signed using PAdES signatures as specified there.)


You also enquire about legal aspects. First of all, I am not a lawyer, so don't consider this formal legal consultation.

To start with, though, you have to make clear in which legal system you want to investigate legal validity.

While PAdES originally has been defined in the context of European Union signature regulations, a number of other countries also adopted PAdES as standard for their preferred PDF signatures.

So: Are you wondering about validity as signatures in the context of EU eIDAS signatures? Are you considering specific regulations of EU member states? Or are you wondering about the situation in other countries outside the EU?

In the EU your PAdES signatures should be generally accepted. Even though there may be some member state special regulations in specific contexts, they should only influence your choice of the PAdES profile you request for your signatures from DSS, they should not render your PDF 1.4 source PDFs unusable for PAdES signing.

I don't know specifics about non-EU legal systems with a PAdES preference. But I indeed would be surprised if any would be bothered by your PDFs being PDF 1.4.


In comments the question arose whether the signed file is also still a valid PDF 1.4 and if not whether the version 1.4 in the file header would be a concern.

Obviously PDF 1.4 does not know the details of the PAdES signature encodings. Fortunately, though, the PDF Reference 1.4 actually does not know any specific signature encoding at all! Thus, no signature encoding is invalid as long as it follows the very few rules present in the PDF 1.4 reference, and PAdES signatures do so.

Furthermore, the PDF 1.4 reference allows

A PDF producer or Acrobat plug-in extension may also add keys to any PDF object that is implemented as a dictionary, except the file trailer dictionary (see Section 3.4.4, “File Trailer”).

Thus, any keys added while applying the PAdES signature which are not defined in PDF 1.4 are harmless.

Thus, the PDF 1.4 files with PAdES signatures added are also still valid PDF 1.4 files. Obviously, though, a plain PDF 1.4 viewer does not know how to validate the PAdES signatures. But as it does not know how to validate any signatures at all, that's of no concern.