Why iText check if the signature covers whole document returns FALSE, if the only information added after signing was DSS? No other changes were made in the document.
But you yourself say that something has been added after signing. Thus, the signature does not cover the whole document. Thus, if iText reported something different here, it would be wrong.
In iText 7.1.7 method SignatureUtil.signatureCoversWholeDocument does not take into account DSS byte range. For me DSS is part of the signature and validation check should count with this.
DSS is not part of the signature. Please re-read the specifications.
SignatureUtil.signatureCoversWholeDocument checks whether the signed byte ranges of the given signature encompass the whole PDF except the gap left during signing for embedding the CMS signature container.
If there is any addition to the document thereafter, the method will return false even if the addition only contains DSS, actually even if the addition contains no new objects, and also even if only a trailing eol is added.
How to ignore/exclude DSS bytes at the end of the PDF document when calling signatureCoversWholeDocument method?
What you need is something else. What you need is code that checks whether additions applied to a PDF after a signature are allowed or disallowed. iText does not contain a method for that, so you have to implement that code yourself or look for a third-party implementation.
Please be aware that this task is not easy. Even the implementation thereof in Adobe Acrobat (which may serve as a kind of reference here) errs every so often, and in either direction.
