signpdf | Python script to add signature images to PDFs | Image Editing library

I uploaded a new build here: https://www.npmjs.com/package/@chilkat/ck-node14-win64 It is the version "9.50.89-hotfix1".

Please give it a try. Also, I see you are passing "TnTrust Token" to LoadFromSmartCard. If the problem remains, try passing an empty string. This should cause Chilkat to try using the default Microsoft CNG Storage Provider, which may have better success.

This answer essentially is a more detailed version of the comments, essentially finding that what you want to do is not possible.

You ask for a way to

Certify Document when Approval Signature exist

According to the current PDF specification:

Thus, you cannot validly add a certification signature to a PDF which already has approval signatures.

(This does not automatically mean that all validators will detect the issue if you add a certification signature after approval signatures, let alone correctly display the cause. Many validators only do a subset of the checks that strictly speaking are necessary...)

More question if the certification signature come first then next is approval like 3 signature approval, can the last the certification setMDPPermission with 1 ? so at the end the document can't add more approval signature

setMDPPermission adds a DocMDP transform to the signature, and such a transform makes the signature a certification signature. Thus, using this method when signing a document that already has an approval signature, will create an invalid PDF or fail entirely.

You can lock a PDF document with an approval signature, though, if you add a Lock dictionary to the signature field with a P entry of 1. Beware, though, this is a ISO 32000-2 feature originally introduced as a feature of an Adobe Extension to ISO 32000-1. Not all PDF viewers support ISO 32000-2 yet, so some viewers may not respect this entry.

The error message "DocMDP transform method not allowed if an approval signature exists" is correct.

If you want to add a signature to an already signed PDF, simply remove the

I figured it out. I logged the width and the height of my custom view on the overridden setImageBitmap function. Both returns zero. So i logged them again in the onLayout function, and both of them returns the actual width and height of my custom view.

Finally, i decided to use drawBitmap() instead of setBitmap() to resize the bitmap and moved a couple of lines from the setImageBitmap function to the bottom of onLayout function.

It seems the reason why the signed pdf is no longer a valid PDF-A1a is the estimated size for the signature. I have used a value of about 120kb for the signature.

thanks to mkl

i was able to solve the issue by updating openpdf version

updated maven config is

I couldn't reproduce the “Unexpected byte range values defining scope of signed data” error message with the first example document, Foxit "merely" complained that the signature was invalid. Which it indeed is because you forgot to base64-decode the signature string before injecting it into the PDF - PDF requires the embedded signature containers in DER format.

The second example document was shared in a comment:

Now I don't get the error about the byte range anymore but I get new errors: "The document has been altered or corrupted since the Signature was applied." and "The Signer's identity is invalid because it has expired or is not yet valid." and "The signature includes an embedded timestamp but it could not be verified." Not sure if I'm doing it correctly now. This is the new file: https://drive.google.com/file/d/1vsa7thwCsi04r68cdcIsfJG7cT2__-d9/view?usp=sharing

Indeed, the signature container now is injected in DER format, so Foxit Reader can validate it. Concerning the new error messages:

"The document has been altered or corrupted since the Signature was applied." - this indicates here that there is some digest value mismatch.

Calculating and extracting the digest values in question shows that the SHA256 digest value of the signed byte ranges of the document is

In your example PDF the name of the signature field consists of 10 bytes, 9 bytes with value 0x00 and one byte with value 0x01. Apparently Adobe Reader does not like that field name.

After some experiments it looks like Adobe Reader does not like a field name starting with a 0x00 byte.

Maybe it contains some code that determines string lengths in a c'ish manner and interprets a 0x00 as end-of-string. A field name with a leading 0x00 byte, therefore, is interpreted as empty string, a field name not accepted by Adobe Reader either.

Thus, please use a signature field name made of (in particular starting with) some meaningful characters. As validators usually display the name of the signature field, this is a good idea anyways.

In terms of lowlevel PDF objects:

The signature field object looks like this:

So I figured it out.

Can I achieve my goal without having to manually upload a p12/pfx file, is it even possible?

Yes, it is. (See below on what needs to be changed.)

Is the server-side implementation of the deferred signature correct, do I need something else?

Yes, the code above is fine.

Is the pdf manipulation in javascript correct?

Also fine.

Can I transform the native CrytpoKey to forge or pkijs?

Yes, see below.

What is wrong with the last signature?

@mkl answered it in a comment, thank you.

FortifyApp has a CMS demo now. Although it didn't work with the version I was using, it works with version 1.3.4.

So I went with the pki.js implementation. The code changes need for the signing to be successful are the following:

1. Export the certificate: