signedpdf | A Python library for digitally signing PDFs | Document Editor library

Normally you can directly set things in the constructor but there is an issue with Controllers in regards to middleware. The Controller is resolved before the request has passed through the middleware stack. Which means you usually won't have things like sessions or auth available yet. You would want to use a closure based middleware in the constructor of the Controller to be able to set this value:

I would like to know why my signature goes in the side panel and instead the one I find in the other files is located at the bottom of the page and is visible immediately. How can I show my signature on the page as shown in the image (*IMG2)?

Your signature has no visualization in the document because you created it as an invisible signature (firma invisibile)! If you want to create a visible signature, you have to tell iText where that visualization shall go. You do that using the PdfSignatureAppearance method SetVisibleSignature:

Your code as is adds an image to the static content of a page. That is forbidden to do to a signed file. For details on allowed and disallowed changes to a signed PDF read this answer.

According to your code comments, though, you also tried to alternatively add the image to the signature appearance. That is not forbidden as such. But analyzing the provided example PDFs it becomes apparent that in this attempt additional content streams have been added to the page. Even though they essentially are empty, this is considered a change of page content which is disallowed.

As it turned out, you didn't add the image to the page content in this attempt but you still retrieved the OverContent of the page:

A first quick look through your code revealed two major errors.

You hash the document data twice (using different APIs for that... weird!):

Thanks to Tilman Hausherr I could figure out what was going on:

1 - I have a Desktop APP that communicates with SmatCards and so on, and it is the signer. To communicate with the server (through a webpage) we use WebSocket. I've written my own websocket server class, and that is why it's only prepared to work with 65k bytes. Than when I tried to send the data here:

Since the signature that I receive does not contain a timestamp from a timestamp server, can I embed such a timestamp at this point or should the remote web service add it before sending the signature to me?

Such a time stamp is added to the signature container as unsigned attribute. Because they are not signed, unsigned attributes in a signature container can be changed after applying a signature, e.g. additional ones can de added.

Thus, you yourself can in particular add a time stamp to the signature container retrieved from your service.

Depending on the nature of your signatures, though, you might have to increase the size of the placeholder you create in the pdf to have enough space for the additional time stamp.

I was trying with wrong pair of DSC (USB token) and timestamp URL. That was the reson it was throwing exception to me while adding LTV.

Then I tried with actual global sign dsc and url embedded in it's property of x509 extension then it worked and I was able to sign PDF : zeta-uploader.com/browse/897639557

Reference Code for fetching timestamp URL:

There are a number of issues in your code.

First of all your code mixes different iText signing API generations. There is the older API generation which requires you to work very near to the PDF internals, and there is the newer (since version 5.3.x) API which is implemented as a layer over the older API and does not require you to know those internals.

The "Digital Signatures for PDF documents" white paper focuses on showing the newer API, only section 4.3.3 "Signing a document on the server using a signature created on the client" uses the old API because the use case does not allow for the use of the newer API.

Your use case does allow for the use of the newer API, though, so you should try and use only it.

(In certain situations one can mix those APIs, but you then should really know what you're doing and still can get it awfully wrong...)

But now some more specific issues:

The MakeSignature.Sign* methods implicitly close the underlying PdfStamper and SignatureAppearance objects, so working with those objects thereafter should not be assumed to result in sensible information.

But in GetBytesToSign you do

What can be does to fix this issue?

If Adobe is selling a special certificate for PDF, we are willing to perches such certificate! is that an option?

I have searched all over, but could not find a proper solution.

By default Adobe Reader trusts certificates with issuers from Adobe's own AATL (Adobe Authorized Trust List) and the EUTL (European Union Trust List).

For details read Adobe Trust Services:

Adobe facilitates trusted and secure exchange of electronic documents and information by means of trust services that enable individuals, governments and enterprises around the world to run their businesses safely based on principles of Security, Availability, Authenticity, Integrity, Confidentiality, and Privacy.

Adobe Authorized Trust List (AATL)

The Adobe Approved Trust List (AATL) is the largest Trust Service for electronic documents in the world allowing millions of users to create digital signatures that are trusted whenever the signed document is opened in the ubiquitous Adobe Acrobat or Acrobat Reader software. Over 6 billion electronic and digital signature transactions are processed through Adobe Document Cloud solutions every year.

Acrobat and Acrobat Reader have been programmed to reach out to an online service run by Adobe to periodically download a list of trusted digital certificates from leading Trust Service Providers.

Digital signatures created with a Digital ID that has been issued under any of the trustworthy certificates published in the AATL will appear as trusted in Acrobat and Acrobat Reader. This enormously simplifies the validation of these signatures without requiring any specialized software or custom configuration.

Visit the Adobe Authorized Trust List web page to know more about the AATL program and view the list of partners that provide trusted AATL Digital IDs.

Adobe European Union Trust List (EUTL)

EU Trusted lists are essential elements in building trust among electronic market operators by allowing users to determine the qualified status and the status history of trust service providers and their services.

The Adobe European Union Trust List (EUTL) is a reduced version of the combined trusted lists from all EU Member States and EEA countries which includes the information specified in Article 1 of European Commission Implementing Decision (EU) 2015/1505.

Some Member States may include in their trusted lists information on non-qualified trust service providers, but these services are excluded from the Adobe EUTL. Some Member States may also include in their trusted lists information on nationally defined trust services of other types than those defined under Article 3(16) of EU Regulation n. 2014/910. As these services are not qualified according to EU Regulation n. 2014/910, they are excluded as well from the Adobe EUTL.

Acrobat and Acrobat Reader have been programmed to reach out to an online service run by Adobe to periodically download the list of trusted digital certificates from EU Qualified Trust Service Providers that meet the requirements specified in Article 1 of the Implementing Decision (EU) 2015/1505.

Digital signatures created with a Digital ID that has been issued under any of the trustworthy certificates published in the EUTL will appear as trusted in Acrobat and Acrobat Reader. This enormously simplifies the validation of these signatures without requiring any specialized software or custom configuration.

Visit Adobe’s European Union Trust List (EUTL) web page to know more about the EUTL program and view a list of providers that issue EUTL trusted services.