m32/endesive

Signature validation failure for European Commission DSS

hemil opened this issue · 6 comments

hemil commented

We came across an issue when using endesive to sign a PDF. When trying to validate a signature here for a European Commission DSS, it throws an error:

The certificate chain for signature is not trusted, it does not contain a trust anchor.
The signed attribute: 'signing-certificate' is absent!

These are the sample files I used:
original_file

file_with_signatures

On looking further into the endesive code, I could see that this commit adds the signing-certificate attribute but it isn't there in the latest release.

I wanted to ask regarding your release plan for this commit above.

Please let me know if you could think of an alternate solution to this.

m32 commented

Somehow I procrastinated with the next version and I don't know why. Version 2.0.16 generated and uploaded to pypi.

hemil commented

Thanks @m32 Let me try it again with the new version.

hemil commented

We tried it with the new version. We're no longer getting the "The signed attribute: 'signing-certificate' is absent!" part of the error, but the validation is still failing due to

        Unable to build a certificate chain up to a trusted list!
        The signature/seal is an INDETERMINATE AdES digital signature!

The error: [screenshot]

Do you have an idea regarding the cause of this?

The v16-signed PDF file

m32 commented

$ ./pdf-verify-xx.py test_hemil_europa_certs-1.pdf

test_hemil_europa_certs-1.pdf

failed certificate verification: The path could not be validated because the end-entity certificate expired 2022-03-18 02:57:35Z

cert.issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Entrust, Inc.'), ('organizational_unit_name', ['See www.entrust.net/legal-terms', '(c) 2015 Entrust, Inc. - for authorized use only']), ('common_name', 'Entrust Class 3 Client CA - SHA256')])
cert.subject: OrderedDict([('country_name', 'IN'), ('state_or_province_name', 'Haryana'), ('locality_name', 'Gurgaon'), ('organization_name', 'Draftspotting Technologies Private Limited'), ('common_name', 'Draftspotting Technologies Private Limited'), ('email_address', 'signingops@spotdraft.com')])

** signature no: 0 **
signature ok? True
hash ok? True
cert ok? False

hemil commented

My bad. We updated the certificate and tested it. It's throwing the same error.

test_hemil_europa_certs_v16-valid_cert.pdf

[screenshot]

m32 commented

It seems to me that the DSS demo does not have up-to-date root certificates. I signed the document with Acrobat Reader and got the same errors.
pdf-1.pdf
pdf.pdf