Is this pdf digital signed correctly? PHP/TCPDF

Question

I'm updating a project for my company and there is a section where we need to digitally sign a pdf with our certificate file. In this case, I should change the script that signs this pdf using an updated library from PHP.

In the old code, we were using another script to make happen that, and we had to use a .p12 file + a string. Using this old script, when you open the created pdf with Acrobat Reader DC we get the next image where you can see that says "Signed and all signatures are valid".

In the new script, I'm using the next example:

https://tcpdf.org/examples/example_052/

To be able to apply this example with my certificate I had to convert my pfx file certificate (".p12") to 2 kinds of ".pem" throw these nexts commands lines:

openssl pkcs12 -in myOldCertificate.p12 -clcerts -nokeys -out publicCert.pem -> asked me "Enter Import Password"

openssl pkcs12 -in myOldCertificate.p12 -nocerts -out privateKey_cert.pem -> asked me "Enter Import Password" and also for "Enter PEM pass phrase"

So finally, I just changed the line 89 from the downloaded example 52.

// set document signature

$pdf->setSignature('file:///var/www/html/publicCert.pem', 'file:///var/www/html/privateKey_cert.pem', 'xxxxxx', '', 2, $info); -> In the 'xxxxx' I wrote the same string as the Import password and, just in case, also the same for PEM pass phrase.

And when I create the digital signed pdf and open it with the Acrobat Reader DC you can see the next image:

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid. You have to think that I will need the most secure way to verify the authenticity and the integrity of this pdf.

Answer 1

The PDF format supports two types of user signatures:

• approval signatures and
• certification signatures.

Certification signatures in addition to signing the document also select which changes to the document shall be allowed after signing; approval signatures merely sign.

Usually the author of a document signs it using a certification signature to indicate that he is the author of the document and allows only certain additions to it (e.g. form fill-ins). A so certified document then is forwarded to other parties who (probably after form fill-ins) sign the document using an approval signature to indicate that they approve the document contents including their additions.

Your old code applied an approval signature while your new code applies a certification signature allowing "only form fill-in, signing, and page adding actions".

Concerning your worries

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid.

Other than the difference described above, the certification signature is just as valid as the approval signature. As an overview of the meanings of the signature status bar icons, have a look here:

(This cheat sheet is for Adobe Acrobat and Reader 9; meanwhile the color of the certification ribbon has changed from blue to black but its meaning is still the same)

---

If you strictly want to go back to an approval signature, try extending the line

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);

in the example code with another parameter to

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info, 'A');

which should (at first glance at the TCPDF sources) cause the code to create approval signatures.