Bug 121133 - Adobe Reader DC claims that the PDF has been modified after signing
Summary: Adobe Reader DC claims that the PDF has been modified after signing
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Printing and PDF export (show other bugs)
Version:
(earliest affected)
6.1.2.1 release
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: filter:pdf
Depends on:
Blocks: PDF-Export Digital-Signatures
  Show dependency treegraph
 
Reported: 2018-11-02 19:58 UTC by Alexander E. Patrakov
Modified: 2020-07-29 07:41 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:


Attachments
Test document signed in LibreOffice Writer on Linux (69.00 KB, application/pdf)
2018-11-02 19:58 UTC, Alexander E. Patrakov
Details
Test document signed in jSignPDF 1.6.4 on Linux (49.59 KB, application/pdf)
2018-11-02 19:59 UTC, Alexander E. Patrakov
Details
Warning displayed by Adobe Reader DC (38.87 KB, image/jpeg)
2018-11-02 20:05 UTC, Alexander E. Patrakov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander E. Patrakov 2018-11-02 19:58:08 UTC
If I sign an existing PDF document in LibreOffice Draw, or export PDF from LibreOffice Writer and sign it during export, then Adobe Reader does not like the signature: it claims that the page has been modified. The expectation is that the signature checking should pass without any complaints.

I will attach an example document signed by LibreOffice Writer.

It is also possible to export the same document without signatures, and then use the same certificate in jSignPdf 1.6.4 to sign it. The result does not trigger the "pages modified" alert in Adobe Reader DC, so it is not a problem with the certificate. I will attach a document to demonstrate this, too.

Note: by default, Adobe Reader DC does not trust certificates issued by COMODO. To verify my signature, please, in Adobe Reader DC, go to Edit > Preferences > Signatures > Verification > More... and check the box "Trust ALL root certificates in the Windows certificate store for: [X] Validating signatures".
Comment 1 Alexander E. Patrakov 2018-11-02 19:58:43 UTC
Created attachment 146257 [details]
Test document signed in LibreOffice Writer on Linux
Comment 2 Alexander E. Patrakov 2018-11-02 19:59:16 UTC
Created attachment 146258 [details]
Test document signed in jSignPDF 1.6.4 on Linux
Comment 3 Alexander E. Patrakov 2018-11-02 20:05:15 UTC
Created attachment 146259 [details]
Warning displayed by Adobe Reader DC
Comment 4 Mike Kaganski 2018-11-02 21:02:28 UTC
Thank you for filing the issue!

Could you please describe, step-by-step, how did you sign the PDF in LibreOffice, mentioning every button click and keypress (except for passwords, of course)? My assumption would be that you have saved the PDF after signing.
Comment 5 Alexander E. Patrakov 2018-11-02 21:19:13 UTC
0. Make sure that Firefox is not running (not sure if it is relevant)
1. Open LibreOffice Writer on Arch Linux
2. File > Open, open the odt document. Or just type the text and save it as an odt file.
3. At this stage, the document is not modified. Click File > Export As > Export as PDF...
4. A dialog appears.
5. On the general tab, leave all settings as the defaults. However, I remember that, in the past, i have specifically unticked the "Create a PDF form" box on the General tab, and LibreOffice remembers this. Anyway, the settings on the general tab are: All pages, JPEG compression at 90%, reduce image resolution to 300 dpi, no watermark, no checkboxes in the right column.
5. On all other tabs except Digital signatures, leave all the settings as defaults.
6. On the Digital Signatures tab, select my certificate (that is, click Select, double-click the certificate), type the password, leave all other fields empty.
7. Press the Export button in the bottom right corner of the dialog.
8. Type the desired filename for the PDF file, press Save.
Comment 6 Alexander E. Patrakov 2018-11-02 21:48:19 UTC
This bug is reproducible on Arch Linux but not under Windows 10.
Comment 7 Miklos Vajna 2018-11-06 13:28:49 UTC
FWIW xmlsecurity/qa/create-certs/ has a shell script you can run on Linux and use the resulting test certificates on both Windows an Linux if you want to reproduce this.
Comment 8 Alexander E. Patrakov 2018-11-06 15:01:13 UTC
You can also get free email certificates from COMODO, just as I did.
Comment 9 shara valery 2018-11-19 07:48:26 UTC Comment hidden (spam)
Comment 10 Alexander E. Patrakov 2018-11-19 07:51:27 UTC
Sorry, I can't just tell my correspondents to install Acrobat DC. They open my files in Adobe Reader DC, they don't need to edit the PDF.
Comment 11 Josh George 2019-06-06 06:11:37 UTC Comment hidden (spam)
Comment 12 Andre Russell 2019-06-07 10:19:58 UTC Comment hidden (spam)
Comment 13 dgs 2019-08-01 08:43:13 UTC Comment hidden (spam)
Comment 14 Jems Smith 2019-08-07 12:41:05 UTC Comment hidden (spam)
Comment 15 jones smith 2019-08-16 11:33:10 UTC Comment hidden (spam)
Comment 16 Timur 2019-11-04 15:50:13 UTC
Same warning in LO 6.4+ in Windows 7 as in attachment 146259 [details]: "1 Page(s) Modified". I guess I can put to New. But please also test.
Comment 17 realsciallikes 2019-12-10 09:02:09 UTC Comment hidden (spam)
Comment 18 Jaydeep Dahiwal 2020-04-28 07:39:00 UTC Comment hidden (spam)
Comment 19 Jaydeep Dahiwal 2020-04-28 07:39:44 UTC Comment hidden (spam)
Comment 20 Michal Bozon 2020-04-30 16:05:51 UTC
I have the same problem. Signed PDF document exported by LibreOffice (Writer) signature seems to be OK when verified e.g. by poppler pdfsig utility. However Adobe Reader (used to make sure the exported document is correct for mainstream users utilizing mainstream apps, or rather correct then opened in THE PDF reader app) successfully verifies the signature, but claims that the document was modified after signing. This does not happen e.g. for some randomly chosen PDF document released and signed by the (our) government.

The problem is unaffected by changing "normal" to archive PDF/A (either 2b or 1b) PDF export option (other options left default).

LiberOffice version: 6.4.3.2 (build 6.4.3-1) (but it's a long-term problem, the same problem was months or years ago)
Adobe Reader version: 11.0.10 (for Windows, running in Wine)
OS: Arch linux
Comment 21 Michal Bozon 2020-04-30 20:21:25 UTC
.. to check a different linux flavour,
I have tested in Debian stable (10.3, x86_64), libreoffice 6.1.5.2 (build 1:6.1.5-3+deb10u5).

And the problem is still the same.
Comment 22 Michal Bozon 2020-04-30 22:57:43 UTC
.. I currently do not have resource to inspect and build LibreOffice source, but I've made potentially interesting observation when inspecting/manipulating the resulting PDF file.

When the last (4th) PDF signature /ByteRange [ ... ] component (i.e. 2nd offset) is increased by 1, the signature is of course verified as incorrect, but the "1 Page(s) Modified" no longer appears (it is not the case if the value is decreased by 1).
Comment 23 critic 2020-06-28 03:23:53 UTC Comment hidden (spam)
Comment 24 johan 2020-07-29 07:24:41 UTC Comment hidden (spam)