[ 
https://issues.apache.org/jira/browse/PDFBOX-5647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17753455#comment-17753455
 ] 

Tanmay Sharma commented on PDFBOX-5647:
---------------------------------------

[~mkl] thanks for the update. Is there some way we can find the incremental 
updates using PDFBox? I know that no proper solution is available, but my team 
will do a PoC to check if they can solve that issue. It would be great if you 
can guide us on how we can find all the incremental updates. We will try to 
implement a solution to check which incremental updates are allowed for 
different PDFs.

> Showing signature verified for tampered document
> ------------------------------------------------
>
>                 Key: PDFBOX-5647
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5647
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>            Reporter: Tanmay Sharma
>            Priority: Blocker
>         Attachments: Doc1_signed.pdf, Doc1_signed_corrupted.pdf
>
>
> A 2-page document was signed. The signature of the document was verified by the
> [ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java]
> and it prints "Signature Verified".
> Then a corrupted signed PDF was created by deleting the second page of the
> same signed PDF, and the signature of the corrupted PDF was also verified
> using the [ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java].
> Ideally the verification should fail because the hash of the document is changed
> (as the second page is deleted). But instead of printing "Signature verification
> failed", it still prints "Signature Verified".
> How is the signature of the corrupted PDF still getting verified successfully?
> Both the signed PDF and the corrupted signed PDF are added in the attachments.
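
Added example (not part of the original message and not PDFBox code): one way to list revisions that were appended after the bytes a signature covers, in plain Java. It assumes the `int[]` argument has the layout of the signature's `/ByteRange`, which PDFBox exposes as `PDSignature.getByteRange()`; the class name, method names and sample bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class; not part of PDFBox.
public class IncrementalUpdateCheck {

    // End offset (exclusive) of each revision. Every revision of a PDF ends with
    // an %%EOF marker. Heuristic: the marker can also occur inside stream data
    // or in the first-page section of a linearized file.
    static List<Integer> revisionEnds(byte[] pdf) {
        String s = new String(pdf, StandardCharsets.ISO_8859_1); // one char per byte
        List<Integer> ends = new ArrayList<>();
        for (int i = s.indexOf("%%EOF"); i >= 0; i = s.indexOf("%%EOF", i + 5)) {
            int end = i + 5;
            if (end < s.length() && s.charAt(end) == '\r') end++;
            if (end < s.length() && s.charAt(end) == '\n') end++;
            ends.add(end);
        }
        return ends;
    }

    // byteRange = {off1, len1, off2, len2}: the signed bytes are [off1, off1+len1)
    // and [off2, off2+len2); the gap between them holds the signature itself.
    // Returns the end offsets of revisions that lie beyond the signed bytes.
    static List<Integer> revisionsAfterSignature(byte[] pdf, int[] byteRange) {
        long signedEnd = byteRange[2] + (long) byteRange[3];
        List<Integer> later = new ArrayList<>();
        for (int end : revisionEnds(pdf)) {
            if (end > signedEnd) later.add(end);
        }
        return later;
    }

    public static void main(String[] args) {
        // Constructed sample bytes, shaped like a signed revision plus one appended update.
        String signed = "%PDF-1.7\n1 0 obj\n<< /Contents <00ff> >>\nendobj\n%%EOF\n";
        String update = "2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n%%EOF\n";
        byte[] pdf = (signed + update).getBytes(StandardCharsets.ISO_8859_1);
        int gapStart = signed.indexOf('<', signed.indexOf("/Contents"));
        int gapEnd = signed.indexOf('>', gapStart) + 1;
        int[] byteRange = {0, gapStart, gapEnd, signed.length() - gapEnd};

        List<Integer> later = revisionsAfterSignature(pdf, byteRange);
        System.out.println("bytes in file: " + pdf.length
                + ", signed up to: " + (byteRange[2] + (long) byteRange[3]));
        System.out.println("revisions appended after the signature end at: " + later);
    }
}
```

With PDFBox, the same check can be run per signature by passing the file's bytes together with `getByteRange()` of each `PDSignature` returned by `PDDocument.getSignatureDictionaries()`. A non-empty result means the file contains bytes that the signature's hash never covered, so a valid signature says nothing about them.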


