[ 
https://issues.apache.org/jira/browse/PDFBOX-5647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17753466#comment-17753466
 ] 

Tilman Hausherr commented on PDFBOX-5647:
-----------------------------------------

I suspect solving this would require changes in the parser (because PDFBox 
doesn't "remember" what was added in what version) or identifying the EOF 
positions and reading several versions of the file into several PDDocuments and 
then comparing the changes.

> Showing signature verified for tampered document
> ------------------------------------------------
>
>                 Key: PDFBOX-5647
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5647
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>            Reporter: Tanmay Sharma
>            Priority: Blocker
>         Attachments: Doc1_signed.pdf, Doc1_signed_corrupted.pdf
>
>
> A 2-page document was signed. The signature of the document was verified by the
> [ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java]
> and it prints "Signature Verified". 
> Then a corrupted signed PDF was created by deleting the second page of the 
> same signed PDF, and the signature of the corrupted PDF was also verified 
> using the [ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java].
> Ideally the verification should fail because the hash of the document is changed 
> (as the second page is deleted). But instead of printing "Signature verification 
> failed", it still prints "Signature Verified". 
> How is the signature of the corrupted PDF still getting verified successfully?
> Both the signed PDF and the corrupted signed PDF are added in the attachments.



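The EOF-position idea from the comment above, as an added example (not PDFBox code and not from the original message): it lists where each saved revision ends and flags signatures whose /ByteRange stops before the end of the file. It assumes the modification was appended as a later revision and that /ByteRange is stored as plain text; the sample bytes and helper names are constructed for illustration.

```python
import re

EOF_RE = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
BYTERANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def revision_ends(pdf: bytes) -> list[int]:
    """Offset just past each %%EOF marker; each one closes a saved revision."""
    return [m.end() for m in EOF_RE.finditer(pdf)]

def unsigned_revisions(pdf: bytes) -> list[dict]:
    """For every signature, report revisions that lie beyond its signed bytes."""
    ends = revision_ends(pdf)
    report = []
    for m in BYTERANGE_RE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        covered_end = c + d  # last byte offset the signature hash covers
        report.append({
            "byte_range": (a, b, c, d),
            "covered_end": covered_end,
            "covers_whole_file": a == 0 and covered_end == len(pdf),
            # revisions ending after covered_end are not protected by the hash
            "later_revision_ends": [e for e in ends if e > covered_end],
        })
    return report

def build_sample() -> tuple[bytes, bytes]:
    """Constructed data: a minimal 'signed' revision, then one appended revision."""
    tmpl = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig "
            b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 16 + b">"  # placeholder, excluded from the hash
    tail = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    first_len = len(tmpl % (0, 0, 0))  # fixed-width fields keep the length stable
    head = tmpl % (first_len, first_len + len(contents), len(tail))
    signed = head + contents + tail
    appended = signed + (b"3 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n"
                         b"trailer\n<< /Root 2 0 R /Prev 0 >>\n%%EOF\n")
    return signed, appended

if __name__ == "__main__":
    for name, data in zip(("signed", "signed+appended"), build_sample()):
        for entry in unsigned_revisions(data):
            print(name, entry)
```

A signature whose `covers_whole_file` is false can still hash correctly over its own byte range, so a verifier has to report the uncovered revisions separately from the cryptographic result.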