18.09.2024
Durée de Lecture: 6 Minuten

Long live PDF/A – down with the signature?

Dans cet Article
    There are all kinds of regulations when it comes to archiving documents. The PDF/A standard ensures long-term reproducibility. This is why many companies are switching to PDF/A with the help of SEAL Systems. When adapting PDF files to the PDF/A standard, we are increasingly encountering digitally signed files. This supposedly presents us with a problem: we can either adapt to the standard or retain the signature. Both are not possible. Or can we?

    Sign PDF files correctly

    Note the order – signature comes last

    But why are files signed before they are saved with our PDF/A workflow? Applying a signature in a document workflow should always be the last step. However, the signature is often applied before our customers receive the file – e.g. from their suppliers. Signatures are currently very much in vogue and so the case of external files being signed is becoming increasingly common.

    Furthermore, the use of simple and intuitive solutions such as Adobe Sign and Docu Sign is increasing. These can be used to quickly replace an established signature process in the company with an end-to-end digital process. The technical quality of these digital signatures is quite low, but where there are no legal requirements, these solutions may suffice. The introduction is so simple that subsequent processes, such as archiving, are usually not considered.

    Attention! Error! “Document was changed or damaged after signing”

    If a PDF file is not standard-compliant, it must be changed in order to be archived in accordance with the law. If it was already signed, this signature will be broken. This is because every change to the file breaks the signature, even invisible changes such as the entry of metadata. However, breaking the signature does not damage the content of the PDF file. The unfortunate thing is that every user of an Acrobat Reader is made aware of this fact with a clearly visible red cross and a worrying error message (“Document was changed or damaged after signing”).

    Alternatively, the customer can set our PDF/A workflow so that a PDF file is not adapted to the PDF/A standard if it is signed. In this case, the signature will of course remain in tact, but the PDF file may not be suitable for long-term use.

    Receive signature information

    signature
    In some cases, the signature contains important information that you do not want to lose, such as the owner of the certificate or the date of the digital signature. Before the signature is deleted, we can read out this information about the signature; this can be stamped on the generated PDF/A or visualized on an additional page and attached to this page (keyword: signature page).

    Delete signature

    Is it not possible to delete a signature without a trace if it is broken because compliance with the PDF/A standard has been given a higher priority? Yes, that is possible. Broken signatures are then no longer found as such in Acrobat Reader.

    Not all signatures are visible. However, a visible signature is a popular addition to a digital signature. It has nothing to do with the actual cryptographic process. Unfortunately, it is not possible to remove this visualization when removing the digital signature. In terms of program technology, it is not possible to determine which visible object in the PDF was once applied to visualize the signature. However, it is perhaps also a good thing if at least this seemingly manual signature is retained.

    Hackers can change a signed PDF without breaking the signature! Can we do the same?

    No, this does not work. It has often been reported in the media that it has been possible to change a signed PDF file and several PDF readers (of which there are at least 20) have not noticed. These were always errors in the reader implementation. The cryptographic process itself is secure.

    So there’s no chance to help out here in a positive sense to get PDF/A customization and signature under one roof.

    Pick up everything and combine in one container

    Part 3 of the PDF/A standard allows PDF/A to be used as a container for any files (non-standardized PDF and even non-PDF). This somewhat illogical softening of the PDF/A standard is now proving to be a solution for keeping all information together.

    The PDF/A file generated by us (after the signature has been removed) becomes an envelope file. And this envelope contains the original, non-standardized but signed PDF. An XML file with the determined signature information can also be placed in the envelope. This idea has been around for quite a long time, but is only now gaining acceptance among our customers.

    As a technical overkill, the customer can also secure this container with a digital seal (*) from his own company; for a total increase in credibility.

    (*) What is a seal? Cryptographically like a signature, only in practical use with a different meaning (as a counterpart to electronic signatures for natural persons), the eIDAS Regulation also introduced electronic seals which, unlike a signature, can also be used by organizations (legal entities). What is described in this article as a problem with signatures also applies to seals.

    Summarized – Workflow for PDF/A with signature

    In accordance with archiving regulations, many of our customers are currently converting from PDF to PDF/A. No problem with our PDF/creation process. However, when adapting digitally signed PDF files, a few special features must be observed in order to avoid error messages when reading the PDF.

    Follow these steps:

    1. Read Signature Information – Extract the signature details from the document.
    2. Remove Signature – Delete the existing signature from the document.
    3. Adapt to PDF/A – Convert the document to PDF/A format using our PDF/A creation process.
    4. Generate PDF/A-3 with Embedded Original File and XML – Create a PDF/A-3 file, embedding the original document and including the original signature information in XML format.
    5. Seal the Container – Apply a digital seal to the entire document container.

    Contact us

    So if you are caught up in the apparent contradiction – signature versus PDF/A – then talk to us. In particular, if the keyword Adobe Sign or Docu Sign is mentioned, then as a file archivist you should be prepared that your requirements will not be taken into account.