Signing PDF with annotations results in invalid signature #50

Open
Twometer opened this issue Nov 4, 2024 · 9 comments

@Twometer

Twometer commented Nov 4, 2024

I have a PDF that was created with gopdf and contains Link annotations.
The PDF is then signed with pdfsign.

If I open the signed document in Adobe, it reports:

Signature is invalid: There have been changes made that invalidate the signature.

Without the link annotation, everything works fine and the PDF is shown as certified.

@vanbroup
Member

vanbroup commented Nov 4, 2024

Can you add some example code and the resulting PDF files?

@Twometer
Author

Twometer commented Nov 5, 2024

@vanbroup Sure:

Working PDF

[image]
It says unknown because of my self-signed test certificate, but as you can see it says "Document has not been modified".

PDF download: working.pdf

Failing PDF

[image]
Here, it says "There have been changes made to this document that invalidate the signature."

The only difference is that this PDF contains a Link annotation.

PDF download: failing.pdf

Repro

I am using this code for signing the PDF:

pdfSign.Sign(bytes.NewReader(pdf), pdfWriter, pdfReader, pdfLen, pdfSign.SignData{
	Signature: pdfSign.SignDataSignature{
		CertType:   pdfSign.CertificationSignature,
		DocMDPPerm: pdfSign.AllowFillingExistingFormFieldsAndSignaturesAndCRUDAnnotationsPerms,
		Info: pdfSign.SignDataSignatureInfo{
			Name:        "Test Signing",
			Reason:      "Demonstrating signing failures",
			Location:    "The Internet",
			ContactInfo: "Twometer",
			Date:        time.Now(),
		},
	},

	DigestAlgorithm:   crypto.SHA384,
	Signer:            certs.key,
	Certificate:       certs.cert,
	CertificateChains: [][]*x509.Certificate{certs.chain},
})

Here is the full repro code: https://gist.github.com/Twometer/d6611dee04132251531fbc2962190388

More info

The only difference I can see in those PDFs' raw streams is the line

/Annots [<</Type /Annot /Subtype /Link /Rect [0.00 842.00 32.00 810.00] /Border [0 0 0] /A <</S /URI /URI (https://google.com)>>>>]

being present in the Page object.

(And of course some changes to the signature and the xref table)

@vanbroup
Member

Thanks for these details @Twometer. I couldn’t find your unsigned file right away, but I’ve just released a new version that should address your issue. Could you please verify if it works?

@Twometer
Author

Thanks @vanbroup, I have just tested the new version (v0.0.0-20241114132424-1f5035cb0e1e) with the same code and the same thing still happens:

[image]

Do I have to change any settings in the signing configuration?

The unsigned file is created dynamically in the repro code with gopdf, but I've also attached it here: failing-unsigned.pdf

@Twometer
Author

Okay, one more update: I have tried setting ApprovalSignature instead of CertificationSignature, and that seems to work now:

[image]

Do you have an idea why changing the signature type would "fix" this?

@Twometer
Author

I've noticed today that when viewing the document with an ApprovalSignature that Adobe shows as correctly signed using the Foxit PDF reader, it now complains that the document was corrupted:

[image: foxitSigningError]

@vanbroup
Member

This doesn't happen with any of the test documents, right?

I have not been able to look at your source document yet, but have you tried opening that with Acrobat, and does it ask you to save the document when closing? (This often happens when there is an issue in the source document.)

Also, do you know if the document has an xref table or stream? I did do most testing with the tables and less with the streams for now.

@Twometer
Author

Twometer commented Nov 20, 2024

I've tried testfile12.pdf which seems to contain a link annotation as well, and that seems to work fine. With the test document, the CertificationSignature also works fine.

I've also tried opening and closing multiple source files in Adobe, and never got a saving prompt.

My source document has just a regular xref table at the end of the document, no xref streams.

@Twometer
Author

The only difference I can see between the test document and my document is that the /Annots object is inline in my document, but a reference to a separate object in the test document.
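
Added example (not part of the thread, and not code from pdfsign or the reporter's gist): a small Go check for the difference described in the last comment, reporting for each page object whether /Annots is an inline array or a reference to a separate object. The name `AnnotsStyle` and the sample objects are constructed for illustration, and the scan assumes uncompressed objects as in a file with a regular xref table.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample page objects (not extracted from the attached PDFs).
const samplePages = `
3 0 obj <</Type /Page /Annots [<</Type /Annot /Subtype /Link /Rect [0 0 32 32] /A <</S /URI /URI (https://example.com)>>>>]>> endobj
4 0 obj <</Type /Page /Annots 9 0 R>> endobj
5 0 obj <</Type /Page /Annots [9 0 R 10 0 R]>> endobj
6 0 obj <</Type /Page>> endobj
`

var (
	objRe   = regexp.MustCompile(`(?s)(\d+)\s+\d+\s+obj\b(.*?)endobj`)
	pageRe  = regexp.MustCompile(`/Type\s*/Page\b`)
	annotRe = regexp.MustCompile(`/Annots\s*(\d+\s+\d+\s+R\b|\[\s*<<|\[)`)
)

// AnnotsStyle maps each page object's number to how it stores /Annots.
// Sketch only: it reads uncompressed objects (classic xref-table files) and,
// after an incremental update, keeps the last copy of each object.
func AnnotsStyle(pdf string) map[string]string {
	out := map[string]string{}
	for _, m := range objRe.FindAllStringSubmatch(pdf, -1) {
		if !pageRe.MatchString(m[2]) {
			continue // not a page dictionary (/Pages is excluded by \b)
		}
		a := annotRe.FindStringSubmatch(m[2])
		switch {
		case a == nil:
			out[m[1]] = "none"
		case a[1] == "[":
			out[m[1]] = "direct array of references"
		case strings.HasPrefix(a[1], "["):
			out[m[1]] = "direct array of inline dictionaries"
		default:
			out[m[1]] = "indirect reference"
		}
	}
	return out
}

func main() {
	fmt.Println(AnnotsStyle(samplePages))
}
```

Running it over the unsigned file, the signed file and a known-good test file side by side shows whether they differ in this respect.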
