Bug 461371

Summary: PDFs digitally signed with Okular become locked in Adobe Acrobat so no one else can sign it
Product: [Applications] okular Reporter: Cengiz Gunay <cengique>
Component: PDF backendAssignee: Okular developers <okular-devel>
Status: RESOLVED UPSTREAM    
Severity: normal CC: aacid, nate, nicolas.fella, oliver.sander
Priority: NOR    
Version: 21.08.3   
Target Milestone: ---   
Platform: Manjaro   
OS: Linux   
Latest Commit: https://gitlab.freedesktop.org/poppler/poppler/-/commit/c5bc25a0094b3fd10e8eea5296a006a4f530a771 Version Fixed In: Poppler 23.05.0
Sentry Crash Report:

Description Cengiz Gunay 2022-11-03 18:53:44 UTC 
SUMMARY

Once opened in Acrobat Reader or DC, it may allow you to make modifications, but when you try to save the PDF again, it gives this vague error: "The document could not be saved. There was a problem reading this document (105)."

It is important to have Okular interoperable with other tools, so that it can be more widely used. 

The digital signature feature works well and it was a feature I have been waiting for a long time, but I hope this issue can be fixed. I would not be able to share signed documents with my colleagues who use non-open source tools.

Theoretically, PDFs can be locked or left open after being digitally signed, but even Adobe does not give you an option to lock a document. It is also not clear if the locking is the issue here, or there is another problem with the generated file.


STEPS TO REPRODUCE
1. Open a PDF file in Okular
2. Digitally sign it and save as a new PDF
3. Open the new PDF in Acrobat Reader or DC, try to sign or save

OBSERVED RESULT

Getting the above error.

EXPECTED RESULT

For forms that need to be signed by multiple people, I would expect to be able to add another signature in Adobe products.

SOFTWARE/OS VERSIONS
Windows: 10/Acrobat DC (new install)
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 5.23.3
KDE Frameworks Version: 5.88.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
I can provide example files if needed.
Comment 1 Oliver Sander 2022-11-04 11:02:59 UTC 
A colleague of mine just confirmed this.
Comment 2 Nicolas Fella 2023-04-27 17:29:39 UTC 
PDF allows for some fine-grained control about what you can do with a signed document and what not

Looking at https://www.verypdf.com/document/pdf-format-reference/pg_0733.htm I see this:

The access permissions granted for this document. Valid values are:
1 No changes to the document are permitted; any change to the document invalidates the signature
2 Permitted changes are filling in forms, instantiating page templates, and signing; other changes invalidate the signature.
3 Permitted changes are the same as for 2, as well as annotation creation, deletion, and modification; other changes invalidate the signature

Default value: 2

Okular/Poppler doesn't set this, so the default (2) applies. That should explain why you cannot add a new signature (which is technically similar to adding an annotation). You should be able to do the things described in 2, like filling in forms.

Note that this is my understanding based on reading the linked site and the poppler source, I haven't reproduced the issue to confirm yet
Comment 3 Nicolas Fella 2023-04-28 12:24:54 UTC 
It looks like this does not explain the problem. Signing https://invent.kde.org/graphics/okular/-/blob/master/autotests/data/hello_with_dummy_signature.pdf with Acrobat doesn't add a DocMDP entry either.

The relevant part of the document signed by Okular:

%% Original object ID: 32 0
29 0 obj
<<
  /ByteRange [
    0
    490918
    499126
    378
  ]
  /Contents
  /Filter /Adobe.PPKLite
  /M (D:20230428140625+02'00')
  /Name (Nicolas Fella)
  /SubFilter /adbe.pkcs7.detached
  /Type /Sig
>>
endobj

And by Acrobat:

%% Original object ID: 18 0
23 0 obj
<<
  /ByteRange [
    0
    3871
    8413
    9388
  ]
  /Contents
  /Filter /Adobe.PPKLite
  /M (D:20230428140204+02'00')
  /Name (Nicolas Fella)
  /Prop_Build <<
    /App <<
      /Name /Adobe#20Acrobat#20Reader#20#2864-bit#29
      /OS [
        /Win
      ]
      /R 1507584
      /REx (2023.001.20143)
      /TrustedMode true
    >>
    /Filter <<
      /Date (Apr  4 2023 18:35:16)
      /Name /Adobe.PPKLite
      /R 131104
      /V 2
    >>
    /PubSec <<
      /Date (Apr  4 2023 18:35:16)
      /R 131105
    >>
  >>
  /SubFilter /adbe.pkcs7.detached
  /Type /Sig
>>
endobj

The difference is the /Prop_Build entry, but not sure this explains the issue
Comment 4 Nicolas Fella 2023-04-28 16:55:50 UTC 
https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1372 fixes the issue for me
Comment 5 Oliver Sander 2023-05-03 10:09:39 UTC 
I asked the colleague I mentioned above to test this, and it seems that the issue is indeed fixed for us as well.  Thank you!