Bug 461371 - PDFs digitally signed with Okular become locked in Adobe Acrobat so no one else can sign it
Summary: PDFs digitally signed with Okular become locked in Adobe Acrobat so no one el...
Status: RESOLVED UPSTREAM
Alias: None
Product: okular
Classification: Applications
Component: PDF backend (show other bugs)
Version: 21.08.3
Platform: Manjaro Linux
: NOR normal
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-03 18:53 UTC by Cengiz Gunay
Modified: 2023-05-10 08:42 UTC (History)
4 users (show)

See Also:
Latest Commit:
Version Fixed In: Poppler 23.05.0


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Cengiz Gunay 2022-11-03 18:53:44 UTC
SUMMARY

Once opened in Acrobat Reader or DC, it may allow you to make modifications, but when you try to save the PDF again, it gives this vague error: "The document could not be saved. There was a problem reading this document (105)."

It is important to have Okular interoperable with other tools, so that it can be more widely used. 

The digital signature feature works well and it was a feature I have been waiting for a long time, but I hope this issue can be fixed. I would not be able to share signed documents with my colleagues who use non-open source tools.

Theoretically, PDFs can be locked or left open after being digitally signed, but even Adobe does not give you an option to lock a document. It is also not clear if the locking is the issue here, or there is another problem with the generated file.


STEPS TO REPRODUCE
1. Open a PDF file in Okular
2. Digitally sign it and save as a new PDF
3. Open the new PDF in Acrobat Reader or DC, try to sign or save

OBSERVED RESULT

Getting the above error.

EXPECTED RESULT

For forms that need to be signed by multiple people, I would expect to be able to add another signature in Adobe products.

SOFTWARE/OS VERSIONS
Windows: 10/Acrobat DC (new install)
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 5.23.3
KDE Frameworks Version: 5.88.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
I can provide example files if needed.
Comment 1 Oliver Sander 2022-11-04 11:02:59 UTC
A colleague of mine just confirmed this.
Comment 2 Nicolas Fella 2023-04-27 17:29:39 UTC
PDF allows for some fine-grained control about what you can do with a signed document and what not

Looking at https://www.verypdf.com/document/pdf-format-reference/pg_0733.htm I see this:

The access permissions granted for this document. Valid values are:
1 No changes to the document are permitted; any change to the document invalidates the signature
2 Permitted changes are filling in forms, instantiating page templates, and signing; other changes invalidate the signature.
3 Permitted changes are the same as for 2, as well as annotation creation, deletion, and modification; other changes invalidate the signature

Default value: 2

Okular/Poppler doesn't set this, so the default (2) applies. That should explain why you cannot add a new signature (which is technically similar to adding an annotation). You should be able to do the things described in 2, like filling in forms.

Note that this is my understanding based on reading the linked site and the poppler source, I haven't reproduced the issue to confirm yet
Comment 3 Nicolas Fella 2023-04-28 12:24:54 UTC
It looks like this does not explain the problem. Signing https://invent.kde.org/graphics/okular/-/blob/master/autotests/data/hello_with_dummy_signature.pdf with Acrobat doesn't add a DocMDP entry either.

The relevant part of the document signed by Okular:

%% Original object ID: 32 0
29 0 obj
<<
  /ByteRange [
    0
    490918
    499126
    378
  ]
  /Contents
  /Filter /Adobe.PPKLite
  /M (D:20230428140625+02'00')
  /Name (Nicolas Fella)
  /SubFilter /adbe.pkcs7.detached
  /Type /Sig
>>
endobj

And by Acrobat:

%% Original object ID: 18 0
23 0 obj
<<
  /ByteRange [
    0
    3871
    8413
    9388
  ]
  /Contents
  /Filter /Adobe.PPKLite
  /M (D:20230428140204+02'00')
  /Name (Nicolas Fella)
  /Prop_Build <<
    /App <<
      /Name /Adobe#20Acrobat#20Reader#20#2864-bit#29
      /OS [
        /Win
      ]
      /R 1507584
      /REx (2023.001.20143)
      /TrustedMode true
    >>
    /Filter <<
      /Date (Apr  4 2023 18:35:16)
      /Name /Adobe.PPKLite
      /R 131104
      /V 2
    >>
    /PubSec <<
      /Date (Apr  4 2023 18:35:16)
      /R 131105
    >>
  >>
  /SubFilter /adbe.pkcs7.detached
  /Type /Sig
>>
endobj

The difference is the /Prop_Build entry, but not sure this explains the issue
Comment 4 Nicolas Fella 2023-04-28 16:55:50 UTC
https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1372 fixes the issue for me
Comment 5 Oliver Sander 2023-05-03 10:09:39 UTC
I asked the colleague I mentioned above to test this, and it seems that the issue is indeed fixed for us as well.  Thank you!