Hi Team,
Recently, in the PDF Viewer of MS Edge there is a panel with information about digital signatures in the document, but the signatures created with GemBox.PDF have the status “Unknown Signature”, and the certificate information is not loaded when trying to view. If the same file is signed, for example, with Acrobat Reader with the same certificate, everything is OK with the second signature. For example, I generated a file through the site and example PAdES B-B level (PDF Advanced Electronic Signatures (PAdES) in C# and VB.NET) and then signed the file with the same certificate GemBoxECDsa521.pfx, but through Acrobat. If the file is opened with Acrobat Reader, everything is correct, but when viewed with MS Edge, one of the signatures is Unknown. Any ideas why this happens?
Hi Mario,
The certificate GemBoxECDsa521 has been added as trusted in Windows, Acrobat, Edge and …, that’s why the example is with this certificate. The picture shows that the first signature is Unknown and the second Invalid; the difference is that the first was made with GemBox.Pdf and the second with Acrobat. Through properties, the first signature has no information about the certificate, but the second one has (the certificate is the same GemBoxECDsa521). The same problem exists with the Qualified Digital Certificate issued by the Qualified Trust Service Provider.
As I wrote, it happens with every signature generated with GB.Pdf, even from the page with signing examples (PAdES B-B level) and viewing with Edge, then: “View signatures -> Properties -> (Certificate) View” and no certificate information is loaded. This is a file generated from the examples with two signatures. Here is a file generated by the example and then signed with the same certificate but through Acrobat. There is no information about the certificate of the first signature, but there is for the second.
It seems that the MS Edge PDF signature validator has a couple of issues:
It doesn’t support validating PAdES signatures (reported as Unknown both ‘Signer’s identity’ and ‘Document modified’).
It doesn’t support certificate chains in which certificates are signed with different algorithms or with the ECDsa algorithm (‘Signer’s identity’ reported as Invalid and ‘Document modified’ reported as No or even Yes).
If you import the GemBoxCA.crt root certificate into the Trusted Root Certification Authorities via MS Edge Settings → Privacy, search, and services → Security → Manage certificates and try validating the signature from the PDF file created with the Digitally sign a PDF file with a visible signature example (non-PAdES signatures), you will see that the signature is valid for all input digital IDs that use RSA algorithm and is invalid for all input digital IDs that use ECDsa algorithm. This confirms that MS Edge PDF signature validator either doesn’t support certificate chains in which certificates are signed with different algorithms (because intermediate certificate GemBoxECDsa.crt is signed with the RSA key of the root certificate GemBoxCA.crt and the root certificate is also self-signed with the same RSA key, while GemBoxECDsa*.crt signer certificates are signed with the ECDsa key of the intermediate certificate and they also use ECDsa algorithm for signing the PDF file) or it simply doesn’t support ECDsa algorithm.
When validating the output of the PAdES B-B level example, it is reported as Unknown for any input digital ID (either RSA or ECDsa) so this confirms that MS Edge PDF signature validator doesn’t support validating PAdES signatures.
Note that in the file in which you added the second signature using Adobe Acrobat, that signature is not actually PAdES (this can be observed if you open the file in Adobe Reader and check Signature Properties… → Advanced Properties… of both signatures: you will see that the first one is PAdES Signature Level: B-B, while the second one doesn’t have any info regarding the PAdES Signature Level), so it is not reported as Unknown like the PAdES signatures, but as Invalid because it uses the ECDsa algorithm.
All of the tested files’ signatures are reported as valid in Adobe Reader, so the issue is not with GemBox.Pdf but with the MS Edge PDF signature validator.
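Added triage script (not GemBox code and not from either poster) that makes the two distinctions above checkable without a viewer: it pulls every signature dictionary out of a PDF, reports whether /SubFilter marks it as PAdES (ETSI.CAdES.detached) or a legacy ISO 32000 signature, scans the CMS blob for ECDSA/RSA signature-algorithm OIDs (a heuristic: a mixed chain shows both), and verifies that /ByteRange covers the whole file around /Contents. The sample PDF and CMS bytes are constructed inline for the demo and are not a real signed document.

```python
import re
from typing import Dict, List

# Pieces of a PDF signature dictionary (ISO 32000-1, section 12.8.1).
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([\w.]+)")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")
PADES_SUBFILTER = b"ETSI.CAdES.detached"

# DER-encoded OID values of signature algorithms commonly found in a PDF's CMS blob
# (both the SignerInfo and the embedded certificate chain contribute OIDs).
SIG_ALG_OIDS = {
    bytes.fromhex("2A8648CE3D040302"): "ecdsa-with-SHA256",
    bytes.fromhex("2A8648CE3D040303"): "ecdsa-with-SHA384",
    bytes.fromhex("2A8648CE3D040304"): "ecdsa-with-SHA512",
    bytes.fromhex("2A864886F70D01010B"): "sha256WithRSAEncryption",
    bytes.fromhex("2A864886F70D01010D"): "sha512WithRSAEncryption",
}

def triage(pdf: bytes) -> List[Dict]:
    """One record per signature dictionary: profile, algorithm OIDs seen, ByteRange sanity."""
    results = []
    for obj in OBJ_RE.finditer(pdf):
        body, base = obj.group(1), obj.start(1)
        br, sf, ct = (BYTERANGE_RE.search(body), SUBFILTER_RE.search(body), CONTENTS_RE.search(body))
        if not (br and sf and ct):
            continue  # not a signature dictionary
        start, a, b, c = (int(x) for x in br.groups())
        # /Contents (with its <> delimiters) must be exactly the hole between the two ranges,
        # and the second range must reach EOF; otherwise "Document modified" cannot be "No".
        lt, after = base + ct.start(1) - 1, base + ct.end(1) + 1
        byterange_ok = start == 0 and a == lt and b == after and b + c == len(pdf)
        cms = bytes.fromhex(ct.group(1).decode())
        results.append({
            "subfilter": sf.group(1).decode(),
            "profile": "PAdES" if sf.group(1) == PADES_SUBFILTER else "ISO 32000 (legacy)",
            "algorithms": sorted(n for oid, n in SIG_ALG_OIDS.items() if oid in cms),
            "byterange_ok": byterange_ok,
        })
    return results

# Constructed stand-in for a CMS blob: just two DER OID elements, mimicking an ECDSA signer
# whose chain contains an RSA-signed certificate (the mixed chain described in the thread).
SAMPLE_CMS = (b"\x06\x08" + bytes.fromhex("2A8648CE3D040304")
              + b"\x06\x09" + bytes.fromhex("2A864886F70D01010B"))

def build_sample_pdf(subfilter: bytes, cms: bytes) -> bytes:
    """Constructed test input: a skeletal PDF with one signature dictionary and a consistent
    /ByteRange. A fixed-width array keeps the offsets stable. Not a viewer-valid document."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /" + subfilter + b" /ByteRange "
    mid, hexc, tail = b" /Contents <", cms.hex().upper().encode(), b"> >>\nendobj\n%%EOF\n"
    width = len(b"[%010d %010d %010d %010d]" % (0, 0, 0, 0))
    a = len(head) + width + len(mid) - 1          # offset of '<'
    b = a + len(hexc) + 2                         # offset just past '>'
    return head + b"[%010d %010d %010d %010d]" % (0, a, b, len(tail) - 1) + mid + hexc + tail
```

Run `triage()` over a real file's bytes: a signature whose profile is PAdES matches the "Unknown" case in the thread, a legacy one with ECDSA OIDs matches the "Invalid" case, and `byterange_ok` being False means the file was changed after signing rather than a validator limitation.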
Thanks for the comprehensive answer Stipo.
I’ve been using the library for over 5 years and I’ve never doubted it, I just became curious as to why this happens.