Forum moved here!

Home / Verify e-signatures with SumatraPDF

QuanticReader

Hello,

I’ve been a long time user of Sumatra Pdf, always liked it for its simplicity and lightweight.

I wonder if you intend to implement a feature to verify the validity of a digital signature or view its certificate like other readers have such as PDF-XChange Viewer?

sangeeth98

yes,
Recently, I was forced to download adobe to verify digital signature of a document. It will be nice if that feature is added in the upcoming updates.

GitHubRulesOK

@QuanticReader
@sangeeth98

I am not the developer so can not speak with authority,
However that is a function proprietary to Adobe (and their licensed collaborators) that may depend on background scripting features that have not been added to SumatraPDF (thus SumatraPDF is lightweight and more secure)

Additionally signatures have reputedly been “worked around” so it would be double pointless to add a worthless feature. For more on this issue see https://github.com/sumatrapdfreader/sumatrapdf/issues/59#issuecomment-418562337

SumatraPeter

I wouldn’t go so far as to declare that digital signatures are completely worthless. Also, as kjk stated MuPDF already has the ability to verify digital signatures. However until #344 is closed all folks can do is wait:

SumatraPeter

https://www.pdf-insecurity.org/signature/viewer.html

Since digitally signed PDFs are often mandated by law and even admissible as evidence in legal proceedings.depending on the jurisdiction, this is a devastating attack. So important warning for everyone using other PDF software to insert/verify digital signatures: Install the latest updates (or switch to another program if a vulnerable one hasn’t been patched)!

GitHubRulesOK

I have to say
"research team has been working since early October 2018 together with experts from Germany’s Computer Emergency Response Team "

Which is after the date of my “surmise” that rumblings were floating about signature spoofing which was based on something similar to the second of the subsequently published three attack vectors. But still not sure if they cover some or all of the other potential methods that I had heard of.

Notably Adobe Reader version 9 was the most secure (most hardened over time) and of course Foxit which I had used to test shortcomings fared poorly

Inevitably SumatraPDF not listed as it cannot be compromised since it does not support scripting of signatures :slight_smile: .