Dear list,

pdfsig-24.02 gives the following verification results from a digitally signed PDF document:

  - Signing Hash Algorithm: SHA1
  - Signature Type: ETSI.CAdES.detached
  - Signed Ranges: [0 - 248], [54250 - 87428]
  - Total document signed
  - Signature Validation: Signature is Invalid.

Acrobat Reader had no problem with this signature (tested weeks ago).

MuPDF-1.24.4 (mutool sign -v) complains about the certificate, but not about the signature:

  Certificate error: Self-signed certificate in chain.

The document is unchanged since signing.

I guess signature verification is rejected because of SHA1.

If you allow me a suggestion (I can provide an MR myself), please consider another message.

For most (non-tech) users, signature validity is mainly its correctness (no digest mismatch). Even some PDF viewers (I cannot remember Acrobat right now) use "invalid signature" for digest mismatch.

I wonder whether the following wording would be better:

  Signature may be valid, but cryptographically insecure.

I know that the expression seems too complex at first, but I think it dispels the misleading idea "the signature is wrong".

Many thanks for your help,

Pablo
