
Comments (4)

MatthiasValvekens commented on June 1, 2024 1

Yes, if everything is done correctly, Acrobat should display "The signature includes an embedded timestamp".

And you're quite right that timestamp validation is important :)

from pyhanko.

MatthiasValvekens commented on June 1, 2024

That's an excellent question, and one that I should probably address more fully in the documentation.

The short answer is: yes, pyHanko supports embedding timestamps, and here's how to get that to work.

The slightly longer answer is that, as the diagnostic message in Acrobat implies, the point of embedding timestamps is to ask a trusted third party to tell you what time it is, instead of forcing the signature's validator to take your word for it. In order to do that, you basically need to tell pyHanko who to ask. There's no "default" way to get timestamp tokens, so unless you provide pyHanko with a TSA endpoint, it'll just put the time on your computer's clock into the signature container.

The way this works on the technical level is by sending a digest of the signature to a time stamping authority, who will reply with a signed, timestamped statement that certifies that the signature existed at that time. This token is then stapled to the signature. There are quite a few widely trusted timestamp authorities that provide their services to the public for free. You can find a list of those here (note: possibly some of these are no longer operational, I haven't tried them all). Alternatively, if you're working with government paperwork, chances are that your government PKI also supplies a TSA service.


EDIT: upon rereading your question, you seem to be asking why Acrobat is rejecting your timestamp token. That could be for any number of reasons, but you can probably figure out what the problem is by inspecting the signature properties (Acrobat provides pretty detailed reporting on trust validation if you know where to look). It could be that the TSA you used isn't trusted by Acrobat by default, but I don't know by heart whether that would generate the same status message.

I'll leave the answer up anyway for future reference :)

from pyhanko.
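
The request described in the comment above (a digest of the signature sent to a time stamping authority), as an added example that is not part of the original comment and is not pyHanko's own code: it builds an RFC 3161 `TimeStampReq` with the standard library and reads back the only document-derived field the TSA receives. The function names, the SHA-256 choice, the nonce and the sample signature bytes are assumptions made for illustration.

```python
import hashlib

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")
# Constructed stand-in for the signature value inside the PDF's CMS container.
SAMPLE_SIGNATURE = bytes(range(256))

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (extra byte only when the top bit is set)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(signature_value: bytes, nonce: int) -> bytes:
    """TimeStampReq: version 1, SHA-256 messageImprint, nonce, certReq=TRUE."""
    digest = hashlib.sha256(signature_value).digest()
    alg_id = der(0x30, SHA256_OID + der(0x05, b""))
    imprint = der(0x30, alg_id + der(0x04, digest))
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def imprint_seen_by_tsa(request: bytes) -> bytes:
    """Walk the request as the TSA would and return the hashedMessage field."""
    _, body, _ = read_tlv(request, 0)      # TimeStampReq SEQUENCE
    _, _, pos = read_tlv(body, 0)          # skip version
    _, imprint, _ = read_tlv(body, pos)    # messageImprint SEQUENCE
    _, _, pos = read_tlv(imprint, 0)       # skip AlgorithmIdentifier
    return read_tlv(imprint, pos)[1]       # hashedMessage OCTET STRING

if __name__ == "__main__":
    req = build_timestamp_request(SAMPLE_SIGNATURE, nonce=0x1122334455667788)
    # This body is what gets POSTed with Content-Type: application/timestamp-query.
    print(len(req), "byte request; imprint:", imprint_seen_by_tsa(req).hex())
```

Only the 32-byte digest appears in the request; the signature bytes and the document itself are not sent to the TSA.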

salguei-ro commented on June 1, 2024

Hi, @MatthiasValvekens!

Thanks for the fast support :)

Hmmm, strictly speaking, my question is different. I don't think I was clear enough, sorry. To put it in other terms:

If all the assumptions made are true (correct encoding, correct implementation of the time stamp, TSA trusted according to Adobe, etc.), the output PDF from pyHanko would be “certifiable” (i.e., Adobe would show the message that "The signature includes an embedded timestamp")? Or, even so, with everything “right” according to pyHanko, Adobe would still show the message that signature date/time are from the clock on the signer’s computer?

More directly: are there any a priori known limitations between pyHanko's PDF output and Adobe's timestamp validation?

I know that for many this would be a silly, trivial validation - and that's why they don't even check it. But in my case it is essentially important. Hence the question.

from pyhanko.

MatthiasValvekens commented on June 1, 2024

I'll close this question now, feel free to reopen if you encounter related issues later.

from pyhanko.
