No signature in HelloSign signed document - signing

I have this strange question regarding HelloSign, the answer to witch I was not able to find in their docs.
I have implemented the embed signing feature on my website with test mode on.
The signing process goes as it should via POST /signature_request/create_embedded request. The iFrame is opened, I put the signature and after I get the SIGNED event, I perform the GET /signature_request/files/[:signature_request_id] request to get signed document. The file is being downloaded and saved, and when I open it and compare with the file preview I have on HelloSign account, I see the many differences.
In my downloaded file there is the signature field added by HelloSign, but actually there is no signature inside. Also the additional page with transaction information does not exist.
Here is actually what I get in my pdf:
And this is what is contained in the file downloaded directly from HS admin:
Does this mean there was something wrong with downloaded doc, or is this just the test mode effect?
I hope I haven't completely misunderstood the signing feature...

You should be waiting for the backend callback with the event signature_request_all_signed.
More info on handling callbacks can be found here: https://www.hellosign.com/api/eventsAndCallbacksWalkthrough
When a user signs a document, it takes a few seconds for the final PDF to be generated. If you request to download the file before then, you will get the file in the state before it is signed (i.e. in the same state as if you had downloaded the file before the user had signed). To be safe, wait for the signature_request_all_signed callback and then fetch the final PDF.

Related

How does an AWS S3 POST object form initiate an upload

I’m uploading images from a user’s device to a S3 bucket using POST object from a HTML form. Everything is working fine but I don’t understand how the S3 server can initiate an upload from a client browser after the form data (file name, signature, policy, etc.) has been posted to its URL. The image data is in a file on the client device and is not contained in the form, only the file name is there. Where in the process is the upload started and how does the S3 server tell the client browser to upload the image data? Perhaps there’s more communication between the web server and browser during a post/response that I’m not aware of. Any insight would be appreciated.
Further research has shown that the browser itself automatically formats each file as a part of the form submission when the form has an input type="file" control. The file becomes an intrinsic part of the form data submitted and the server side processing knows to look for it as such.
HTML4 input type="file" spec
"The following example shows how the contents of a user-specified file may be submitted with a form. The user is prompted for his or her name and a list of file names whose contents should be submitted with the form. By specifying the enctype value of "multipart/form-data", each file's contents will be packaged for submission in a separate section of a multipart document."

Appending page to e-signed pdf w/ itextsharp [duplicate]

This question already has answers here:
how to add blank page in digitally signed pdf using java?
(2 answers)
Closed 3 years ago.
Is there a way to append a page to an e-signed PDF without losing the digital signature using iTextSharp? In real estate you often have a contract and addendum, both esigned in a seperate process, but users would like to have them attached in one single pdf file. The problem is that once you add a page to an e-signed doc, the e-signature disappears.
It makes sense since the signature means a user has made an agreement based on what was presented to them, but if you're just appending another esigned addendum, or even another unsigned page for them to sign in addition to the previously signed page, I would hope they is something that takes this into account and keeps track of envelope changes for any legal reasons
Digitally signing a document means that the software validates its content and appends a "seal" using a certificate. That means that when the file is signed, its content is locked and any modification to the content of the file would result in an invalidation of the digital signature (not the same as eSignature, which is more procedural in nature). DocuSign enforces this and as a result would invalidate both signatures (digital and electronic) when the file is modified. You can send a new envelope with the new file to be digitally signed if you want, but you cannot modify a signed digitally document after the fact.

Unexpected error when attempting to sign via Docusign

We are automating scripts with Selenium, part of which is to sign a document with document. There is a docusign community forum but we just have a demo docusign account with one user, and I do not think that can send email to the community, so I thought I could ask here.
We are getting the envelope ID of a document, and then requesting the page and logging in. This is the URL:
https://XXXdemo.docusign.com/documents/details/{ENVID}"
(I used XXX here for the first three characters for security). Also, I replace {ENVID} with the actual envelope ID.
This has been working, and still is kind of working. We do signs and advances, etc. Often now, in the middle of a sequence of steps (signing, advancing, etc) we get the login page again and the error message: Invalid Managed Token ID and / or secret
(see attached image).
I did talk to some developers who told me to clear the cache before running the test. The only problem is that our Selenium tests (which are running in Chrome) start with a completely new, empty cache, bookmarks, etc.
I thought that maybe the envelope id was expiring, but a developer said he did not believe that was the case. Any suggestions what could be happening?
Specifics:
- We create a document in Salesforce and send it to Docusign for signature.
- We are using Selenium, Java and the latest version of Chrome.
- This appears to happen at different Docusign places, and sometimes not at all. Often happens when clicking "sign"
- A google search for the error message returned only two results, neither of which was too helpful.
- The picture below is after having signed in and running for a while.

We receive signed PDF documents with ulterior modifications

Maybe this one would fit better on so security? I'm not sure...
These are the facts:
We have a web app where users download a PDF document with a form, they fullfill this form, sign it with their electronic certificate and upload it back to our environment.
We've shown cases where the uploaded document is signed, but it show some fields that have been altered after the signature. If we check the integrity of PDF signatures, it shows that have been data alteration after the signature, but the signature it's fine and valid.
If we right-click on the signature and select "See signed version" we see the real data loaded on the moment of the signature.
Now, this goes against my general perception of electronic signature functionality. If any change is made to the document (or the data loaded into it) after I make a signature, this signature should become invalid, as the document has been altered.
The behaviour of the PDF seems to be different, as not only the signature still is valid, also the "default version" that you see when you open the document is the last one, not the signed one.
Now I'm wondering
Is this some kind of bug or is a expected behaviour?
There is any place where info on the matter can be found? (google keeps redirecting me once and again to "how to sign a PDF" articles).
If this is a defined behaviour, how do you deal with it?
Now, this goes against my general perception of electronic signature functionality. If any change is made to the document (or the data loaded into it) after I make a signature, this signature should become invalid, as the document has been altered.
The behaviour of the PDF seems to be different, as not only the signature still is valid, also the "default version" that you see when you open the document is the last one, not the signed one.
Is this some kind of bug or is a expected behaviour?
It is expected behavior.
You have to be aware of two special factors here:
A PDF signature field contains the information of the byte ranges signed. Obviously not the whole file can be signed as the signature itself is embedded and cannot be part of the signed bytes. Thus, the signed bytes ranges need to be recorded somewhere. Cf. this answer on Information Security Stack Exchange:
Additions to a PDF can be made by appending to the existing document, a process called an incremental update. These updates can again be signed etc., also cf. the answer referenced above:
Thus, making changes to a PDF by means of an incremental update, the existing integrated signatures in the document still correctly sign their respective signed by range. They still are mathematically valid in spite of the added changes.
Furthermore the current contents of a PDF are defined in particular by the newest incremental update, so when you open the document it shows the content including the last changes, not the signed one.
Now, while this sounds like PDF signatures have no meaning, this is not the case. The specification ISO 32000-1 clearly defines which changes are allowed to be made in an incremental update to a certified (= signed with some special flags) base version of a document, and Adobe in their Acrobat and Reader software have extrapolated restrictions from this for signed but not certified documents, cf. this answer on stack overflow.
In particular at most the following changes are allowed:
Adding signature fields
Adding or editing annotations
Supplying form field values
Digitally signing
If this is a defined behaviour, how do you deal with it?
As the documents originate from you, you can start by applying a certificate signature to the document which only allows as little changes as possible in your use case.
Then you can define signature lock information for the signature fields your users are to sign. In these lock information you can e.g. prescribe that after signing the given signature field, a number of form fields shall be read-only.
Finally you only accept back PDFs which still contain your certification signature and to which no disallowed changes were added.
There actually are numerous PDFs which are certified and contain a number of fields for additional approval signatures, and each of the approval signature fields is coupled with some form fields which will not be editable anymore after signing. After all the signature fields are signed, all fields are read-only.
There is any place where info on the matter can be found? (google keeps redirecting me once and again to "how to sign a PDF" articles).
You should in particular look at the PDF specification ISO 32000-1 and some Adobe documents on the behavior of their software. You'll find links at the bottom of the stack overflow documentation page the above mentioned links point to.

iPDF-poppler passworded document

Note: I am not sure if this is better here, or at superuser, but since it concerns the poppler library, I would assume here, because people here are more likely to know how it works.
Software: iPDF 2.12 + Poppler 2.11 (Last commit 2006-12-12) for Irex Iliad. Sources are here.
Problem Documents: Sciam digital PDFs (any of them, since all are produced the same way).
The document will load fine using Okular, Adobe Reader, and XPDF without requesting any passwords, and can be read without problem.
Loading using iPDF - so poppler - requests a password to open the document.
I have tried bypassing the SecurityHandler:checkEncryption method in Poppler/SecurityHandler.cc, by making it return true. This works, but fails to load the pdf with errors:
Error: Unsupported version/revision (4/4) of Standard security handler
Error (13571568): Unknown compression method in flate stream
Error: Top-level pages object is wrong type (null)
Error: Couldn't read page catalog
(PV_E)PDFCore.cpp:61,open() Open PDF document (èÖ#(èÖ#à failed with error code 2
(PV_E)PDFApp.cpp:185,open() Could not open file!
This suggests that the actual stream is encrypted, which - if true - suggests that okular is somehow bypassing this.
I am aware of people having similar problems on other mobile devices (I found a similar report with a Nexus One).
I do not know enough about how the pdf format works to know whether there is some 'default' password that should be used instead to open (no other permissions needed) the document. Is there?
Is it a case that it is requesting the owner password, when it only needs to use the user password (blank?) to open it?
Else, does anyone know how something like Okular/XPDF would be able to open it without problem?
This turned out to be an issue with the version of poppler being used by the application being too old for the required security handler.
As such, I have started my own project to create a new pdf viewer for my iliad based on the latest (0.14.*) version of poppler which can handle it. Sources here.