January 30, 2023 | PDF, signature

How to Modify a Signed PDF Without Compromising the Signature



Once a PDF has been digitally signed, it is usually impossible to edit without compromising the signature. After all, the whole purpose of an electronic signature is to prevent tampering with a signed document! However, in some cases, it is possible to amend the file in a way that keeps the original signature valid.

Is it possible to modify a signed PDF?

From a legal point of view, a signed document will not be valid if there is any evidence that it was altered after signing.
Most of the time, it’s not even possible to modify a signed PDF because the content will be locked, and the user will get a warning message.
However, it can sometimes be helpful to fix typos or add notes to a signed document without compromising the initial signature and without asking the signer to review the entire document again. This is especially true when signing long contracts, for instance.
Of course, we’re not talking about trying to modify the content of a signed document at length. People will always use tricks and software loopholes to achieve this, but it can be relatively easy to prove that the document has been tampered with if necessary. And generally speaking, if the content of a document needs to be significantly edited, people will need to re-sign it.

The two sides of a valid signature

An industry-valid signature

Depending on your industry, country, and line of business, there are different ways to sign a PDF.

In the European Union, the eIDAS regulation allows three types of electronic signatures:

  • the simple electronic signature suitable for everyday acts or those with low legal or financial consequences for the signatory.
  • the advanced electronic signature, which includes the use of a digital certificate.
  • the qualified electronic signature, generally used for authentic acts of notaries, lawyers, bailiffs, courts, and the like. Its security criteria are comparable to those of the advanced digital signature.

It is up to the entity asking for a signature to implement the right signing protocol and method.
For example, in most countries, you cannot use a simple electronic signature when selling a house. If you do so, the act will be considered invalid because, legally, the notary should have used a qualified electronic signature. 

A technically-valid signature

As we said before, an electronic signature must be technically valid to avoid legal issues.
It means that:

  • the signing software or solution used must provide valid signatures and options to protect the signed document;
  • the user hasn’t tampered with the document after it has been signed.

As a solution developer, you have no power over what users can do with their signed documents (there will always be people trying to edit uneditable documents!). But you can develop tools that will provide valid signatures that people will trust.

Different signatures, different modification rights

What does the specification say about modifying electronic signatures?

If we look at the latest version of the PDF specification (ISO 32000-2, section 12.8, “Digital signatures”), we get some insight into how modifications of a signed PDF can be implemented.

Usage Rights (UR)

Before PDF 2.0, you could implement Usage Rights to modify a PDF with a signature. This concept is now outdated. 

12.8.2.3 UR

The features described in this subclause are deprecated with PDF 2.0.
The UR transform method (deprecated in PDF 2.0) shall be used to detect changes to a document that shall invalidate a usage rights signature, which is referred to from the UR3 entry in the permissions dictionary (see “Table 263 — Entries in a permissions dictionary”). The transform parameters dictionary (see “Table 258 — Entries in the UR transform parameters dictionary”) specifies the additional rights that shall be enabled if the signature is valid. If the signature is invalid because the document has been modified in a way that is not permitted or the identity of the signer is not granted the extended permissions, additional rights shall not be granted.
A PDF processor that modifies a PDF, with a UR signature in excess of the rights that are granted by that signature, should remove that signature prior to writing the newly modified PDF.

DocMDP

PDF signatures implement the DocMDP (Document Modification Detection and Prevention) mechanism for checking modifications. This method can allow some changes.

“MDP” stands for Modification Detection and Prevention.

12.8.2.2 DocMDP

12.8.2.2.1 General

The DocMDP transform method shall be used to detect modifications relative to a signature field that is signed by the author of a document (the person applying a certification signature). A document can contain only one signature field that contains a DocMDP transform method. It enables the author to specify what changes shall be permitted to be made to the document and what changes invalidate the author’s signature.

Examples of changes that can be permitted:

  • filling in forms, 
  • instantiating page templates and signing,
  • annotation creation, deletion, and modification.

Incremental update

The incremental update is a feature that allows you to make changes to a PDF and save it without invalidating any existing digital signatures. Modifications are added after the signed file, providing a convenient history of changes. 

PDF specification ISO 32000-2 

12.8 Digital signatures
12.8.1 General
NOTE 1

If a signed document is modified and saved by incremental update (see 7.5.6, “Incremental updates”), the data corresponding to the byte range of the original signature is preserved.
Therefore, if the signature is valid, it is possible to recreate the state of the document as it existed at the time of signing.

[Figure: Multiple signatures and incremental updates. Diagram showing electronic signatures applied to 3 incremental updates on a document.]

Two important notes to keep in mind about incremental updates:

  • not all signatures are compatible with it,
  • not all PDF editors support it.
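
The check below is an added example, not code from the original article or from GdPicture.NET. It reads each signature's /ByteRange, rebuilds the revision that was signed, and counts the bytes appended after it by incremental updates; the function names and the PDF-shaped sample bytes are constructed for illustration.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two signed spans around the /Contents value
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signed_revisions(pdf: bytes) -> list:
    """For each signature, report what it covers and what was appended after it."""
    report = []
    for match in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in match.groups())
        end = off2 + len2  # end of the revision this signature was applied to
        entry = {"byte_range": (off1, len1, off2, len2)}
        # A usable range starts at byte 0, does not overlap, and fits in the file.
        entry["well_formed"] = off1 == 0 and len1 <= off2 and end <= len(pdf)
        if entry["well_formed"]:
            entry["signed_revision"] = pdf[:end]      # document as it was at signing
            entry["appended_bytes"] = len(pdf) - end  # > 0: incremental update(s) follow
            entry["covers_whole_file"] = end == len(pdf)
        report.append(entry)
    return report


def build_signed_sample() -> bytes:
    """Constructed sample: PDF-shaped bytes with a placeholder (all-zero) signature."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %05d %05d %05d] /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\nstartxref\n0\n%%EOF\n"
    head_len = len(head % (0, 0, 0))  # fixed-width fields keep the length stable
    return head % (head_len, head_len + len(contents), len(tail)) + contents + tail


SIGNED = build_signed_sample()
# Constructed incremental update: a note object appended after the signed bytes.
UPDATED = SIGNED + b"3 0 obj\n<< /Type /Annot /Subtype /Text >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("updated", UPDATED)):
        for entry in signed_revisions(data):
            print(name, entry["byte_range"], "appended:", entry.get("appended_bytes"))
```

This only locates the signed byte ranges. It does not verify the cryptographic signature or decide whether the appended changes are ones the signature's DocMDP settings permit.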

Use the incremental update method with GdPicture.NET

The GdPicture.NET PDF SDK allows you to use the incremental update method to modify signed PDFs by adding the changes after the signed file.

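Using pdf = New GdPicturePDF
	' Load the already-signed document.
	pdf.LoadFromFile("signed_document.pdf")
	' Use the top-left corner of the page as the coordinate origin.
	pdf.SetOrigin(PdfOrigin.PdfOriginTopLeft)
	' Add a sticky note annotation on page content that stays untouched.
	pdf.AddStickyNoteAnnotation(PdfStickyNoteAnnotationIcon.PdfAnnotationIconComment, 100, 100, "Author", "Subject", "This is a note.", 1, False, 0, 0, 0, 0, 0, 0, 0)
	' Save as an incremental update so the change is added after the signed file.
	pdf.SaveToFileInc("signed_document_with_note.pdf")
End Using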

See the full documentation in our guides.

Takeaways

To wrap up, here are a few things to keep in mind when modifying signed PDFs:

  • Modifying the page content of a signed file without re-signing it is not a good idea in almost all cases.
  • Know your signed files! 
  • Not all signatures allow modifications. Some allow the use of annotations, while others don’t.
  • Signatures implement the DocMDP (Document Modification Detection and Prevention) mechanism for checking modifications. What it permits can vary from document to document.
  • Use the incremental update method (SaveToFileInc / SaveToStreamInc) if you need to modify a signed document without compromising the original signature. 

Don’t let your customers use tricks and loopholes to edit their signed PDFs!
Help them use electronic signatures that are legally and technically valid by building the right tools.

Check our PDF signing features in the GdPicture.NET PDF SDK and let us know if you need any help.

Cheers!

Elodie & Matus

