Removing PDF Signature Certificates

There are several ways to lock down a PDF. The most common of these is the password, of which there are two variations: user and owner. The user password prevents the document from being opened without the password, while the owner password allows whoever created it to restrict access to certain functionality (like printing or image extraction), while placing no restrictions on the actual opening of the document. There’s a less common way of preventing a document from being altered: the digital signature. Applying a cryptographic digital signature effectively prevents anyone other than the document’s creator from altering it, or by extension, removing the signature. Or does it?

In 2005, German software engineer Martin Backschat discovered a way to remove the restrictions, which in turn allows the signature to be removed – all with just ten lines of Perl.

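    #!/usr/bin/perl
    # Usage: perl invalidate-signing-certs.pl < in.pdf > out.pdf
    #
    # Each match is overwritten with the same number of spaces, so the
    # file length and the byte offsets of its objects stay unchanged.
    binmode(STDIN);
    binmode(STDOUT);
    $/ = "\0";    # read NUL-delimited records instead of lines
    while(<>) {
        # blank the /Perms << /DocMDP ... >> entry
        s#(/Perms<</DocMDP.*?>>)#' ' x length $1#ge;
        # blank a /Ff 1 flag that precedes a /Lock entry
        s#(/Ff 1)(?=.*?/Lock )#' ' x length $1#ge;
        # blank a /Ff 1 flag that follows a /Lock entry
        s#(?<=/Lock)(.*?)(/Ff 1)#"$1" . ' ' x length $2#ge;
        # blank the /Lock entry itself, up to the next name
        s#(/Lock .*?)(?=/)#' ' x length $1#ge;
        print $_;
    }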

If you already have Perl on your system – which you do if you’re running Mac OS X or Linux – all you need is the code above (but there’s a zip with some other goodies on Martin’s page). There’s also a screencast of this process on YouTube. If you’re on Windows, you’ll need Cygwin.
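Why a validator reports the signature as broken after the script has run, as an added Python example (not from the original page or from Martin Backschat's code): a PDF signature covers the bytes named in its /ByteRange entry, so a same-length overwrite keeps every offset intact but changes the digest. The sample bytes are constructed, and `REFERENCE` is an assumption standing in for the digest a real validator reads from the signature's CMS data.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes):
    """Return the two (offset, length) pairs named by the first /ByteRange."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry: no signature dictionary found")
    a, b, c, d = (int(g) for g in m.groups())
    return [(a, b), (c, d)]

def covers_whole_file(pdf: bytes) -> bool:
    """True when only the <...> /Contents hex string is left unsigned."""
    (a, b), (c, d) = signed_ranges(pdf)
    gap = pdf[a + b:c]
    return a == 0 and c + d == len(pdf) and gap[:1] == b"<" and gap[-1:] == b">"

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over exactly the bytes the signature covers."""
    h = hashlib.sha256()
    for offset, length in signed_ranges(pdf):
        h.update(pdf[offset:offset + length])
    return h.hexdigest()

def build_sample() -> bytes:
    """Constructed PDF-like bytes with a consistent /ByteRange (not a real signed PDF)."""
    pre = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/Perms<</DocMDP 5 0 R>>>>endobj\n"
           b"5 0 obj<</Type/Sig/ByteRange ")
    fmt = b"[%010d %010d %010d %010d]/Contents "
    gap = b"<" + b"00" * 32 + b">"
    tail = b">>endobj\n%%EOF\n"
    start = len(pre) + len(fmt % (0, 0, 0, 0))
    return pre + fmt % (0, start, start + len(gap), len(tail)) + gap + tail

def check(pdf: bytes, reference: str) -> dict:
    """What a validator sees: structure intact or not, digest matching or not."""
    return {"covers_whole_file": covers_whole_file(pdf),
            "digest_matches": signed_digest(pdf) == reference}

SIGNED = build_sample()
REFERENCE = signed_digest(SIGNED)  # assumption: stands in for the CMS messageDigest
ENTRY = b"/Perms<</DocMDP 5 0 R>>"
BLANKED = SIGNED.replace(ENTRY, b" " * len(ENTRY))  # same-length overwrite

if __name__ == "__main__":
    print("signed :", check(SIGNED, REFERENCE))
    print("blanked:", check(BLANKED, REFERENCE))
```

The blanked copy still passes the structural check, which is why recomputing the digest over the ByteRange, rather than inspecting the layout, is what exposes the change.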

Once the script has worked its magic, it’s fairly trivial to remove the signature, though not exactly intuitive.

In Acrobat 8...

Short version:

1 Right-click the signature and select Clear Signature from the context menu.

2 Go to Forms > Edit form in Acrobat.

3 Select the signature container and delete it.

Save your sparkly clean PDF.

Long version:

You don’t actually need to do this, but if you’re curious about what’s going on, walking through it once will help illustrate the process...

1 Down the left edge of the application window is a stack of icons which correspond to informational sidebar panels: page thumbnails, bookmarks, etc. Open the Signatures panel and you should see this warning just below the signature (the line beginning “Signed by ... ”):

This is because it’s been thoroughly mauled by the unsigning script.

2 You can either click the signature line and select Go to Signature field from the Options drop down just above, or right-click it and select the same command from the context menu. The page will shift to wherever the signature is, and highlight it with a box.

3 Right-click the signature and select Clear Signature from the context menu.

4 Go to Forms > Edit form in Acrobat.

5 Select the signature container and delete it.

Save your sparkly clean PDF.

In Acrobat 9 and X...

Beginning with version 9, Adobe changed the way that Acrobat handles signatures. Even if a document contains an invalid signature, all of the controls except for Validate All Signatures (which serves no purpose in the case of a munged sig) are greyed out and inaccessible. Fortunately, there’s a simple workaround for clearing the broken and worthless signature stamp.

1 Expanding the info in the Signature panel, you should see an entry listing the page on which the signature is physically located. Hovering over this field should give you the hand tool; clicking it will take you to the page.

2 Extracting the page will give you a new document without the offending signature. (If you don’t Delete Pages After Extracting, the original serves as a handy placeholder.)

3 Insert the clean page into the original document, and delete the page containing the mangled signature.

Save the file, and you’re done.

Recent Events Occurring Recently

As mentioned above, Adobe has been actively changing Acrobat’s feature set for a number of years. Really, what they’ve been doing with every new version is determinedly stripping out anything that could be even remotely construed as useful functionality. At this rate, in another few iterations, you won’t even be able to open documents.

Frequent suggestions for dealing with munged signatures (and various other challenges) in newer versions of Acrobat are to simply extract the pages and reconstruct the PDF, print the PDF in question to another PDF, or make a PostScript version of the original and then re-Distill that. While that works, the problem is that you lose all the bookmarks, links, and pagination in the process. Obviously, that’s not really a tenable solution.

Fortunately, all is not lost. Back in 2013, Adobe graciously (and inexplicably) offered installers and serials for both the Windows and Mac versions of Acrobat 8 Professional – it being six or seven years old by that point. Far from being long in the tooth, it’s got plenty of fang for the job at hand.

Get yourself a copy and keep it installed alongside whatever modern reader you’re already using.