Removing PDF Signature Certificates

There are several ways to lock down a pdf. The most common of these is the password, of which there are two variations: user and owner. The user password prevents the document from being opened without the password, while the owner password allows whoever created it to restrict access to certain functionality (like printing or image extraction), while placing no restrictions on the actual opening of the document. There’s a less common way of preventing a document from being altered: the digital signature. Applying a cryptographic digital signature effectively prevents anyone other than the document’s creator from altering it, or by extension, removing the signature. Or does it?

In 2005, German software engineer Martin Backschat discovered a way to remove the restrictions, which in turn allows the signature to be removed – all with just ten lines of Perl.

#!/usr/bin/perl

# Usage: perl invalidate-signing-certs.pl <in.pdf> out.pdf

#

binmode(STDIN);

binmode(STDOUT);

$/ = "\0";

while(<>) {

s#(/Perms<</DocMDP.*?>>)#' ' x length $1#ge;

s#(/Ff 1)(?=.*?/Lock )#' ' x length $1#ge;

s#(?<=/Lock)(.*?)(/Ff 1)#"$1" . ' ' x length $2#ge;

s#(/Lock .*?)(?=/)#' ' x length $1#ge;

print $_;

}

If you already have Perl on your system – which you do if you’re running Mac os x – all you need is the code above (but there’s a zip with some other goodies on Martin’s page).

If you’re on Windows, the script was repackaged by cupcake along with the Cygwin dll’s needed to run it, and a bat file. All you have to do is extract the zip, copy the pdf’s you wish to clean into the Unsign directory, and run the bat. The first time it runs, a subdirectory called “unsigned” is created and the new pdf’s are copied into it. There’s also a screencast of this process on YouTube.

Once the script has worked its magic, it’s fairly trivial to remove the signature, though not exactly intuitive.

In Acrobat 8...

Short version:

1 Right-click the signature and select Clear Signature from the context menu.

2 Go to Forms > Edit form in Acrobat.

3 Select the signature container and delete it.

Save your sparkly clean pdf.

Long version:

You don’t actually need to do this, but if you’re curious about what’s going on, walking through it once will help illustrate the process...

1 Down the left edge of the application window is a stack of icons which correspond to informational sidebar panels: page thumbnails, bookmarks, etc. Open the Signatures panel and you should see this warning just below the signature (the line beginning “Signed by ... ”):

This is because it’s been thoroughly mauled by the unsigning script.

2 You can either click the signature line and select Go to Signature field from the Options drop down just above, or right-click it and select the same command from the context menu. The page will shift to wherever the signature is, and highlight it with a box.

3 Right-click the signature and select Clear Signature from the context menu.

4 Go to Forms > Edit form in Acrobat.

5 Select the signature container and delete it.

Save your sparkly clean pdf.

In Acrobat 9 and x...

Beginning with version 9, Adobe changed the way that Acrobat handles signatures. Even if a document contains an invalid signature, all of the controls except for Validate All Signatures (which serves no purpose in the case of a munged sig) are greyed out and inaccessible. Fortunately, there’s a simple workaround for clearing the broken and worthless signature stamp.

1 Expanding the info in the Signature panel, you should see an entry listing the page on which the signature is physically located. Hovering this field should give you the hand tool; clicking it will take you to the page.

2 Extracting the page will give you a new document without the offending signature. (If you don’t Delete Pages After Extracting, the original serves as a handy placeholder.)

3 Insert the clean page into the original document, and delete the page containing the mangled signature.

Save the file, and you’re done.