Skip to content

Command line tool for signing and timestamping PDF Files using certificates from Windows Certififcate Store, PKCS#12 files and PKCS#11 dongles

License

Notifications You must be signed in to change notification settings

MrMabulous/PDFSign

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PDFSign

Basic command line tool for signing and certifying PDF Files using a PKCS12 certificate, a certificate from the windows store or using a PKCS11 compatible hardware token.

Notes

This is a command line tool that allows signing and/or timestamping of pdf files using certificates. The actual PDF manipulation is performed using the itextsharp library v5.5. This is a fork of (https://github.com/IcoDeveloper/PDFSign) with some added features and bug fixes (hardware token support, LTV, certification, TSA authentication, document timestamps). This tool was originaly published by Martin Bene on codeplex

The signing certificate can can either be provided as a PKCS12 file, it can come from the windows certificate store or it can come from a hardware token.

In order to use a certificate from the windows store, the certificate must

  • have the private key marked as exportable
  • the user running pdfsign must have read access to the private key

In order to use a hardware token, the token must support PKCS11 and the path to the driver DLL implementing the PKCS11 api must be provided. For example, for SafeNet eToken this would be C:\Windows\System32\eTPKCS11.dll

It's also possible to only timestamp the document using a trusted timestamping service (TSA) without signing it (for this, simply don't provide any certificate but do provide a tsa url).

In Addition to nuget packages, the build process uses Microsofts ILMerge tool to produce a consolidated single binary including all dlls.

LTV (long term validation) is enabled by default. This embeds the certificate-chain, certificate revocation lists and OSCP replies into the document so that the signature remains verifiable also beyond the validity of the signing certificate. This can significantly increase filesize however if certificates in the chain don't use OSCP and instead reference large CRL files. LTV can be disabled with -ltv- NOTE: If a TSA URL is provided and LTV is enabled, the programm will request two timestamp tokens from the TSA. The first one is only used to extract the trust chain of the token, which is needed to enable LTV for the second token, which will actually timestamp the document. This way Adobe Reader will recognize the Timestamp as LTV enabled.

usage

pdfsign v1.6.1, (c) 2021 Mabulous GmbH
powered by:
pdfsign v1.3.0, (c) 2019 icomedias GmbH
iTextSharp 5.5 Copyright (C) 1999-2018 by iText Group NV
Pkcs11Interop Copyright (C) 2012-2021 The Pkcs11Interop Project
Usage: pdfsign [OPTIONS]
Sign a PDF file using a signing certificate

Options:
  -i, --infile=VALUE         PDF input file
  -o, --outfile=VALUE        Output file for signed PDF
  -b, --backpage=VALUE       PDF file to append to infile before placing
                               signature (optional)
  -p, --password=VALUE       Import password for signing certificate or PIN for
                               pkcs11 token
      --pkcs11lib=VALUE      Path to PKCS11 Library DLL. If specified, PKCS11
                               Token will be used for signing
      --tokenserial=VALUE    The Serial of the PKCS11 token to use. Optional if
                               only a single Token is connected
      --certid=VALUE         The ID (CKA_ID) of the certificate on the token to
                               use. Optional if only a single certificate is
                               stored on the token
      --thumbprint=VALUE     Thumbprint for signing certificate from windows
                               store
      --store=VALUE          Store for signing certificate from windows (
                               CurrentUser or LocalMachine (default
                               LocalMachine))
  -c, --certfile=VALUE       PKCS12 signing certificate
  -r, --reason=VALUE         Signature reason (gets embedded in signature)
  -l, --location=VALUE       Signature location (gets embedded in signature)
  -t, --contact=VALUE        Signature contact (gets embedded in signature)
  -s, --show                 Show signature (signature field visible), on: -s+
                               off: -s-, default on
      --page=VALUE           Page of the document to place signature: 1..n,
                               last. default 1
      --template=VALUE       Template for the signature text. use \n for line
                               breaks, [name], [date] for substitution
      --dateformat=VALUE     Format for [date] substitution when using template
      --showvalidity         Show signature validity (deprecated), on: -
                               showvalidity+ off: -showvalidity-, default off
      --tsa=VALUE            URL of rfc3161 TSA (Time Stamping Authority)
      --tsauser=VALUE        If selected TSA server requires credentials, enter
                               username (optional)
      --tsapass=VALUE        If selected TSA server requires credentials, enter
                               password (optional)
      --ltv                  Enables Long Term Validation, on: -ltv+, off: -ltv-
                               , default on
      --certlevel=VALUE      Certification Level. 0: Not certified, 1: No
                               changes allowed, 2: Only Allow Form-Filling, 3:
                               Only Allow Form-Filling & Annotations, default 0
      --width=VALUE          Signature width, default 180
      --height=VALUE         Signature height, default 80
      --hsep=VALUE           Horizontal seperation of signatures, default 10
      --vsep=VALUE           Vertical seperation of signatures, default 10
      --hoffset=VALUE        Horizontal offset of signatures, default 350
      --voffset=VALUE        Vertical offset of signatures, default 5
      --cols=VALUE           Number of signature columns, default 1
  -v, --verbose              Enable log output, on: -v+, off: -v-, default on
  -m, --multi                Opens document in 'Append mode', leaving existing
                               signatures untouched, on: -m+, off: -m-, default
                               on
  -h, -?, --help             Show this help message and exit
Return Values:
         0: Success
        -1: Bad Command Line Option(s)
        -2: Error processing signing certificate
        -3: Error getting secret key
        -4: Error getting certificate chain
        -5: Error processing input file
        -6: Error opening output file
        -7: Error generating signature
        -8: Error using PKCS11 token```

## multiple signatures

Multiple signatures are supported; if you leave signature visibility turned on, additional signatures get 
seperate signature field names (Signature, Signature1, Signature2...) and are automatically positioned as 
a grid with --cols columns from left to right and bottom to top.

## certification

By default the PDF is only signed, not certified (which allows to add additional signatures later).
To certify, set --certlevel to something other than 0

## Trusted Timestamping

To add a trusted timestamp (which allows to prove that the document was not altered after the date of
the timestamp) set --tsa to a URL of a RFC 3161 TSA-server.
If the server requires login, additionally define --tsauser and --tsapass

About

Command line tool for signing and timestamping PDF Files using certificates from Windows Certififcate Store, PKCS#12 files and PKCS#11 dongles

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C# 100.0%