Q&A: How do I obtain and load a public certificate for digital signature verification?

Question:
How do I obtain and load a public certificate for digital signature verification? (Also: a signature cannot be verified due to trust issues related to lack of trusted certificates in the VerificationOptions; how do I fix this?)

Answer:

Usually, the signer uses a keyfile whose corresponding public certificate is already in the Acrobat trust lists. These lists can be downloaded into Acrobat semi-automatically (by clicking ‘Yes’ in the ‘Install Trusted Certificates’ dialog), and we can also load them (if in the p7c file format) using PDF::VerificationOptions::AddTrustedCertificates (note the ‘s’ on the end: it is the bulk-loading version of the function). Acrobat supports extracting to p7c, and extracting seems to be the easiest way to get all the trust lists (rather than going to all the individual list publishers). We don’t support some certificates which use unusual extensions or time formats, but we can bulk load most of the ones in the trust lists.

If your document still doesn’t verify due to lack of a trusted root, the signer’s certificate is probably not on the trust list. (You can check the details of trust verification by getting the trust string and presumptive certificate path data from the PDF::TrustVerificationResult, which is contained in the PDF::VerificationResult.) To verify with such a certificate, do the following:

  1. If the signer doesn’t have ready access to the public certificate directly, get them to extract ONLY their public certificate (i.e. not their private key) from their keyfile (*.pfx); otherwise, skip this step. The format doesn’t matter too much: we support both PEM and binary DER.
  2. Get whoever signed the document to send this certificate to you via a secure (authenticated) channel so that you obtain the correct certificate for trusting from the correct person or organization.
  3. Load the certificate into your options using PDF::VerificationOptions::AddTrustedCertificate.
  4. Pass the VerificationOptions object to the Verify function.
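
One way to vet the file received in steps 1 and 2 before trusting it, as an added example that is not SDK code: it accepts PEM or binary DER, refuses anything carrying a private key or shaped like a whole *.pfx, and compares the SHA-256 fingerprint with the value the signer gives you over the authenticated channel. The function names and the fingerprint comparison are assumptions, and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in with a certificate-shaped DER outline (not a real certificate).
CONSTRUCTED_DER = bytes.fromhex("300730030201020500")


def _der_header(buf):
    """Return (tag, content_start, content_length) of the leading DER element."""
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[2:2 + n], "big")


def load_public_cert_der(data):
    """Return the DER bytes of a lone certificate (PEM or DER input), else raise."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        if any("PRIVATE KEY" in label for label in labels):
            raise ValueError("file carries a private key; ask for the certificate only")
        if labels != ["CERTIFICATE"]:
            raise ValueError("expected one CERTIFICATE block, got %r" % labels)
        data = base64.b64decode(blocks[0][1])
    if len(data) < 4:
        raise ValueError("too short to be a certificate")
    tag, start, length = _der_header(data)
    if tag != 0x30 or length == 0 or start + length != len(data):
        raise ValueError("not a single DER SEQUENCE")
    # A certificate's first inner element is the tbsCertificate SEQUENCE (0x30);
    # a PKCS#12 keyfile (*.pfx) starts with an INTEGER version (0x02) instead.
    if data[start] != 0x30:
        raise ValueError("not certificate-shaped; possibly the whole *.pfx keyfile")
    return data


def fingerprint_matches(data, expected_hex):
    """Compare SHA-256 of the DER with the value the signer gave out-of-band."""
    actual = hashlib.sha256(load_public_cert_der(data)).hexdigest()
    expected = re.sub(r"[^0-9a-f]", "", expected_hex.lower())
    return hmac.compare_digest(actual, expected)
```

Only a file for which `fingerprint_matches` returns True should go on to AddTrustedCertificate in step 3.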