
Shadow attacks: hiding and replacing content in signed PDFs - fanf2
https://pdf-insecurity.org/
======
xtacy
The core problem seems to be:

    
    
       For instance, overwriting content on a page of the document is not allowed and thus leads to invalid signature verification. Nevertheless, some changes are considered harmless by the PDF applications and do not throw any warnings
    

I am trying to understand if there is any design consideration behind not
signing the entire PDF, but only some sections?

~~~
josephcsible
One obvious need is other signature blocks that haven't yet been signed. When
you sign a PDF, your name and the date end up in the signature block that's
part of the PDF and, e.g., prints with it. If you had to sign the entire PDF,
then a second person adding their signature would invalidate the first one.

~~~
Bootvis
Surely there must be a way to have an order of signing so that additional
signing doesn’t invalidate previous signatures.

