Reputation: 321
I am trying to add an overlay (which I think is a disallowed change) to an already signed PDF (visible detached signature) and then sign this PDF again. This results in invalidation of the first signature. However, the second signature remains valid.
Is it possible for both signatures to be valid after the second signing?
I am using PDFBox v2.0.8
Attaching sample pdfs here
Thanks, Abhi
Upvotes: 1
Views: 1125
Reputation: 95918
As it turned out the main problem was not whether or not the changes applied after the first signature were allowed or not, the problem was that these changes were added to the file using a normal save.
Such a normal save can completely change the order in which PDF objects are stored in the PDF file. Consequentially such a normal save damages the first signature beyond repair as its alleged signed byte ranges have changed and the signature value is not located in the gap between those ranges anymore either.
Thus, whichever changes you apply to a signed document, make sure you store them as an incremental update!
That being said, though, it is difficult to use the PDFBox incremental update mechanism for anything else than what it was designed for, i.e. anything but adding additional signatures. You have to mark the low level objects you changed including a chain of objects from the document catalog to them, so you must in particular understand how exactly your changes are implemented on a very low level. Furthermore, this mechanism often requires you to save more objects than actually have changed due to the "chain from the catalog" criterion.
Upvotes: 2
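The effect described in the answer above, as an added example that is not part of the original posts and not PDFBox code: a structural check (no cryptographic validation) of whether each `/ByteRange` still brackets its `/Contents` hex string. The function names `check_signatures` and `build_signed` and all sample bytes are constructed for illustration; the sample files are simplified and omit cross-reference tables.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]*>")

def check_signatures(pdf: bytes) -> list:
    """Structural check only: is each /ByteRange still consistent with the file?"""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        start1, len1, start2, len2 = map(int, m.groups())
        gap = pdf[start1 + len1:start2]  # must be exactly the /Contents hex string
        results.append({
            "byte_range": (start1, len1, start2, len2),
            "in_bounds": start1 == 0 and len1 <= start2 and start2 + len2 <= len(pdf),
            "gap_is_contents": HEX_STRING.fullmatch(gap) is not None,
            # False means bytes were appended after signing, e.g. an incremental update
            "covers_whole_file": start2 + len2 == len(pdf),
        })
    return results

def build_signed(header: bytes) -> bytes:
    """Constructed sample: a fake signature dictionary with a correct fixed-width /ByteRange."""
    prefix = header + b"1 0 obj\n<< /Type /Sig /ByteRange ["
    middle = b"] /Contents "
    contents = b"<" + b"AB" * 16 + b">"    # placeholder, not a real signature value
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(prefix) + 43 + len(middle)  # 43 = four 10-digit numbers plus three spaces
    start2 = len1 + len(contents)
    byte_range = b"%010d %010d %010d %010d" % (0, len1, start2, len(tail))
    return prefix + byte_range + middle + contents + tail

HEADER = b"%PDF-1.7\n"
OVERLAY = b"5 0 obj\n<< /Type /Annot >>\nendobj\n"  # constructed stand-in for the overlay objects
SIGNED = build_signed(HEADER)
# Incremental update: original bytes untouched, new objects appended after them.
INCREMENTAL = SIGNED + OVERLAY + b"%%EOF\n"
# Normal save: objects are written out again in a different order, shifting the signature.
REWRITTEN = HEADER + OVERLAY + SIGNED[len(HEADER):]

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("incremental", INCREMENTAL), ("rewritten", REWRITTEN)):
        print(name, check_signatures(data))
```

A first signature that reports `gap_is_contents` true and `covers_whole_file` false is the expected shape after a later incremental update; `gap_is_contents` false means the file was rewritten and that signature cannot validate.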