Chapter 14, Security, Control, and Digital Signatures
XFA Specification
Signed Forms
416
            <certificates url="MyCertURL">
              <signing type="optional">
                <certificate>...</certificate>
                ...
              </signing>
              <issuers type="required">
                <certificate>...</certificate>
                ...
              </issuers>
              <oids type="optional">
                <oid>...</oid>
                ...
              </oids>
            </certificates>
          </filter>
        </signData>
      </proto>
    </subform>
  </template>
</xdp:xdp>
PDF Signatures
A PDF signature applied to an XFA form is always a document-of-record signature because it always
includes XFA data, configuration, and data. Because it is always a document-of-record signature, it is
placed upon a form by an explicit action of the user. To this end, XFA defines a signature widget that is
used only for PDF signatures. The widget itself displays the signed or unsigned state of the document.
Since there can potentially be more than one signature widget on a document, each widget
independently displays its own signed state.
Applying a PDF signature to a form does not prevent subsequent alterations to the form; however, if the
signed portion of the form is altered, the signature dictionary stored in the document no longer matches a
freshly calculated signature value. Hence, analysis can determine that the form was tampered with after
signing.
The PDF signature includes the entire XFA form embedded in the PDF and most of the non-XFA content in
the PDF as well. Some portions of the non-XFA content are omitted as specified in the PDF standard
[PDF].
Unlike an XML digital signature, a PDF signature signs the XFA form exactly as it is currently expressed,
rather than signing a normalized copy. This means that it is not possible to make even meaningless
changes to the XFA form without voiding the signature. For example, changing a space to a tab in
between an element tag and the following attribute name voids the signature, even though it does not
change the meaning of the XML.
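The following added example (not part of the XFA specification) illustrates the difference described above by hashing a constructed XML fragment both byte-for-byte and after canonicalization. It assumes SHA-256 as the digest and uses Python's C14N 2.0 `canonicalize` as a stand-in for XML-signature normalization; a real PDF signature digest covers the signed bytes of the PDF file, not just this fragment.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: a minimal XFA-like fragment, not taken from the specification.
ORIGINAL = b'<field name="amount"><value>100</value></field>'
# Same XML with the space between the element tag and the attribute name changed to a tab.
RETABBED = ORIGINAL.replace(b'<field name', b'<field\tname')
# A change that alters the meaning: the field value itself.
TAMPERED = ORIGINAL.replace(b'100', b'900')


def raw_digest(xml_bytes):
    """Digest over the exact bytes, the way a PDF signature covers the form as expressed."""
    return hashlib.sha256(xml_bytes).hexdigest()


def normalized_digest(xml_bytes):
    """Digest over a canonical copy (assumption: C14N 2.0 models the normalization step)."""
    canonical = canonicalize(xml_data=xml_bytes.decode("utf-8"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(signed, current):
    """Report whether each style of digest still matches the signed version."""
    return {
        "raw_match": raw_digest(signed) == raw_digest(current),
        "normalized_match": normalized_digest(signed) == normalized_digest(current),
    }


def classify(signed, current):
    """Triage a mismatch: byte-level only, or a change to the XML content."""
    result = compare(signed, current)
    if result["raw_match"]:
        return "unchanged"
    if result["normalized_match"]:
        return "bytes changed, XML meaning unchanged"
    return "XML content changed"


if __name__ == "__main__":
    for label, doc in (("retabbed", RETABBED), ("tampered", TAMPERED)):
        print(label, compare(ORIGINAL, doc), "->", classify(ORIGINAL, doc))
```

The space-to-tab edit fails the byte-level comparison while passing the normalized one, which is why a voided PDF signature on its own does not tell a verifier whether the form's meaning changed.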