

© 2013 Adobe Systems, Inc. All rights reserved.

Updated Oct 14, 2014.

15   Digital signatures

Digital signature features are only available in Reader for documents that have been rights enabled by a LiveCycle server or an author who has selected Extend Features in Adobe Reader. Acrobat users can take full advantage of all the available signature capabilities. For more detail about dozens of other options, see the Digital Signatures Guide.

Note

Due to the complexity and critical nature of these settings, installations should leverage existing configurations via the Registry feature.

15.1   Signature validation (verification)

To set a signature validation method, do the following:

  1. Set the Default Verification Method to one of the following:

    • Use the document-specified method. Prompt if it is not available.
    • Use the document-specified method. Use the default method if it is not available.
    • Always use the default method (overrides the document-specified method).

    In some enterprise situations, administrators may require a method other than Adobe Default Security. For example, non-Adobe plugins may be used in business environments that require support of biometrics, signature escrow, alternative methods of private key access, and so on. In those cases, administrators may specify an alternate plugin or provide user training on how to choose the right one.

    This setting is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cHandlers]
    "aPrivKey"="Adobe.PPKLite"
    "aVerify"="Adobe.NoHandler"
    "bVerifyUseAlways"=dword:00000000

  2. Lock the default verification (signature validation) method by checking Prevent end user from modifying.... This setting sets:

    [HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cSecurity\cHandlers\]
    "bVerify"

  3. Set whether you want to automatically Verify signatures when the document is opened. This setting sets:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cDigSig]
    "bValidateOnOpen"

  4. Lock automatic signature verification by choosing Prevent user from modifying this setting. This setting sets:

    [HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockdown\cSecurity\cDigSig\]
    "bValidateOnOpen"

15.2   Signature creation

To configure the signing method, do the following:

  1. Set the Default Signature Method to one of the following:

    • Adobe Default Security
    • Ask when I sign
    • Third party

    This setting sets:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cHandlers]
    "aPrivKey"

  2. Lock Default Signature Method by checking the Disable modify . . . checkbox. This setting sets:

    [HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cSecurity\cHandlers\]
    "bPrivKey"

  3. Check Show location and contact information when signing if you would like the Location and Contact Info fields to appear in the signing dialog during signing. The data is then added to the signature block after signing. The value is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cPubSec]
    "bAllowOtherInfoWhenSigning"

  4. Set Enable reviewing of document warnings to allow signers to check document integrity prior to signing. The document can be analyzed to determine if it contains any content that could adversely impact the integrity of the signing process. For example, a document could contain JavaScript that could change a data field before or after a signature is applied.

    • Never
    • When Certifying only
    • Always

    The value is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cPubSec]
    "iShowDocumentWarnings"

  5. Set Prevent signing until document warnings are reviewed to force a review of document warnings.

Note

Enable Reviewing of Document Warnings and Prevent signing until document warnings are reviewed settings function in tandem and should be set together. Setting both these options to Always results in the highest degree of assurance that the signing process is not adversely impacted by malicious content. The value is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cPubSec]
    "iRequireReviewWarnings"

  6. Set Prevent users from certifying without visible signatures. Selecting this option prevents the use of invisible certification signatures. The value is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cDigSig]
    "bAllowInvisibleSig"

15.3   Signing reasons

  1. Set Show reasons when signing. Enabling this option results in a Reasons field appearing in the signing dialog. The signer can then choose a default reason such as “I have reviewed this document” or create a new one. The value is stored in:

    [HKCU\Software\Adobe\<product name>\<version>\Security\cPubSec]
    "bAllowReasonWhenSigning"

  2. Lock Show reasons when signing by choosing Prevent user from modifying this setting. The value is stored in:

    [Software\Policies\Adobe\<product name>\<version>\FeatureLockdown\cSecurity\cPubSec]
    "bReasons"
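The registry values listed in 15.1 through 15.3 can also be deployed and audited from a script rather than through the Wizard. The PowerShell below is an added example and is not Adobe's code: it writes the per-user preferences to HKCU and the corresponding lockdown flags to the HKLM FeatureLockDown policy key, then reports any value that differs from the desired state. The product key name ("Adobe Acrobat"), the version ("11.0"), the numeric meaning of the warning levels (0 = Never, 1 = When Certifying only, 2 = Always) and the lockdown flag value (1 = locked) are assumptions to confirm against the Digital Signatures Guide for your product before rollout.

```powershell
# Added example (not Adobe's code): apply the 15.1-15.3 settings from a
# script instead of the Wizard, then audit for drift. Product name, version,
# warning-level numbers and the lockdown flag value are assumptions; check
# them against the Digital Signatures Guide for the product you deploy.
param(
    [string]$ProductName  = "Adobe Acrobat",  # assumption: installed product's key name
    [string]$Version      = "11.0",           # assumption: installed major version
    [int]   $WarningLevel = 2                 # assumption: 0 = Never, 1 = When Certifying only, 2 = Always
)

$userBase   = "HKCU:\Software\Adobe\$ProductName\$Version\Security"
$policyBase = "HKLM:\SOFTWARE\Policies\Adobe\$ProductName\$Version\FeatureLockDown\cSecurity"

# Per-user preferences (HKCU). Handler values mirror the stored example in 15.1;
# replace aVerify with your plugin's handler name if you use a third-party method.
$userSettings = @(
    @{ Key = "cHandlers"; Name = "aPrivKey";                   Value = "Adobe.PPKLite";   Type = "String" }
    @{ Key = "cHandlers"; Name = "aVerify";                    Value = "Adobe.NoHandler"; Type = "String" }
    @{ Key = "cHandlers"; Name = "bVerifyUseAlways";           Value = 0;                 Type = "DWord"  }
    @{ Key = "cDigSig";   Name = "bValidateOnOpen";            Value = 1;                 Type = "DWord"  }  # verify on open
    @{ Key = "cDigSig";   Name = "bAllowInvisibleSig";         Value = 0;                 Type = "DWord"  }  # visible certification only
    @{ Key = "cPubSec";   Name = "bAllowOtherInfoWhenSigning"; Value = 1;                 Type = "DWord"  }
    @{ Key = "cPubSec";   Name = "bAllowReasonWhenSigning";    Value = 1;                 Type = "DWord"  }
    @{ Key = "cPubSec";   Name = "iShowDocumentWarnings";      Value = $WarningLevel;     Type = "DWord"  }  # set together...
    @{ Key = "cPubSec";   Name = "iRequireReviewWarnings";     Value = $WarningLevel;     Type = "DWord"  }  # ...per the note in 15.2
)

# Machine policy (HKLM FeatureLockDown) so users cannot undo the choices above.
# Assumption: 1 means "locked" for these flags.
$lockSettings = @(
    @{ Key = "cHandlers"; Name = "bVerify";         Value = 1; Type = "DWord" }
    @{ Key = "cHandlers"; Name = "bPrivKey";        Value = 1; Type = "DWord" }
    @{ Key = "cDigSig";   Name = "bValidateOnOpen"; Value = 1; Type = "DWord" }
    @{ Key = "cPubSec";   Name = "bReasons";        Value = 1; Type = "DWord" }
)

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    # Create the key if missing, then create or overwrite the value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Invoke-SignatureLockdown {
    foreach ($s in $userSettings) { Set-RegValue "$userBase\$($s.Key)"   $s.Name $s.Value $s.Type }
    foreach ($s in $lockSettings) { Set-RegValue "$policyBase\$($s.Key)" $s.Name $s.Value $s.Type }
}

# Emits one line per value that differs from the desired state (missing values count as drift).
function Get-RegDrift([string]$Base, [array]$Table) {
    foreach ($s in $Table) {
        $path    = "$Base\$($s.Key)"
        $current = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value) {
            "$path\$($s.Name): expected '$($s.Value)', found '$current'"
        }
    }
}

# Returns an empty array when both hives match the desired state.
function Test-SignatureLockdown {
    @(Get-RegDrift $userBase $userSettings) + @(Get-RegDrift $policyBase $lockSettings)
}

Invoke-SignatureLockdown
Test-SignatureLockdown | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated session, since the FeatureLockDown values live under HKLM; the HKCU half must run in the context of each user whose preferences you want to set, which is why the two tables are kept separate. Running only Test-SignatureLockdown on a schedule gives a simple drift check for the locked-down state.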

15.4   Directory servers

Acrobat products ship with pre-configured directory servers stored in a directories.acrodata file. The servers are used by the Trusted Identity Manager to locate certificates used in digital signature and certificate security workflows. Users can trust these certificates for signing and certifying documents as well as for encrypting documents prior to sending them to the certificate owner. In enterprise settings, certificates are stored on a directory server, thereby providing users with a searchable and already trusted set of identities.

If your company uses a centrally managed certificate repository, such as an LDAP directory server, you can add pre-configured server information to the installer. To do so:

  1. In the Directory Servers field, choose Set.
  2. Select the directory server file (directories.acrodata) or navigate to another file.

    By default, the Wizard opens the Security directory for the currently logged on user. When set, the value is stored in:

    [ALL_USERS_PROFILE]\Application Data\Adobe\<product name>\<version>\Replicate\Security

  3. Choose Open. The text box displays a message that this feature has been set.

Note

If you select a file name other than directories.acrodata, the file will be renamed.

15.4.1   Unsetting directory servers

To unset the directory server, choose Unset. The text box displays the message that this feature is not set.

Note

You can also set these files with the Files and Folders feature.

15.5   Trusted identities

Acrobat products do not ship with trusted identity data. Enterprise IT will typically want to install a pre-configured addressbook.acrodata file that captures Lightweight Directory Access Protocol (LDAP) information for contacts and certificates. The certificates can be delivered as already installed trusted identities with specific levels of trust set for any or all certificates used in digital signature and certificate security workflows.

  1. In the Trusted Identities field, choose Set.
  2. By default, the Wizard opens the Security directory for the currently logged on user. Select the directory server file addressbook.acrodata or navigate to another file.
  3. Choose Open. The text box displays a message that this feature has been set.

    • If you select a file name other than addressbook.acrodata, the file will be renamed.
    • You can also set these files with the Files and Folders feature.

The value is stored at:

[ALL_USERS_PROFILE]\Application Data\Adobe\<product name>\<version>\Replicate\Security

15.5.1   Unsetting trusted identities

To unset trusted identities, choose Unset. The text box displays the message that this feature is not set.
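The file placement described in 15.4 and 15.5 can be reproduced outside the Wizard, for example from a deployment script that runs after installation. The PowerShell below is an added example, not Adobe's code: it copies an exported directories.acrodata and addressbook.acrodata into the Replicate\Security folder, renames them to the expected names the way the Wizard does, and verifies that both files are present and non-empty. It assumes the product key name and version, and that [ALL_USERS_PROFILE]\Application Data corresponds to $env:ProgramData on current Windows versions.

```powershell
# Added example (not Adobe's code): stage pre-configured directory-server and
# trusted-identity files into the per-machine Replicate\Security folder named
# in 15.4 and 15.5, renaming them as the Wizard does. Assumptions: the product
# key name and version, and that [ALL_USERS_PROFILE]\Application Data maps to
# $env:ProgramData on current Windows versions.
param(
    [Parameter(Mandatory = $true)][string]$DirectoriesFile,  # your exported directories.acrodata
    [Parameter(Mandatory = $true)][string]$AddressBookFile,  # your exported addressbook.acrodata
    [string]$ProductName = "Adobe Acrobat",                  # assumption
    [string]$Version     = "11.0"                            # assumption
)

$securityDir = Join-Path $env:ProgramData "Adobe\$ProductName\$Version\Replicate\Security"

# Names Acrobat expects; a file with any other name is renamed on copy (see the notes above).
$expected = @{
    Directories = "directories.acrodata"
    AddressBook = "addressbook.acrodata"
}

function Install-AcroData([string]$Source, [string]$CanonicalName) {
    if (-not (Test-Path -LiteralPath $Source)) { throw "Source file not found: $Source" }
    if (-not (Test-Path -LiteralPath $securityDir)) {
        New-Item -ItemType Directory -Path $securityDir -Force | Out-Null
    }
    $leaf = Split-Path -Leaf $Source
    if ($leaf -ne $CanonicalName) { Write-Host "Renaming $leaf to $CanonicalName" }
    $dest = Join-Path $securityDir $CanonicalName
    Copy-Item -LiteralPath $Source -Destination $dest -Force
    return $dest
}

# Emits the expected file names that are missing or empty; no output means both features are set.
function Test-AcroData {
    foreach ($name in $expected.Values) {
        $p = Join-Path $securityDir $name
        if (-not (Test-Path -LiteralPath $p) -or (Get-Item -LiteralPath $p).Length -eq 0) { $name }
    }
}

Install-AcroData $DirectoriesFile $expected.Directories | Out-Null
Install-AcroData $AddressBookFile $expected.AddressBook | Out-Null
$missing = @(Test-AcroData)
if ($missing.Count -eq 0) { "Directory servers and trusted identities are set." }
else { Write-Warning "Not set: $($missing -join ', ')" }
```

Because the Replicate\Security folder is per-machine, the script needs write access to $env:ProgramData; Test-AcroData alone can run unprivileged to confirm that a machine received both files.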