Digital signatures are common in many forms of legal documents and contracts. This one is a small screen version of the original, but its use is widespread.
The problem is that the digital signature is one of those things that can be easy to just copy and paste into a document. A digital signature is a signature that is not from the document’s author, but rather an algorithm that was developed to ensure that the document was authentic. This is made possible by the fact that the information in the document is already digitally stored. The signature is a digital hash of the document that makes it much more difficult to modify the document.
For a while, signature PDFs were a thing for many. The problem with a signature PDF is that it can easily be copied and pasted into another document's file. It can also be easily edited by anyone with access to the original PDF. Now, the digital signature PDF is not as easy to just copy and paste into a document.
This is due to the fact that PDF is a “compressed” format, meaning that in PDF files, information is not stored as it is in a native document. This makes it much more difficult to modify the document that is created by adding, removing or changing information. Adding a signature to a document is even more difficult since the signature would need to be the very same hash as the original document.
So what does this mean for a user? If you already have a PDF file that you would like to add a signature to, you could easily do so by using Ghostscript to write a new document with the same signature. However, this would require that the original PDF document is still around so you could use it to sign a new document, if needed.
The first step is to create a new PDF using a signature that is the exact same hash as the original, because if you try to sign a document that already has a signature, the signature would need to be the exact same hash as the original.
It is also possible to add a signature, but this involves using something like Ghostscript and also requires that the original file is still around. You could still sign a new document, but it would need to be created with the exact same signature hash as the original.
This trick seems like it works, but the thing is that if it does, it’s just not good enough to stop file-rights violations. If you sign a document that already has a signature, you don’t get to use the same signature hash for the new document. It’s like signing a check and then trying to use the same signature on an insurance claim.
That last part is a good point, but a real security issue is that people would use the same signature hash to sign a new document that is signed by someone else as their signature, and then try to convince the bank to allow them to use that signature to sign a new deal. There’s even a name for it: signature-swap.
But really, there was a time when you had to get the same signature hash to sign a new document. In 2005, the United States government was in the process of implementing a new system of digital signatures on the internet. The system would have been used to protect documents like contracts. Now, it’s used to protect documents like emails and bank transactions.