Can you help to check whether my digitally-signed PDF file conforms to the PAdES-LTA standard? #25

Open
DanielXiao2018 opened this issue Sep 27, 2021 · 1 comment

@DanielXiao2018

Dear Developer Team,

Just now I was using your Signatures-Conformance-Checker tool to check whether a digitally-signed PDF document (please refer to the attached PDF file BlankPage_20210923154027860_DigitalSignature.pdf) conforms to the PAdES-LTA standard.

According to the full test reports, my PDF document is listed under the "PAdES-signature-1" signature.
Under the specification "ETSI EN 319 142-1 v1.1.1 Building Blocks and Baseline", my PDF document had 1 of 54 items fail; the details of the full report are shown in the attached TXT file (sorry, uploading the HTML format is not supported) "Full Report Details ETSI EN 319 142-1 v1.1.1 Building Blocks and Baseline.txt".
Under the specification "ETSI EN 319 142-2 v1.1.1 Additional PAdES signatures profiles", my PDF document had 3 of 54 items fail; the details of the full report are shown in the attached TXT file "Full Report Details ETSI EN 319 142-2 v1.1.1 Additional PAdES signatures profiles.txt".

Full Report Details ETSI EN 319 142-1 v1.1.1 Building Blocks and Baseline.txt
Full Report Details ETSI EN 319 142-2 v1.1.1 Additional PAdES signatures profiles.txt

Please kindly help me to evaluate whether our digital signature solution has conformed to the PAdES-LTA standard? If not yet, how can we make improvement?

Thank you very much for any help.

Rgds,
Daniel

BlankPage_20210923154027860_DigitalSignature.pdf

@mkl-public

First of all, you mixed up your outputs: "Full Report Details ETSI EN 319 142-1 v1.1.1 Building Blocks and Baseline.txt" contains the 319142-2 check output and "Full Report Details ETSI EN 319 142-2 v1.1.1 Additional PAdES signatures profiles.txt" contains the 319142-1 check output.

> Please kindly help me to evaluate whether our digital signature solution has conformed to the PAdES-LTA standard? If not yet, how can we make improvement?

Let's assume by PAdES-LTA you mean PAdES baseline signature level B-LTA. (Because if you mean what some validators call PKCS7-LTA, we'd first need to get to a common understanding of those PKCS7-* levels...)

To be B-LTA, your signature must at least fulfill the base level B-B requirements. In this regard the 319142-1 check already found 3 errors:

  • Wrong SubFilter: You use the SubFilter adbe.pkcs7.detached but a PAdES baseline signature must use ETSI.CAdES.detached.
  • Use of signingTime attribute: You use a signed signingTime attribute in your embedded CMS signature container but this is explicitly forbidden for PAdES baseline signatures.
  • Missing ESS certificate ID attribute: You have neither an ESSCertID nor an ESSCertIDv2 signed attribute. PAdES baseline signatures must have one of them, matching the digest algorithm used in signing.

After fixing these issues you are likely to have a B-B type. To get a B-LTA type, you have to extend your signed PDF

  • to B-T first by adding a time stamp; this may be a signature time stamp in the CMS signature container or a document time stamp in a new revision;
  • to B-LT next by adding a new revision with all validation related information necessary to validate the signature and the timestamp;
  • to B-LTA finally by adding another time stamp; this time it must be a document time stamp.
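
The three B-B points listed in the comment above can be checked mechanically. The following is an added example, not part of the original thread and not the checker tool's code: it reads the attribute type OIDs from a DER-encoded signedAttrs SET and flags the wrong SubFilter, a signed signingTime, and a missing ESS certificate ID (presence only; it does not compare digest algorithms). Function names are hypothetical and the sample bytes are constructed.

```python
# Added example with hypothetical names; AS_REPORTED / AFTER_FIX are constructed signedAttrs.
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"
OID_ESS_CERT_ID = "1.2.840.113549.1.9.16.2.12"
OID_ESS_CERT_ID_V2 = "1.2.840.113549.1.9.16.2.47"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signed_attr_oids(signed_attrs_der):
    """List the attribute type OIDs in a DER SET OF Attribute."""
    _, body, _ = read_tlv(signed_attrs_der, 0)
    oids, pos = [], 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)             # one Attribute SEQUENCE
        oids.append(decode_oid(read_tlv(attr, 0)[1]))  # its attrType OID
    return oids

def check_b_b(sub_filter, signed_attrs_der):
    """Return which of the three B-B points from the comment are violated."""
    oids, findings = signed_attr_oids(signed_attrs_der), []
    if sub_filter != "ETSI.CAdES.detached":
        findings.append("wrong SubFilter")
    if OID_SIGNING_TIME in oids:
        findings.append("signingTime present")
    if OID_ESS_CERT_ID not in oids and OID_ESS_CERT_ID_V2 not in oids:
        findings.append("no ESS certificate ID")
    return findings

CONTENT_TYPE = "301806092A864886F70D010903310B06092A864886F70D010701"
AS_REPORTED = bytes.fromhex("3138" + CONTENT_TYPE  # contentType + signingTime
    + "301C06092A864886F70D010905310F170D3231303932333037343032375A")
AFTER_FIX = bytes.fromhex("312D" + CONTENT_TYPE  # + signing-certificate-v2, empty value
    + "3011060B2A864886F70D010910022F31023000")
```

`check_b_b("adbe.pkcs7.detached", AS_REPORTED)` reports all three findings, while `check_b_b("ETSI.CAdES.detached", AFTER_FIX)` returns an empty list.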
