Document:: Signatures:: DefaultHandler
This is the default signing handler which provides the ability to sign a document with the adbe.pkcs7.detached or ETSI.CAdES.detached algorithms. It is registered under the :default name.
The signing handler is used by default by all methods that need a signing handler. Therefore it is usually only necessary to provide the actual attribute values.
This handler provides two ways to create the PKCS#7 signed-data structure required by
By providing the signing certificate together with the signing key and the certificate chain. This way
HexaPDFitself does the signing. It is the preferred way if all the needed information is available.
By using an external signing mechanism. Here the actual signing happens “outside” of
HexaPDF, for example, in custom code or even asynchronously. This is needed in case the signing certificate plus key are not directly available but only an interface to them (e.g. when dealing with a HSM).
Assign a callable object to
external_signing. If the signing process needs to be asynchronous, make sure to set the
signature_sizeappropriately, return an empty string during signing and later use
Signatures.embed_signatureto embed the actual signature.
Optionally setting the reason, location and contact information.
Making the signature a certification signature by applying the DocMDP transform method.
# Signing using certificate + key document.sign("output.pdf", certificate: my_cert, key: my_key, certificate_chain: my_chain) # Signing using an external mechanism: signing_proc = lambda do |io, byte_range| io.pos = byte_range data = io.read(byte_range) io.pos = byte_range data << io.read(byte_range) signing_service.pkcs7_sign(data) end document.sign("output.pdf", signature_size: 10_000, external_signing: signing_proc)
This class also serves as an example on how to create a custom handler: The public methods
sign are used by the digital signature algorithm. See their descriptions for details.
Once a custom signing handler has been created, it can be registered under the 'signature.signing_handler' configuration option for easy use. It has to take keyword arguments in its initialize method to be compatible with the
The certificate with which to sign the PDF.
The certificate chain that should be embedded in the PDF; normally contains all certificates up to the root certificate.
The contact information. If used, will be set on the signature object.
The DocMDP permissions that should be set on the document.
The signing location. If used, will be set on the signature object.
The reason for signing. If used, will be set on the signature object.
The size of the serialized signature that should be reserved.
If this attribute has not been set, an empty string will be signed using
sign to determine the signature size.
The size needs to be at least as big as the final signature, otherwise signing results in an error.
The type of signature to be written (i.e. the value of the /SubFilter key).
The value can either be :adobe (the default; uses a detached PKCS7 signature) or :etsi (uses an ETSI CAdES compatible signature).
Public Class Methods
Public Instance Methods
Sets the DocMDP permissions that should be applied to the document.
Valid values for
Don't set any DocMDP permissions (default).
No changes whatsoever are allowed.
Only filling in forms and signing are allowed.
Only filling in forms, signing and annotation creation/deletion/modification are allowed.
Finalizes the signature field as well as the signature dictionary before writing.
Returns the DER serialized OpenSSL::PKCS7 structure containing the signature for the given IO byte ranges.
byte_range argument is an array containing four numbers [offset1, length1, offset2, length2]. The offset numbers are byte positions in the
io argument and the to-be-signed data can be determined by reading length bytes at the offsets.