Issue: PyHanko - The signer's certificate could not be validated

[mfjclover]

I am encountering an issue with PyHanko where the signer's certificate could not be validated. Despite ensuring that the private key and certificate match, and including the necessary root and intermediate certificates, the validation process fails. Below are the steps I followed and the error details.

Steps to Reproduce:
Set up the PyHanko configuration (pyhanko.yml) with the root and intermediate certificates.
Load the PFX file and verify the private key and certificate match.
Attempt to add a signature field and sign the PDF using PyHanko.

pyhanko.yml
validation-context: trust: - path: C:/Users/Desktop/AC_Raiz_FNMT-RCM_SHA256.pem - path: C:/Users/Desktop/ACREP.pem trust-replace: true

main.py

`import os
import subprocess
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

Set environment variable for pyhanko

os.environ['PYHANKO_CONFIG'] = 'C:/Users/PycharmProjects/pythonProject/pyhanko.yml'

def verify_pfx_content(pfx_path, pfx_password):
with open(pfx_path, 'rb') as pfx_file:
pfx_data = pfx_file.read()

private_key, certificate, additional_certificates = pkcs12.load_key_and_certificates(
    pfx_data, pfx_password.encode(), backend=default_backend()
)

if not private_key or not certificate:
    print("Error: Unable to load the private key or certificate from the PFX file.")
    return False

# Verify the private key matches the certificate
try:
    certificate.public_key().verify(
        private_key.sign(
            b"Test",
            padding.PKCS1v15(),
            hashes.SHA256()
        ),
        b"Test",
        padding.PKCS1v15(),
        hashes.SHA256()
    )
    print("Verification successful: The private key matches the certificate.")
except Exception as e:
    print(f"Error: The private key does not match the certificate. Details: {e}")
    return False

return True

def create_signature_field(input_pdf_path, output_pdf_path):
command = [
'pyhanko', 'sign', 'addfields', '--field', '-1/100,100,200,150/Sig1',
input_pdf_path, output_pdf_path
]
result = subprocess.run(command, capture_output=True, text=True)
print("Output for create_signature_field:")
print(result.stdout)
print(result.stderr)
result.check_returncode()

def sign_pdf(input_pdf_path, output_pdf_path, pfx_path, pfx_password):
if not verify_pfx_content(pfx_path, pfx_password):
print("Error: Verification of the PFX content failed.")
return

with open('pass.txt', 'w') as pass_file:
    pass_file.write(pfx_password)

command = [
    'pyhanko', 'sign', 'addsig', '--field', 'Sig1', '--use-pades', '--with-validation-info', '--no-strict-syntax',
    'pkcs12', input_pdf_path, output_pdf_path, pfx_path, '--passfile', 'pass.txt'
]
result = subprocess.run(command, capture_output=True, text=True)
print("Output for sign_pdf:")
print(result.stdout)
print(result.stderr)
if result.returncode != 0:
    print("Error: Command failed with return code", result.returncode)
    print("Stdout:", result.stdout)
    print("Stderr:", result.stderr)
result.check_returncode()

os.remove('pass.txt')

Define file paths

input_pdf_path = 'C:/Users/Desktop/01.pdf'
temp_pdf_with_field = 'C:/Users/Desktop/temp_with_field.pdf'
output_pdf_path = 'C:/Users/Desktop/signed_output.pdf'
pfx_path = 'C:/Users/Desktop/2025.pfx'
pfx_password = 'password'

Create signature field

print("Creating signature field...")
create_signature_field(input_pdf_path, temp_pdf_with_field)

Sign the PDF
print("Signing PDF...")
sign_pdf(temp_pdf_with_field, output_pdf_path, pfx_path, pfx_password)`

OUTPUT
PYHANKO_CONFIG: C:/Users/PycharmProjects/pythonProject/pyhanko.yml
Creating signature field...
Output for create_signature_field:

Signing PDF...
Verificación exitosa: La clave privada coincide con el certificado.
Certificado adicional encontrado: <Name(C=ES,O=FNMT-RCM,OU=CERES,CN=AC Representación)>
Certificado adicional encontrado: <Name(C=ES,O=FNMT-RCM,OU=AC RAIZ FNMT-RCM)>
Traceback (most recent call last):
File "C:\Users\PycharmProjects\pythonProject\main.py", line 105, in
sign_pdf(temp_pdf_with_field, output_pdf_path, pfx_path, pfx_password)
File "C:\Users\PycharmProjects\pythonProject\main.py", line 87, in sign_pdf
result.check_returncode()
File "C:\Python311\Lib\subprocess.py", line 502, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['pyhanko', 'sign', 'addsig', '--field', 'Sig1', '--use-pades', '--with-validation-info', '--no-strict-syntax', 'pkcs12', 'C:/Users/Desktop/temp_with_field.pdf', 'C:/Users/Desktop/signed_output.pdf', 'C:/Users/Desktop/2025.pfx', '--passfile', 'pass.txt']' returned non-zero exit status 1.
Output for sign_pdf:

2024-07-17 16:38:19,387 - cli - ERROR - Error raised while producing signed file: The signer's certificate could not be validated
Error: Error raised while producing signed file: The signer's certificate could not be validated

Error: Command failed with return code 1
Stdout:
Stderr: 2024-07-17 16:38:19,387 - cli - ERROR - Error raised while producing signed file: The signer's certificate could not be validated
Error: Error raised while producing signed file: The signer's certificate could not be validated

Questions:
Are there any additional certificates required that I might be missing?
Is there an issue with how the validation context is configured in pyhanko.yml?
Are there any specific logs or debug steps I can take to further isolate this issue?
Any insights or suggestions to resolve this issue would be greatly appreciated. Thank you!

[MatthiasValvekens]

It's a bit of a mystery to me why you're invoking the pyHanko CLI from Python in a subprocess, but you do you ;)

Anyway, the reason for why this doesn't work is probably pretty pedestrian: the way validation info embedding is done in pyHanko is by running a full validation process and storing the info that was collected along the way. In particular, if the trust root(s) you want to use as the anchor point for this are not already part of your system trust list, you need to ensure that you pass the appropriate root certificate(s) into the validation context. For the CLI, this is done using --trust and friends, see the docs.