LlosLab Software Development BlogEngineering notes for PDF, Delphi, and document software developers.

Техническая статья

HotPDF: digital signatures and PAdES-ready signing in Delphi

Программирование PDF

HotPDF — нативная VCL PDF-библиотека для приложений Delphi и C++Builder, которым нужны прямое создание и редактирование PDF, формы, аннотации, шифрование, цифровые подписи, Unicode-шрифты, вывод с учетом стандартов и preflight-отчеты без внешнего PDF-runtime.

Эта статья предназначена для Delphi teams adding certificate-based approval, invoice signing, or long-term validation evidence. Она рассматривает digital signatures and PAdES-ready signing как промышленную инженерию документов, а не как одиночный вызов компонента.

Практический риск состоит в том, что a PDF may contain a visible signature box while the byte range, certificate chain, timestamp, revocation data, or later incremental update invalidates trust. Поэтому процессу нужны письменный контракт, наблюдаемая диагностика и реалистичные регрессионные файлы.

Архитектурные решения

Design signing as a revision-controlled workflow. certificate source, private-key boundary, and operator approval process / timestamp authority, revocation source, and long-term validation profile

  • certificate source, private-key boundary, and operator approval process
  • timestamp authority, revocation source, and long-term validation profile
  • visible signature appearance, signer reason, contact, and location fields
  • whether later annotations, forms, or metadata updates are allowed after signing

Порядок реализации

Prepare evidence before reserving the signature field. The order below keeps the workflow reviewable for Delphi and C++Builder teams.

  1. freeze the document content and preflight it before signature reservation
  2. load certificate material from the approved key store or signing service
  3. reserve the signature field and byte range with enough space for the final value
  4. apply timestamp and revocation data according to the selected PAdES profile
  5. verify the final file in at least one independent validator before release

Доказательства проверки

Signature evidence worth keeping. Keep these fields with the output or support record.

  • signer certificate fingerprint, chain status, timestamp result, and revocation source
  • signature byte range, digest algorithm, PAdES profile, and validation summary
  • document hash before signing and final hash after the signed revision is saved
  • policy decision for any warning that did not block the signature

PAdES is a lifecycle, not only a signature

PAdES-ready output needs deterministic document bytes, a verified certificate context, timestamp policy, revocation evidence, and a save strategy that does not alter signed byte ranges after the signature is applied.

Profile ownership and versioning

A named, versioned profile is easier to review than options scattered across forms, scripts, and batch parameters. It also makes support reports readable when customers use older templates or policies.

  • certificate source, private-key boundary, and operator approval process
  • timestamp authority, revocation source, and long-term validation profile
  • visible signature appearance, signer reason, contact, and location fields
  • whether later annotations, forms, or metadata updates are allowed after signing
  • signer certificate fingerprint, chain status, timestamp result, and revocation source
  • signature byte range, digest algorithm, PAdES profile, and validation summary

Engineering review notes for digital signatures and PAdES-ready signing

Use these review notes to make sure the feature has moved beyond a demo and can be defended during release, support, and customer escalation.

  • Decision: certificate source, private-key boundary, and operator approval process. Implementation pressure point: load certificate material from the approved key store or signing service. Acceptance evidence: document hash before signing and final hash after the signed revision is saved. Regression trigger: timestamp and revocation services need timeout and retry policies
  • Decision: timestamp authority, revocation source, and long-term validation profile. Implementation pressure point: reserve the signature field and byte range with enough space for the final value. Acceptance evidence: policy decision for any warning that did not block the signature. Regression trigger: editing metadata or form values after signing can invalidate the signed revision
  • Decision: visible signature appearance, signer reason, contact, and location fields. Implementation pressure point: apply timestamp and revocation data according to the selected PAdES profile. Acceptance evidence: signer certificate fingerprint, chain status, timestamp result, and revocation source. Regression trigger: certificate chain checks can pass on a developer machine but fail offline
  • Decision: whether later annotations, forms, or metadata updates are allowed after signing. Implementation pressure point: verify the final file in at least one independent validator before release. Acceptance evidence: signature byte range, digest algorithm, PAdES profile, and validation summary. Regression trigger: visible appearance text should not be treated as cryptographic evidence
  • Decision: certificate source, private-key boundary, and operator approval process. Implementation pressure point: freeze the document content and preflight it before signature reservation. Acceptance evidence: document hash before signing and final hash after the signed revision is saved. Regression trigger: timestamp and revocation services need timeout and retry policies

Пограничные случаи

  • editing metadata or form values after signing can invalidate the signed revision
  • certificate chain checks can pass on a developer machine but fail offline
  • visible appearance text should not be treated as cryptographic evidence
  • timestamp and revocation services need timeout and retry policies

Delphi / C++Builder notes

HotPDF Component should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. Important terms include PAdES, digital signature, byte range, timestamp, DSS, revocation.

Пример кода Delphi

Следующий эскиз Delphi показывает практическую границу сервиса для этой темы. Оставляйте проверки политики, журналирование и валидацию вне узкого блока вызова продукта, чтобы сценарий было проще тестировать.

procedure SignApprovedPdf(const InputFile, OutputFile: string; const Policy: TSignaturePolicy);
var
  Pdf: THotPDF;
begin
  Pdf := THotPDF.Create(nil);
  try
    LoadUnsignedPackage(Pdf, InputFile);
    CheckSigningPolicy(Policy);
    AttachPadesEvidence(Pdf, Policy.Certificate, Policy.TimestampServer);
    SaveSignedPackage(Pdf, OutputFile);
    ValidateSignatureChain(OutputFile, Policy.TrustAnchors);
  finally
    Pdf.Free;
  end;
end;

Производственный чек-лист

  • Run the workflow on an empty file, a normal customer file, and a worst-case file
  • Open the generated PDF with the target viewer, validator, printer, or downstream application
  • Log product version, profile version, input hash, output path, elapsed time, and warning count
  • Keep passwords, certificates, temporary files, and customer data under explicit retention rules
  • Add regression documents when a customer file exposes a new edge case

Product documentation

HotPDF Component