Digitally signed PDF issues

As the MWJ reboot gets ever closer, we’re reminded today that when some of you open PDF issues of MDJ or MWJ in Adobe Acrobat or Adobe Reader (or Adobe Acrobat Reader – perhaps the next version will be called “Acrobat Acrobat Adobe Reader Adobe Adobe Read Reader”), you see dialog boxes like this one:

Although the Language is stilted, and Nouns are strangely capitalized, the first Sentence is the one you want:

The Digital Signature that was used to Certify this document shows that the document has not been tampered with, though the author’s Certificate could not be verified.

Our setext issues are digitally signed using industry-standard and mostly-open PGP technology. Long, long ago, we used PGP to digitally sign PDF issues of MDJ and MWJ as well, so readers who care could verify that their copy of the issue had not been modified, not by a single bit, since we signed and sent it.

However, we stopped using PGP to sign PDF files in the early 21st century when Adobe built digital signatures into Acrobat, because that way the file can contain its own digital signature. With PGP, we had to sign the issue as a file, producing a separate “.pdf.sig” file that had to accompany the PDF file in distribution.

Digital signatures use public-key cryptography, so verifying one requires the signer’s public key: the verifier uses that key to check that the signature matches the document. The PGP keys we use to sign issues are on PGP’s keyservers as well as here on our own Web site. For Acrobat, we created a signing key in July 2002, and we make that available to you here. Download, unstuff, and open the “.fdf” file; Acrobat should launch and ask you to import the certificate, as well as whether you trust it or not. You can find more information about sharing Acrobat certificates and security settings here.

We’re updating this information today for two reasons:

  1. Due to the traditional problem with relative and absolute URLs, the link to the FDF file on our keys page was incorrect until today.

  2. The MD5 and SHA1 fingerprints for the FDF file, as posted, weren’t easy to verify with current versions of Mac OS X (we don’t even quite remember how they were generated back in 2002). To solve the identity problem, we’ve moved the file to our secure server. As long as our SSL certificate is current, your browser verifies that it’s getting the FDF file from our secure server as part of the transaction, so you know it came from us.
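An added example, not part of the original post or our own tooling: one way to check a downloaded file against a posted MD5 or SHA1 fingerprint, whether it was published as bare hex, colon-separated bytes or spaced groups. It assumes the fingerprint is a digest of the file's bytes; the function names and the sample bytes are made up for illustration.

```python
import hashlib
import hmac
import string

# Hex length of a fingerprint -> algorithm, for the two types mentioned above.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}


def normalize_fingerprint(published: str) -> str:
    """Drop the colons, spaces, dashes and case differences fingerprints are
    commonly posted with, and return bare lowercase hex."""
    cleaned = "".join(ch for ch in published if ch not in ": \t\n-").lower()
    if not cleaned or any(ch not in string.hexdigits for ch in cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def check_fingerprint(data: bytes, published: str) -> tuple[str, bool]:
    """Return (algorithm, matches) for file bytes against a posted fingerprint."""
    want = normalize_fingerprint(published)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None:
        # Refuse truncated or padded values instead of guessing an algorithm.
        raise ValueError(f"unexpected fingerprint length: {len(want)} hex chars")
    got = hashlib.new(algo, data).hexdigest()
    return algo, hmac.compare_digest(got, want)


def check_file(path: str, published: str) -> tuple[str, bool]:
    """Same check, reading the downloaded file from disk."""
    with open(path, "rb") as fh:
        return check_fingerprint(fh.read(), published)


if __name__ == "__main__":
    # Constructed sample bytes standing in for a download (not the real FDF).
    sample = b"constructed sample, not the real FDF file\n"
    sha1 = hashlib.sha1(sample).hexdigest().upper()
    posted = ":".join(sha1[i:i + 2] for i in range(0, len(sha1), 2))
    print(check_fingerprint(sample, posted))         # unmodified copy
    print(check_fingerprint(sample + b"x", posted))  # one extra byte
```

A match only shows the file is the one the fingerprint was computed from, so the fingerprint itself has to come from a source you already trust.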

Sorry for any inconvenience the missing FDF file may have caused. Let us know if you have further questions on MDJ or MWJ digital signatures.