Documentation menu

Language

PythonJava.NETNode.jsPHP

Certification & field locking

Certification (DocMDP)

A certifying signature declares which later changes are allowed. Usecertify= on the first signature:

certify.py
from atick import Certify

atick.sign_pfx(pdf, certify=Certify.NO_CHANGES, ...)               # P=1 - no changes at all
atick.sign_pfx(pdf, certify=Certify.FORM_FILLING, ...)             # P=2 - form filling + signing
atick.sign_pfx(pdf, certify=Certify.FORM_FILLING_ANNOTATIONS, ...) # P=3 - + annotations
atick.sign_pfx(pdf, certify=Certify.NONE, ...)                     # 0 - a normal (non-certifying) signature
LevelValueAllows
NONE0a normal approval signature (no certification)
NO_CHANGES1nothing — any later change (incl. another signature, LTV, timestamp) breaks it
FORM_FILLING2filling form fields + adding signatures
FORM_FILLING_ANNOTATIONS3the above + annotations
NO_CHANGES (P=1) forbids everything afterwards — so it cannot be combined with later LTV, document timestamps, or extra approval signatures. Use it as a single, final signature. For a document that will gather more signatures, certify withFORM_FILLING / FORM_FILLING_ANNOTATIONS.

Field locking (FieldMDP)

Lock specific form fields so they cannot be changed after signing — without certifying the whole document:

lock_fields.py
atick.sign_pfx(pdf, lock_fields=["ApproverName"], ...)   # lock these fields
atick.sign_pfx(pdf, lock_fields=["*"], ...)              # lock ALL fields

If a locked field is altered after signing, the signature is reported as invalid.

Pre-sign checks

Validate the signing certificate before signing:

presign_checks.py
atick.sign_pfx(pdf, ...,
    verify=True,                                   # not expired + CRL + OCSP + not revoked
    trusted_roots=["<root SHA-1>", "<another>"],   # chain must reach one of these (built from AIA)
)

Granular checks

Instead of the all-in-one verify=True (which runs every check and refuses to sign on failure), you can switch on the individual checks:

  • verify_expiry=True — refuse to sign if the signing certificate has expired or is not yet valid.
  • verify_crl=True — pre-sign CRL revocation check (refuse if the certificate is revoked).
  • verify_ocsp=True — pre-sign OCSP revocation check.
  • trusted_roots=[der, ...] — extra trusted root certificates (DER bytes) used by the checks when building the chain.
presign_granular.py
atick.sign_pfx(pdf, pfx, pw, style=..., placements=...,
    verify_expiry=True,    # refuse if expired / not yet valid
    verify_crl=True,       # refuse if revoked (CRL)
    verify_ocsp=True,      # refuse if revoked (OCSP)
)

Any check that fails raises atick.AtickError before the document is touched.

Next page →