BUG: EUTL corrupted by default
If addressbook.acrodata is generated by updating the Adobe Approved Trust List (AATL), EUTL will be corrupted. The default behavior of Adobe Reader when opening a signed document for the first time is to prompt for an update of AATL. This causes EUTL to stop working and can only be solved by deleting addressbook.acrodata and updating EUTL and AATL in the correct order.
Steps to reproduce the issue:
1. Install Adobe Acrobat Reader DC
2. Open a document signed with an EUTL certificate.
3. Accept the prompt for Trust Certificates Update.
Environment:
Freshly installed clean VM with Windows 10 20H2 (19042.985)
Adobe Acrobat Reader DC 2021.001.20155
Expected result:
Signature certificate is checked against both AATL and EUTL. Certificate marked as valid.
Observed result:
Signature certificate is checked against AATL only. This marks the certificate as invalid.
This does not change after manually updating EUTL.
The current workaround I have found is the following:
- Close Adobe Reader
- Delete addressbook.acrodata from C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\DC\Security
- Launch Adobe Reader and go to Edit > Preferences > Trust Manager
- Update the EUTL list and wait for the confirmation message. If you do AATL first, addressbook.acrodata becomes corrupted and needs to be deleted again.
- Update the AATL list.
- Open or refresh the signed document. Both the certificate and the signature are now marked as valid, and the signature panel shows that the certificate is validated against both AATL and EUTL.
This can be repeated several times and the result is always the same.
Updating AATL first = EUTL stops working.
Updating EUTL first = EUTL works.
I have also posted the workaround in the Adobe Support Community:
https://community.adobe.com/t5/acrobat-reader/reader-will-not-validate-eu-qualified-signature-after-update/m-p/10813696
-
Marian Ďurkovič commented
The problem here is that the certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical.
When you first load EUTL, addressbook.acrodata contains:
/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/
and the signature is verified according to EUTL.
However, the default is to load AATL first, which results in addressbook.acrodata containing:
/Editable true/ID ..../Source[(AATL)(EUTL)]/
and the signature fails verification with "Invalid policy constraint".
-
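The two addressbook.acrodata fragments quoted in the comment above differ in the order of the /Source array, and that order is what the comment ties to the failed verification. The following is an added example (not code from the thread or from Adobe) of a small check that parses an entry in the quoted fragment syntax and flags the AATL-before-EUTL ordering. It assumes only the syntax visible in the two fragments; the real file format is Adobe's own, the sample entries are constructed, and the /ID value (elided as "...." on the page) is replaced with a labelled placeholder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample entries, modelled on the two addressbook.acrodata fragments quoted
# in the comment above. Only that fragment syntax is assumed; the /ID value is a placeholder.
SAMPLE_EUTL_FIRST = "/Country(CZ)/Editable true/Enabled true/ID(placeholder-id)/Source[(EUTL)(AATL)]/"
SAMPLE_AATL_FIRST = "/Editable true/ID(placeholder-id)/Source[(AATL)(EUTL)]/"

# /Source[...] holds one or more parenthesised trust-list names, e.g. (EUTL)(AATL)
_SOURCE_RE = re.compile(r"/Source\s*\[((?:\s*\([^)]*\))*)\s*\]")
_NAME_RE = re.compile(r"\(([^)]*)\)")
# Boolean fields appear as "/Name true" or "/Name false"
_BOOL_RE = re.compile(r"/(\w+)\s+(true|false)\b")


@dataclass
class EntryCheck:
    sources: list[str]      # trust lists in the order the entry records them
    enabled: bool | None    # value of /Enabled, or None if the field is absent
    verdict: str            # "ok", "aatl-before-eutl" or "not-dual-listed"


def source_order(entry: str) -> list[str]:
    """Return the trust-list names in the order they appear in the entry's /Source array."""
    m = _SOURCE_RE.search(entry)
    return _NAME_RE.findall(m.group(1)) if m else []


def bool_fields(entry: str) -> dict[str, bool]:
    """Collect the boolean fields (/Editable, /Enabled, ...) of one entry."""
    return {name: value == "true" for name, value in _BOOL_RE.findall(entry)}


def check_entry(entry: str) -> EntryCheck:
    """Classify one entry by the order of its /Source array.

    AATL listed before EUTL is the state the comment associates with the
    "Invalid policy constraint" failure; EUTL first is the working state.
    """
    sources = source_order(entry)
    enabled = bool_fields(entry).get("Enabled")
    if "AATL" in sources and "EUTL" in sources:
        if sources.index("AATL") < sources.index("EUTL"):
            verdict = "aatl-before-eutl"
        else:
            verdict = "ok"
    else:
        verdict = "not-dual-listed"
    return EntryCheck(sources, enabled, verdict)


def suspect_entries(entries: list[str]) -> list[str]:
    """Return the entries whose /Source order indicates the broken AATL-first state."""
    return [e for e in entries if check_entry(e).verdict == "aatl-before-eutl"]


if __name__ == "__main__":
    for sample in (SAMPLE_EUTL_FIRST, SAMPLE_AATL_FIRST):
        print(check_entry(sample))
```

The check deliberately looks only at the /Source order and the presence of /Enabled, because those are the only differences the quoted fragments show; it does not attempt to parse the rest of the file, and a "not-dual-listed" verdict simply means the entry is not the dual-registration case the comment describes.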
Ronald T Blankenship commented
Thanks for this post, it helped with an Acrobat issue I was having with a customer!