Digital Signature Support in InfoPath 2010

Hi, this is Gergely Kota, a developer on the InfoPath team. Digitally signing data when filling out a form makes the data tamper-proof, authenticates its signer, and is a key component of trusting form data. In this post, I’d like to share the improvements that have been made to digital signature support in InfoPath 2010. InfoPath 2010 allows you to make more secure signatures with improved cryptographic algorithms and makes long-term storage of signed forms more robust by supporting 3rd-party time stamping. This post describes these improvements and shows you how to strengthen any signature created in InfoPath 2010 Filler. For a primer on digital signatures, read an Introduction to Digital Signatures in InfoPath.

Note - Data signing should not be confused with code/template signing , which remains unchanged.

Signature Security

Digital signatures are only as secure as the cryptographic algorithms they use to ensure signed data hasn't been tampered with. InfoPath 2007 and 2003 support RSA or DSA for signing and SHA1 for hashing. Though a combination of RSA and SHA1 is considered secure for now, algorithms become exposed to attack over time and are eventually rendered obsolete. If either the signing or hashing algorithm is cracked or compromised, the integrity of the signature can no longer be verified. InfoPath 2010 enables you to address these concerns by supporting newer, more secure, ECC signing and SHA-2 family of hashing algorithms.

Signing with a particular algorithm

When creating a signature, a user may sign with one of potentially many certificates installed on their machine. The signature algorithm is determined by the chosen digital certificate. To determine the algorithm:

1. Begin the signing process
2. Change your signing certificate
3. Highlight desired certificate and click View Certificate 
4. Look at the Public key field under the Details tab

Administrator Settings: Hashing algorithms

By default, InfoPath 2010 hashes signature data using SHA1. This is done to maintain backwards compatibility with InfoPath 2007 and InfoPath 2003. InfoPath 2010 also supports the SHA2 family of hashing algorithms. If backwards compatibility is not a concern, an administrator can set the hashing algorithm in the registry.

HKCU\Software\Microsoft\Office\14.0\Common\Signatures\SignatureHashAlg
Value	Description
“sha1” (default)	SHA1 hash algorithm
“sha256”	SHA256 hash algorithm
“sha384”	SHA384 hash algorithm
“sha512”	SHA512 hash algorithm

Signing and Hashing Algorithm Compatibility

The following table shows which versions of InfoPath are able to sign and/or verify signatures with the given combinations of signing and hashing algorithms:

Long-term Signature Support

Certificates guarantee the identity of the signer, but expire after a while. This is to reduce the time attackers have to deduce an associated private key (which would allow them to impersonate a signer) and to limit the shelf-life of a compromised certificate. Certificates may also be revoked if they are taken out of commission before their expiration date. If the certificate used to create a signature is now expired or revoked, we should be cautious of whether the signed data is valid or not unless we can verify that the data was signed while the certificate was still valid. This poses an impending problem because all certificates expire (often in a year!), and we would require a trusted timestamp to confirm when the signature was created. Without such a trusted timestamp, InfoPath will show the signature as invalid, with the reason in the Signature Details dialog:

This can be especially problematic, for example, for a printed copy of the form which would show an invalid signature, and there would be no way to verify why. InfoPath 2010 adds support for XML Advanced Electronic Signature (XAdES), which allows for adding a trusted timestamp that can be used to resolve when the signature was added relative to the signing certificate's expiration and/or revocation time (see a detailed discussion of XAdES in Microsoft Office for details and level options). If such a timestamp exists and confirms that the signature was made when the signing certificate was valid, InfoPath can safely conclude that the signature is entirely valid:

Server Support

InfoPath 2010 Forms Services signs forms using RSA and SHA1, and is able to verify any signature created in the InfoPath 2010 client. XAdES is a client-only feature.

Final Word

By leveraging the security improvements and time-stamping support described in this post, you are increasing the strength and longevity of your signatures. Happy signing!

Gergely, InfoPath dev

Comments

• Anonymous
  July 25, 2010
  Hi Gergely, Very useful post there. Would like to ask, how about browser forms that are uploaded to SharePoint? Is it still possible to sign?

• Anonymous
  July 26, 2010
  Signing is supported in the browser as well, however the enhancements for 2010 are for client only. Forms signed with other algorithms in the client and opened in the browser will be validated properly, but you can only apply a signature using RSA+SHA1 in the browser.

• Anonymous
  July 26, 2010
  Thanks Gergely for your prompt response. Would you be able to point me to any guides or more details on dig sig in SharePoint browser forms (or maybe as one of your blog topic?)? Since CAPI is already not supported, we hope to find an updated solution. Thanks!

• Anonymous
  July 27, 2010
  We have a lab that covers creating a form template and signing it in a web browser: msdn.microsoft.com/.../bb251748(office.12).aspx If you are looking to sign using signing/hashing algorithms other than RSA and SHA1, you have 2 options:

1. you can open the same forms from SharePoint using InfoPath client, apply the signature and save the form back to SharePoint. When you open the same form in the future in the browser, these signatures will be properly validated.
2. if you don't have InfoPath client, you could download the form from SharePoint, apply the signature using whatever solution you come up with, then upload the form back to SharePoint. As in [1], the signature will be validated when someone later opens the form in the browser as long as supported algorithms were used (see Signing and Hashing Algorithm Compatibility earlier in this post). However, you will need to exactly mimic the format of the signature applied by InfoPath.

• Anonymous
  November 01, 2010
  Hi Gergely, Your post is really a knowledge enhancer. I have developed an infopath 2010 form with some digital signature fields using optional section control. When I preview the form and click on "Click here to insert" it shows a pop up wherein I can select an image from my local drives. But the problem is when I publish the form and open in IE 8, and click on "Click here to insert" it does not give me an option to select image. Let me know if anybody is having any knowledge about this problem. I look forward to hearing from you. Thanks, Nirav.

• Anonymous
  November 02, 2010
  Signing with an inserted image is a client-only feature. IPFS is limited to text in the signature.

• Anonymous
  December 26, 2010
  Hi Gergely, Very interesting post. I would like to ask, why do I have to click on <sign> twice in order to sign my form? The first click prompt me that the data has been tamper with. And only successfully digital sign upon the second click. However, I did not make any changes to any fields in the form.

• Anonymous
  March 02, 2011
  I have two questions that I would love to have answered

1. Attached documents, are they ecrypted also, or just the link to the document
2. what does the digital signature do to the size of the signed document ?

• Anonymous
  April 21, 2011
  The comment has been removed

• Anonymous
  May 16, 2011
  Hi Gergely, Thanks for your post. I have a question that I hope you can help with. We've been using InfoPath 2007 forms with digital signatures for a while now. The forms are stored as XML in a Forms library but we've found that when we create a new form template and deploy that to the library or when we move the forms to a new library (which we need to do as part of our 2010 upgrade), all digital signatures are invalidated which is a big problem for compliance reasons. Is there a way that we can either: a) store all form data including the digital signature in a list so that we don't need a form per se to access the form data b) store the form in a read only type format (like .pdf or .xsf) so that we don't need a template to view the forms (for the auditors) I really appreciate your help. Thanks, Eduard

• Anonymous
  August 30, 2011
  Hi Gergely, I submitted this bug report about InfoPath 2010 custom digital signatures to connect.microsoft site a while ago: connect.microsoft.com/.../infopath-2010-custom-digital-signature-support-not-working Is there any hope for getting a hotfix for this? Our customers are starting to migrate from IP 2007 to 2010, and the custom digital signature support not being all there is a bit of a problem for us. Thanks!

• Anonymous
  September 23, 2011
  The comment has been removed

• Anonymous
  November 07, 2011
  An InfoPath template on Form Services opened and signed using the browser still shows me the "There is a problem with this signature" error... The certificate has expired but the time and date of the signature is valid. How come this verification is not working? Am I missing something. I have SharePoint 2010 Entreprise with InfoPath Form Services installed.

• Anonymous
  November 09, 2011
  Hi Gabriel, Your scenario is a fuzzy area of signature validation and InfoPath has chosen to go with the more strict version. The issue largely boils down to the fact that there is no trusted timestamp in the signature (which XAdES addresses, but only the client can apply, and the server does not validate). Since the timestamp can be trivially spoofed and the cert's expiration time has passed, there's "some chance" that an attacker has reverse-engineered the signer's private key and created a document to look like it has a valid signature.

• Anonymous
  December 05, 2011
  Hi, I am writing to get some help on the digital signatures used in InfoPath 2007. We have a local CA issuing certificates for users to digital sign browser enabled forms. The timestamp information etc. is all in place, but considered valid only until the certificate has not expired. Once expired, Infopath browser forms mark them as "There is a problem with this signature" and the pop-up window shows Expired Certificate. What can I do to resolve this issue since we have over 5000 forms signed and my boss is about to slit me apart!! I also tried the hotfix below, but it works only for the desktop environment. The browser enabled forms still show an error: support.microsoft.com/.../980206 Is there something I can do!! Please help me out. Regards, LogicWorm

• Anonymous
  December 05, 2011
  Hi LogicWorm, Take a look at this Knowledge Base article: Description of the Office Forms Server 2007 hotfix package (ifswfe-x-none.msp): December 14, 2010 support.microsoft.com/.../2466315 This is the equivalent fix to the one you mentioned but this is for the server. Scott

• Anonymous
  January 03, 2012
  So, if the client signs a browser-enabled form using Internet Explorer, the timestamp is not trusted? Why? If XAdES is client side, then why does Internet Explorer not implement this? I do not understand. What will happen to all the forms already signed? The signatures cannot be trusted and will fail to pass an audit? Can you advise me in what I should do now with over 500 signed forms that have a fuzzy timestamp? Thank,

• Anonymous
  January 04, 2012
  LogicWorm - Check out support.microsoft.com/.../t

• Anonymous
  January 04, 2012
  Gabriel - The timestamp is not trusted because the consumer of the signature has no guarantee about where that value came from. The untrusted timestamp is taken from the signing machine's system clock which can be set by the signer at will. The client in this case is the InfoPath client application (infopath.exe). The implementation of all the XAdES timestamping exists in the Office client applications only (and thus not in IE - also it requires configuration that a browser-based form user is unlikely to be able to do correctly). The XAdES information is added to the signed information that InfoPath would place there anyways (follow 'XAdES in Microsoft Office' link in the blog post for more info on format and config). The goal is to get a trusted timestamp of what was signed from a 3rd-party time-stamping service, thus we can later verify that the signature was created while the signing cert was valid. When a signing cert is expired, the InfoPath client will check the additional XAdES information to verify that it's fine to consider the signature valid anyways. Forms that are signed without XAdES information will eventually fail to validate due to the signing certificate's expiration. There are patches released for both the server and client to override this behavior.

• Anonymous
  January 06, 2012
  "There are patches released for both the server and client to override this behavior. " I could find a patch for InfoPath Form Services 2010.. Do you have links? Thanks,

• Anonymous
  January 06, 2012
  "There are patches released for both the server and client to override this behavior. " I could NOT find a patch for InfoPath Form Services 2010.. Do you have links? Thanks,

• Anonymous
  January 25, 2012
  I have a form in 2007 that has digital signature and it works fine form infopath 2007 to infopath 2007; however, when people try to open this form with infopath 2010, it crashes. Can you advise what is the fix for this issue? Thank you,

• Anonymous
  January 26, 2012
  Hi JC, On your machines with Office/InfoPath 2010, have you applied Service Pack 1 for Office 2010? The reason I ask is that there was an issue with the original released version where InfoPath 2010 would crash. This was resolved with a fix that was part of Service Pack 1. Scott

• Anonymous
  February 17, 2012
  I have a somewhat odd issue: when opening an Infopath document on a computer with Office 2010, a user is not able to sign the document because the "Sign" button is greyed out.  We utilize Infopath as a template for a Form Library on SharePoint 2007.  This error occurs even when opening Infopath 2007 documents, but only on computers with Office 2010; a computer on Office 2007 can still open, sign, and save Infopath documents.  Even creating a new Infopath document with Infopath Designer on a 2010 computer, without even using SharePoint, we are still unable to sign the document. After not being able to sign the document (either on your own computer or from the SharePoint) and selecting "Cancel", Infopath freezes up, displays "Not Responding" and forces you to close the program without saving. If you click "See additional information about what you are signing...", Infopath also freezes up, Infopath freezes up, displays "Not Responding" and forces you to close the program without saving.  Selecting "Change..." and selecting a different certificate gives the same result. Is there a patch, work around, or fix action that will allow users with Office 2010 to digitally sign Infopath documents?  Is it a security issue or a software issue with Office 2010? I can provide a screenshot if necessary.

• Anonymous
  February 17, 2012
  Hi Jazley21, This was an issue that was corrected with Service Pack 1 (SP1) for Office/InfoPath 2010. Please install that update and you should be good. Scott

• Anonymous
  February 29, 2012
  I've been doing this for years using a program called PDFpen, which also lets you add text to documents. For example, you can use it to fill out scanned PDF forms. With PDFpen, you can even modify text that's already there (but not scanned text). www.taxprintindia.com/digital-signature-software-mumbai-india.htm

• Anonymous
  May 27, 2012
  Can forms with digital signatures be submitted to a CRM database using the web services submit option?

• Anonymous
  March 18, 2013
  The comment has been removed

• Anonymous
  March 18, 2013
  Hi Jeanne, Assuming your area to be signed is a "section" then you can simply wrap that section within another section and then add conditional formatting to this new section that insures it is hidden until your other field has been completed. Scott

• Anonymous
  April 25, 2013
  We have recently made some minor changes to one of our InfoPath templates that uses Digital Signatures and upgraded the Forms library in SharePoint that already had a number of forms there. We now get the following warning "This form is digitally signed, but was created with an older version of the form template. This form will be upgraded to work with the new template, but this may remove its signatures. Do you want to view the signatures before upgrading?" whenever we try to open one of the existing forms (i.e. ones that existed prior to the template upgrade). If we proceed it invalidates the signatures stored in these existing forms. Can anyone suggest a solution?

• Anonymous
  August 04, 2013
  What is there about signing on the explorer?

• Anonymous
  March 13, 2014
  When using InfoPath and digital signatures with SharePoint, a Digital Signature Control Installation must take place at the user workstations.  In my environment most users are not administrators.  I've located the .cab files on the SharePoint servers but was wondering if you had instructions on how these files should be installed and where they should be located if this were to be pushed out via GPO.  Thanks.

• Anonymous
  April 09, 2015
  The comment has been removed

• Anonymous
  April 20, 2015
  I have an InfoPath 2013 form on a SharePoint 2013 site and after users enter in the required information, I digitally sign it to lock the data the users entered. The form is opened in a Browser by default. However once I sign it and the data is locked, any other user can log into SharePoint and hit the remove button next to my signature and remove it and edit the form. Is there any way to keep other users from removing my signature from an InfoPath form on a SharePoint site