Revision history for PDF-Sign 0.07 2026-4-08 - Fixed TARFLAGS --format=ustar to avoid PAX headers (CPANTS kwalitee) - POD moved back inline into Sign.pm (MetaCPAN indexing) - Separate license file - OpenSSL 4.x forward compatibility (prevent silent smime regression) - Cosmetic fixes 0.06 2026-04-07 - Fixed: Documentation typo corrections - If signature exceeds reserved space, PDF is returned unchanged with a warning instead of producing a corrupted document. - Fixed regression in PDF date string timezone offset: minutes were not wrapped in single quotes as required by PDF Reference 1.7 (Adobe, section 3.8.3) - date format D:YYYYMMDDHHmmSS+HH'mm' - Added test for PDF date format compliance regex verifies /M field format D:YYYYMMDDHHmmSS+HH'mm' including PDF string delimiters 0.05 2026-04-06 - Fixed: regression to allow Mswin32 paths in ts_query 0.04 2026-04-06 - Fixed: Calculation of Time Zone Offset for systems without %z (timegm-based: correct DST handling for all timezones, replaces the previous CET/CEST-only approach) - Pod separated from code - Checked Compatibility with deps to Perl 5.10+ - Fixed: strips non path chars from args of ts_query 0.03 2026-04-04 - Fixed: VERSION in POD corrected to 0.03 - Fixed: replaced UTF-8 em-dash with ASCII hyphen-minus in POD - Fixed: README removed stale dependency on Crypt::OpenSSL::X509 (removed in 0.01, never published) - Fixed: README removed TEST_CERT_PEM/TEST_KEY_PEM instructions, test suite now generates self-signed certificates automatically - Fixed: verify_signatures ByteRange matching rewritten to use Contents fingerprint instead of field order (fixes CMS/TSA swap) - Fixed: verify_signatures CMS verification compatible with OpenSSL 1.1.1 (CAfile extraction from embedded certificate) - Known: TSA verification via openssl ts -verify requires a full CA bundle; pass ca_bundle argument or ensure system CA store is available. Acrobat Reader performs full PAdES validation. - Known: TSA verification not available with LibreSSL (no ts -verify) - Known: CMS verification not available with LibreSSL (no cms command) 0.02 2026-04-02 - Fixed: PDFArray() and similar calls now use explicit parentheses to avoid parser ambiguity when imported at compile time - Fixed: PDF backend detection moved to BEGIN block with warn instead of die, allowing modules that do not require PDF::API2 or PDF::Builder to load PDF::Sign without fatal error - Fixed: functions requiring PDF backend (prepare_file, sign_file, prepare_ts, ts_file) replaced by informative stubs when no PDF backend is available, deferred error to call time - Fixed: Makefile.PL now exits with status 0 (NA report) when neither PDF::API2 nor PDF::Builder is installed, avoiding spurious FAIL reports on CPAN Testers (RT#174516) - Fixed: test suite skips gracefully when PDF backend or openssl is unavailable, producing SKIP instead of FAIL (RT#174516) - Fixed: openssl.cnf referenced via __FILE__-relative path in test files for consistent behavior regardless of invocation dir - Fixed: PDF backend detection in tests uses BEGIN block to anticipate compile-time loading of PDF::Sign - Fixed: duplicate comment block in verify_signatures removed - Fixed: verify_signatures temp file path separator normalized to forward slash for cross-platform consistency - Known limitation: ts_query uses shell form (not list form) to suppress openssl "Using configuration from..." stderr noise when used in CGI/Apache context; shell injection risk is accepted and documented (input is caller-controlled tmpdir path) - Fixed: ts_query sanitizes path arguments (strip double quotes) to mitigate shell injection risk in shell form invocation - Thanks to SREZIC for reporting and suggestions (RT#174516) 0.01 2026-03-29 - Initial CPAN release - prepare_file, sign_file: CMS/CAdES signature support - prepare_ts, ts_file: RFC3161 DocTimeStamp support - cms_sign: openssl cms via open() list form (no shell injection) - ts_query: openssl ts via open() list form - tsa_fetch: curl with LWP::UserAgent fallback - OpenSSL 1.x / 3.x compatibility (-cades, ETSI.CAdES.detached) - PDF::API2 or PDF::Builder backend autodetection - Cross-platform timezone handling (Linux / Windows) - Process-safe temp files (PID in filename) - PDF32000-2008 12.8.1 compliant ByteRange implementation