BFO PDF Library 2.28.1 - we broke timestamping

BFO PDF Library 2.28.1 / Report Generator 1.2.8

The release we put out 10 days ago, PDF Library 2.28, unfortunately broke the application of new Digital Signatures when those signatures contain a timestamp. This is a common codepath for many users. We've released 2.28.1 to fix it.

As this impacts the Report Generator too, we're updating that as well. Mostly, however, the fix we put in last week for the XML External Entity injection was still triggering a false positive report in the Veracode tool that triggered the original report. While unexploitable, the report was making some customers nervous. This should be fixed with this release.

How did you miss this?

Timestamped signatures used to be part of our automated regression test, but were commented out a few years ago as the Timestamp server we were using at the time was unreliable. So we missed it. Now fixed in the codebase and in the regression tests.

Any other changes?

On a much less common codepath, we also broke converting a PDF to PDF/A if that PDF has been cloned first (by calling pdf = new PDF(pdf)) and the original PDF had no XMP metadata. That's now fixed too, and we took the opportunity to re-run our mass conversion but with the additional step of cloning the PDF first, which caught a couple of changes to the PDF/A-1 profile since that was last done.

In the Report Generator, a regression in 1.2.4 caused layout to fail if an invalid font was specified, and this is now fixed too.

Summary

Mea culpa. New downloads at https://bfo.com/download as usual.