Unable to get LTV Enabled

[mayurpatil1211]

I am trying to sign a PDF by a sectigo eIDAS certificate. And I am able to sign the PDF without an issue, but the signed PDF is not LTV enabled. For that i am adding timestamper, its giving issue of validation.

root_cert = load_cert_from_pemder('root_cert.pem')
intermediate_person = load_cert_from_pemder('intermediate_person.pem')
amc_cert = load_cert_from_pemder('amc_cert.pem')
cert_file = '/home/mayur/Documents/amcrest/wesign/certs/cert-2271673745.pem'

cms_signer = signers.SimpleSigner.load_pkcs12(
    'output.pfx', 
    ca_chain_files = ('root_cert.pem','intermediate_person.pem'), passphrase=password,signature_mechanism=algos.SignedDigestAlgorithm({"algorithm": "sha512_rsa"}),)

tst_client = timestamps.HTTPTimeStamper('https://timestamp.sectigo.com/qualified?td=sha512') 


vc = ValidationContext(trust_roots=[root_cert], other_certs = chain, allow_fetching=False, algorithm_usage_policy=AcceptAllAlgorithms())


out = signers.PdfSigner(signature_meta=signers.PdfSignatureMetadata(
                                        field_name='Signature',
                                        reason='My reason',
                                        location='My location',
                                        # use_pades_lta=True,
                                        use_pades_lta=False,
                                        subfilter=fields.SigSeedSubFilter.PADES,
                                        embed_validation_info=False,
                                        validation_context=vc,
                                        signer_key_usage = {'digital_signature'}#('digital_signature')
                                        ),
                        signer=cms_signer,
                        timestamper=tst_client,
                        # stamp_style=style,
                        # new_field_spec=sp
                        )

with open('document-signed.pdf', 'wb') as outf:
    print(out)
    out.sign_pdf(w, output=outf)`

When timestamper is set to "None". PDF will be signed without an issue but with timestamper

Traceback (most recent call last):
File "/home/mayur/Documents/amcrest/wesign/certs/new_demo.py", line 195, in
out.sign_pdf(w, output=outf)
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1524, in sign_pdf
result = asyncio.run(
^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1586, in async_sign_pdf
validation_info = await signing_session.perform_presign_validation(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1793, in perform_presign_validation
async for ts_path in async_ts_paths:
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko/sign/timestamps/api.py", line 101, in validation_paths
yield await job
^^^^^^^^^
File "/usr/lib/python3.12/asyncio/tasks.py", line 631, in _wait_for_one
return f.result() # May raise f.exception().
^^^^^^^^^^
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko_certvalidator/init.py", line 269, in async_validate_usage
validated_path = await self.async_validate_path()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko_certvalidator/init.py", line 136, in async_validate_path
self._path = candidate_path = await find_valid_path(
^^^^^^^^^^^^^^^^^^^^^^
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko_certvalidator/init.py", line 34, in find_valid_path
async for candidate_path in paths:
File "/home/mayur/Documents/amcrest/wesign/certs/env/lib/python3.12/site-packages/pyhanko_certvalidator/registry.py", line 649, in anext
raise PathBuildingError(
pyhanko_certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: Sectigo Qualified Time Stamping Signer #3, Organization: Sectigo (Europe) SL, Country: ES" - no issuer matching "Common Name: Sectigo Qualified Time Stamping Root R45, Organization: Sectigo (Europe) SL, Country: ES" was found`

`

===========================
With timestamper=None PDF will be signed and can be verified by pyHanko

pyhanko sign validate --pretty-print --trust root_cert.pem --no-diff-analysis document-signed.pdf

Field 1: Signature

Signer info

Certificate subject: "Common Name: Amcrest Industries LLC, Organization Identifier: NTRUS-801362377, Organization: Amcrest Industries LLC, Country: US"
Certificate SHA1 fingerprint: 9239b108d4a067a98ff253a8c280fa9781de69d9
Certificate SHA256 fingerprint: 682064ba76b6d41705bbba870a78186bd9f2df108e8d361d939081a6425c7821
Trust anchor: "Common Name: Sectigo Qualified Legal Person Root R45, Organization: Sectigo (Europe) SL, Country: ES"
The signer's certificate is trusted.

Integrity

The signature is cryptographically sound.

The digest algorithm used was 'sha512'.
The signature mechanism used was 'sha512_rsa'.

Signing time

Signing time as reported by signer: 2024-11-05T19:41:42+05:30

Modifications

The signature covers the entire file.

Bottom line

The signature is judged VALID.

Environment (please complete the following information):

• OS: Linux (Ubuntu 22.04)
• Python 3.12