ROB: Prevent sign command from signing already signed pdfs

moormaster · moormaster · commit 7ef37581c9be · 2025-10-10T17:14:41.000+02:00
diff --git a/pdfly/sign.py b/pdfly/sign.py
@@ -24,6 +24,7 @@
 from endesive import signer
 from fpdf import FPDF, get_scale_factor
 from pypdf import PageObject, PdfReader, PdfWriter
+from pypdf.generic import PdfObject
 
 
 def main(
@@ -36,6 +37,8 @@ def main(
     validate_output_args_or_raise(output, in_place)
 
     pdf_reader = PdfReader(filename)
+    pdf_is_unsigned_or_raise(pdf_reader)
+
     output_file: Union[io.BufferedWriter, tempfile._TemporaryFileWrapper]
     if output:
         output_file = open(output, "wb")
@@ -55,6 +58,28 @@ def main(
         output.unlink()
 
 
+def pdf_is_unsigned_or_raise(pdf_reader: PdfReader) -> None:
+    for page in pdf_reader.pages:
+        if page.annotations is None:
+            continue
+
+        if any(is_signature(annotation) for annotation in page.annotations):
+            raise typer.BadParameter("PDF is already signed.")
+
+
+def is_signature(annotation: PdfObject) -> bool:
+    resolved_annotation_object = annotation.get_object()
+    if resolved_annotation_object is None:
+        return False
+
+    subtype = resolved_annotation_object["/Subtype"]
+    if subtype != "/Widget":
+        return False
+
+    fieldtype = resolved_annotation_object["/FT"]
+    return fieldtype == "/Sig"
+
+
 def _sign_pdf_contents(
     pdf_reader: PdfReader,
     output_file: Union[io.BufferedWriter, tempfile._TemporaryFileWrapper],
diff --git a/resources/sign_pkcs12.pdf b/resources/sign_pkcs12.pdf
diff --git a/tests/test_sign.py b/tests/test_sign.py
@@ -16,6 +16,28 @@ def test_sign_missing_certificate_key_option(capsys, tmp_path):
     assert "Missing option" in captured.err
 
 
+def test_sign_already_signed_pdf(capsys, tmp_path):
+    # Act
+    with chdir(tmp_path):
+        exit_code = run_cli(
+            [
+                "sign",
+                str(RESOURCES_ROOT / "sign_pkcs12.pdf"),
+                "-o",
+                "out.pdf",
+                "--p12",
+                str(RESOURCES_ROOT / "signing-certificate.p12"),
+                "--p12-password",
+                "fpdf2",
+            ]
+        )
+    captured = capsys.readouterr()
+
+    # Assert
+    assert exit_code == 2
+    assert "already signed" in captured.err
+
+
 def test_sign_pkcs12(capsys, tmp_path):
     # Act
     with chdir(tmp_path):
