Everything around Error Messages
Fix signature problems yourself
A | Error patterns
What does the error message “Serial Number Mismatch. We strongly advise to go through the Pre-Signing Process in order to retrieve the actual StepUp SerialNumber” mean?
This error message indicates that, in a PWD/OTP process, the password was reset and re-selected without performing a new identification with the corresponding step-up process according to the Reference Guide.
I authenticated correctly with PWD/OTP, Mobile ID or Mobile ID App – but the signature didn’t work … what could be the reason?
- You have set a new password for the PWD/OTP procedure. This may only be carried out in exceptional situations at an internal registration authority and must otherwise always take place as part of a new identification.
- You had previously authenticated with PWD/OTP and you have now activated your MobileID with a Swiss mobile phone number or internationally by use of a Mobile ID App. In this case, a new identification must also take place because the means of authentication belonging to the identity has changed.
- You have changed the SIM or the mobile phone provider. As a result, the MobileID authentication has changed when using a MobileID. A new identification is also necessary for this.
- If none of these causes are present, you should open a ticket.
Often the messages refer to missing integrity, i.e. the document shows changes made after it was signed. For example, elements were downloaded from the network and inserted later. This can be avoided by consistently using the latest version of the PDF/A standard PAdES for the signature. To build correct PAdES documents, please follow this link: https://github.com/SCS-CBU-CED-IAM/AIS/wiki/PAdES-Long-Term-Validation
It should be noted that the EU validators are far from harmonised. This means that test portals can present an electronic qualified signature as “invalid”, even though it meets the requirements for eIDAS dating. Harmonisation is being worked on by the EU.
“Signature is valid but the signer’s identity validity could not be verified” is Adobe’s statement if no LTV format was used. The background is that Adobe then tries to check the validity of a 10-minute certificate. If no long-term validation format was used, which stores the validity information at the time of the signature, this information can no longer be accessed after some time. Therefore, signatures with short-term certificates (but also signatures with long-term proof) must always be saved in LTV format. You can find more hints here: https://github.com/SCS-CBU-CED-IAM/AIS/wiki/PAdES-Long-Term-Validation
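A quick way to see whether a signed PDF carries stored validation data, and whether anything was appended after signing, is to scan it for the signature's ByteRange and the PAdES Document Security Store (DSS). The following is an added example, not Swisscom code; the function names and the sample bytes are constructed for illustration, and the scan assumes the relevant objects are not inside compressed object streams.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def ltv_report(pdf: bytes) -> dict:
    """Heuristic raw-byte scan. Assumes signature and DSS objects are not in
    compressed object streams; revocation data embedded in the CMS signature
    itself is not detected."""
    ranges = [tuple(map(int, m.groups())) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        return {"verdict": "unsigned"}
    # The range reaching furthest into the file belongs to the latest signature.
    signed_end = max(c + d for _, _, c, d in ranges)
    tail = pdf[signed_end:]  # bytes appended after the last signature
    has_dss = b"/DSS" in pdf
    revocation = [k.decode() for k in (b"/OCSPs", b"/CRLs") if has_dss and k in pdf]
    return {
        "verdict": "ltv-data-present" if revocation else "no-ltv-data",
        "signatures": len(ranges),
        "revocation_entries": revocation,
        "bytes_after_signature": len(tail),
        # A tail that carries a DSS is the expected LTV update; any other
        # tail means content was added after signing and needs review.
        "unexplained_tail": bool(tail.strip()) and b"/DSS" not in tail,
    }

def make_sample(tail: bytes = b"") -> bytes:
    """Constructed input: only the tokens the scanner reads, not a real PDF."""
    tmpl = b"%%PDF-1.7\n1 0 obj<</Type/Sig/ByteRange [0 %04d %04d %04d]/Contents"
    hole, rest = b"<" + b"00" * 16 + b">", b">>endobj\n%%EOF\n"
    start = len(tmpl % (0, 0, 0))  # fixed-width numbers keep the length stable
    head = tmpl % (start, start + len(hole), len(rest))
    return head + hole + rest + tail

# Constructed incremental update that adds a DSS with OCSP responses.
DSS_UPDATE = (b"2 0 obj<</DSS 3 0 R>>endobj\n"
              b"3 0 obj<</OCSPs[4 0 R]/Certs[5 0 R]>>endobj\n%%EOF\n")
# Constructed incremental update that adds other content after signing.
EDIT_UPDATE = b"6 0 obj<</Type/Annot>>endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, tail in [("plain", b""), ("ltv", DSS_UPDATE), ("edited", EDIT_UPDATE)]:
        print(name, ltv_report(make_sample(tail)))
```

A "no-ltv-data" verdict corresponds to the situation described above in which Adobe can no longer verify the signer's identity; a full validator is still needed to confirm the signature itself.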
This message is triggered in two cases:
a) In case you have just been identified with the Swisscom RA app and a change has taken place before with your authentication method (SIM card/contract change, Mobile ID reset, password for the signature has been changed, change from PWD/OTP to Mobile ID)
In this case, everything is OK, and you can continue to sign as usual up to level qualified.
b) In case new Terms & Conditions are available that must be accepted and a change has taken place with your authentication method since the last successful signature (SIM card/contract change, Mobile ID reset, password for the signature has been changed, switching from PWD/OTP to Mobile ID)
In this case, you must be re-identified in order to be able to make qualified signatures.
The verify call which checks if a person is well-known to the RA-Service returns the following error code:
"message": "Cannot check jurisdiction of unknown user with msisdn XXXXXXXXX",
On this Signature Check page you can check at any time whether you can sign electronically or whether you need a new registration:
If the result is positive, you will be shown with which signature type (QES, FES) and in which legal area (EU, Switzerland) you can sign electronically.
In case of a negative result, the reason for a new registration and identification for the electronic signature is displayed.
Make sure that you have not registered the person in the RA-App Demo Mode (mobile number +41001234567, company “demo”).
Check the Service Status page (https://trustservices.swisscom.com/service-status/) to see if there are any faults. If no SMS arrives after another attempt, please inform the support.
If you are already registered (with RA app or the Smart Registration Service), you have to observe the following:
- If you already use the Mobile ID on SIM card and want to use the Mobile ID app, you should use the recovery code when activating the app, or authenticate with the Mobile ID SIM during activation, and not activate it as a “new Mobile ID”. Otherwise, the app will also be considered a new method of declaration of will and you will need to be re-identified.
- The same happens the other way round if you want to switch from an installed Mobile ID app to the Mobile ID SIM card.
A typical error message in such a case contains “serial mismatch”.
The Smart Registration Service tries 5 times, once every 3 days, to send out the SMS again. Only if all attempts have failed after 15 days is a re-identification necessary.
With the password/SMS code method, there is unfortunately no possibility of recovery; a user must be re-identified in any case after he has changed his password.
M | Mobile ID and Mobile ID app
Please have a look at the Mobile ID FAQ, where you can find answers to many questions about Mobile ID.