It appears that, for all intents and purposes, PGP is wholly incompatible with any of Microsoft Office's built-in digital signature functions. Ditto for Adobe Acrobat.
That is right. You will have to use X.509 instead – see below.
This is baffling, because PGP is a defined RFC, 4880
The fact that PGP is RFC-defined means nothing here – X.509 has more RFCs (1422 and 5280 being the primary ones), all of them based on several ITU-T standards (which is where the "X.509" name comes from).
It is very widely used in TLS (SSL), S/MIME (email), code signing (Authenticode, Java, Android, iOS), document signing (AdES), and so on. Even many governments use X.509-based PKI and issue "qualified" certificates having the same legal status as a handwritten signature. In Office 2010, XAdES-format digital signatures were added to help with that.
so I would imagine that it is possible for MS to integrate SOME kind of support for either X.509 or PGP.
Both Microsoft Office and Adobe Acrobat do in fact use X.509 certificates – any certificate in your Windows certstore can be immediately used in Office (provided, of course, that it has a private key stored and the proper usage bits enabled). In Office 2007, this is under Office → Prepare → Digital signature.
Adobe Reader lists Windows certificates under "Digital IDs → Windows Digital IDs" in the *Edit → Protection → Security Settings" menu.
I figured that if there was a way to export an X.509/PKCS-12 certificate based off of a public PGP key, [...] But this appears to be impossible. I mean, aren't both technically bog-standard PKI certificates?
No, they aren't. The only thing OpenPGP and X.509 have in common is their usage of cryptographic algorithms: RSA, DSA, SHA, et cetera; otherwise they are completely independent. The term "PKI" usually only covers X.509.
It's technically possible (and often quite easy) to re-use the key material – for example, take the RSA parameters of a PGP keypair to create an X.509 certificate. But this will not make them interchangeable:
PGP and X.509 use very different trust models – PGP is based on web of trust, while X.509 is hierarchical and requires the certificate to be signed by a single authority, so the key trust you have built up from key signatures simply won't carry over.
In addition, they store different user-visible information, starting with the basic "Subject" of Mantas M. <grawity@gmail.com>
versus /C=LT/O=Example Company/OU=Users/CN=Mantas M.
for example. (This may be related.)
In other words, converting a PGP cert to an X.509 cert achieves nothing more than increase the security risk (due to reusing the cryptographic key instead of generating a fresh one.)
Best Answer
@ThorX89 - you need to timestamp your signatures. This will solve your problem.
Basically you use a valid (at the time) certificate to sign the PDF, this is timestamped by a third party CA (most Certificate Authorities allow you use of their timestamp servers - check with your provider) and the time stamp itself is verified by a certificate issued by the CA.
In Adobe Acrobat (or Reader) Edit > Preferences > Security > Check Require Certificate revocation Checking to succeed whenever possible during signature verification - then in the box below chose the Secure Time (timestamping) option.
As long as your certificate is valid at the time of signing and the timestamp server is set correctly in Adobe, even if your certificate later expires or is revoked, Adobe checks to see if your certificate was valid at the secure time (i.e. timestamp) of the certificate as certified by a third party trust provider.
To set the time server in Adobe go to Advanced Menu > Security Settings and then on the left you will see time Stamp servers. Enter the New time stamp server and adobe will download a certificate from their server and that will be used to verify the time stamp.
Keep in mind, your Certificate issuer AND the timestamp server's CA both (in case they are different issuers) have to be on the Abode Approved Trust List (AATL) for their to be absolutely no signature verification errors presented to a viewer of the file when they open it in Adobe Acrobat 9.0 or newer. If the issuers are not on the list, they will be presented with 'cannot verify signature' even if it was timestamped. The only solution to this is that (yours and the timeserver's) certificates have to be trusted by the viewer in their Adobe software. Going for a AATL listed provider gets around this problem (for Adobe products).