TLDR: Missing newline before writeAppearanceStreamBuffer's endstream\n.

Bug Description

PDF/A validators fail when validating PDFs signed with visual signatures because the /Length value in appearance stream dictionaries doesn't match the actual stream length.

Error Message from veraPDF

Specification: ISO 19005-3:2012, Clause: 6.1.7.1, Test number: 1
The value of the Length key specified in the stream dictionary shall match the number
of bytes in the file following the LINE FEED (0Ah) character after the stream keyword
and preceding the EOL marker before the endstream keyword

Root Cause

The writeAppearanceStreamBuffer function in sign/appearance.go was not adding the required EOL marker (newline) before the endstream keyword, which is mandated by the PDF specification (ISO 32000).

According to the spec, the /Length value should count bytes from after the LF following stream up to (but not including) the EOL before endstream. The missing newline caused a mismatch between the declared length and actual stream content.

Steps to Reproduce

1. Sign a PDF with a visual signature that includes an image
2. Validate the resulting PDF with a PDF/A validator (e.g., VeraPDF)
3. Observe the validation failure on the appearance stream object

Expected Behavior

The signed PDF should pass PDF/A validation with correct stream length values.