This page lists some TODOs and known limitations of pyHanko.
Expand, polish and rigorously test the validation functionality. The test suite covers a variety of scenarios already, but the difference checker in particular is still far from perfect.
The most lenient document modification policy (i.e. addition of comments and annotations) is not supported. Comments added to a signed PDF will therefore be considered “unsafe” changes, regardless of the policy set by the signer.
For now, only signatures using the “RSA with PKCS#1 v1.5” mechanism and ECDSA are effectively supported. Expanding this to include the full gamut of what oscrypto supports is on the roadmap.
There is currently no support for signing and stamping PDF/A and PDF/UA files. That is to say, pyHanko treats these as any other PDF file and will produce output that may not comply with the provisions of these standards.
PKCS#11 support (esp. in the CLI) is limited to Belgian RSA-based cards, because my experience with (generic) PKCS#11 is very limited. Discussion and pull requests are certainly welcome, though!