PDF Digital Signatures: How to Verify Document Authenticity

Check digital signatures in PDF files. Learn how PDF signatures work and how to verify document authenticity.

What Is PDF Digital Signature Verification?

A digital signature on a PDF document provides cryptographic proof of two things:

  1. Identity: The document was signed by the claimed signer
  2. Integrity: The document hasn't been modified since it was signed

Unlike a scanned handwritten signature (just an image), a digital signature is a mathematical construct based on public-key cryptography that provides strong, verifiable guarantees.

How PDF Digital Signatures Work

The Signing Process

  1. A hash of the PDF content is computed (e.g., SHA-256)
  2. The hash is encrypted using the signer's private key
  3. The encrypted hash (the signature) is embedded in the PDF
  4. The signer's certificate (containing their public key) is also stored in the PDF

The Verification Process

  1. Extract the signature and certificate from the PDF
  2. Decrypt the signature using the public key from the certificate
  3. Independently compute the hash of the current PDF content
  4. Compare: if both hashes match, the signature is valid and the document hasn't changed

Trust Chain

A certificate by itself doesn't prove identity — anyone could generate one. Trust is established through a Certificate Authority (CA) chain:

  • Your certificate is signed by an intermediate CA
  • The intermediate CA's certificate is signed by a root CA
  • Root CAs are pre-installed in operating systems and browsers as trusted

Types of PDF Signatures

Approval Signature

Signs the document at a point in time. Additional signatures can be added afterward (each covers the content at the time of signing).

Certification Signature (DocMDP)

Controls what changes are permitted to the document after signing:

  • Level 1: No changes allowed
  • Level 2: Only form filling and annotations allowed
  • Level 3: Form filling, annotations, and page additions allowed

Invisible Signature

Cryptographic signature without a visible graphical element in the document.

Visible Signature

Includes both the cryptographic signature and a visible representation (often a signature image, name, date, and reason).

PDF Signature Validation States

When verifying a PDF signature, the result can be:

Valid

  • Signature cryptographically verifies
  • Certificate chain is trusted
  • No modifications since signing

Valid but with Issues

  • Signature is mathematically valid
  • Certificate may be expired, untrusted, or revoked
  • Document may have been modified in allowed ways (approved changes)

Invalid

  • Document has been modified after signing
  • The computed hash doesn't match the signature

Unknown

  • Cannot verify without internet access (for OCSP/CRL checks)
  • Certificate chain leads to an untrusted root

Long-Term Validation (LTV)

Standard signatures can become unverifiable over time as certificates expire. Long-Term Validation (LTV) embeds all verification information in the PDF itself:

  • Certificate chain
  • OCSP responses (certificate validity proof)
  • Timestamps from trusted timestamping authorities

LTV-enabled PDFs can be verified years or decades after signing without internet access.

PAdES, CAdES, and XAdES Standards

Different signature standards are used in different contexts:

  • PAdES (PDF Advanced Electronic Signatures): European standard for PDF signatures, required for legal compliance in the EU
  • CAdES: For arbitrary data, not just PDFs
  • XAdES: For XML documents

The EU's eIDAS regulation defines signature levels:

  • SES (Simple): Basic digital signature
  • AdES (Advanced): Signer identity linked to signature
  • QES (Qualified): Highest legal value, equivalent to a handwritten signature in EU law

Common Signature Issues

Self-Signed Certificates

Many PDF signing tools allow creating certificates without CA involvement. These are "self-signed" — the certificate is signed by its own private key. They provide integrity guarantees but no identity assurance.

Expired Certificates

A signature made with a certificate that was valid at signing time remains valid if properly timestamped. LTV handles this correctly. Without LTV, expired certificates may cause false "invalid" warnings.

Incremental Updates

PDFs can be modified by appending new data (incremental updates) without overwriting the original signed content. A signature applied before such an update covers only the original content, not the appended data; understanding this is important when reviewing signed PDFs that were later modified.
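
Added example (not from the original page or its tool): a Python check for step 3 of the verification process and for the incremental-update case above. It assumes the PDF signature dictionary keys /ByteRange and /Contents, which this page does not name, locates them with a regex instead of a full PDF parser, and runs on a constructed sample; it computes the digest of the signed bytes and their coverage, and does not verify the signature value or the certificate.

```python
import hashlib
import re

# /ByteRange [o1 l1 o2 l2] names the two signed spans; the gap holds /Contents <hex>.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_signatures(pdf):
    """Per signature: SHA-256 of the signed bytes and how many file bytes follow them."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in m.groups())
        gap = pdf[o1 + l1:o2]
        # Reject ranges that do not start at 0, overlap, run past EOF, or whose gap
        # is not exactly one <hex string>: anything else there would be unsigned.
        ok = (o1 == 0 and l1 <= o2 and o2 + l2 <= len(pdf)
              and re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None)
        entry = {"byte_range": (o1, l1, o2, l2), "well_formed": ok}
        if ok:
            signed = pdf[:l1] + pdf[o2:o2 + l2]
            entry["sha256"] = hashlib.sha256(signed).hexdigest()
            entry["unsigned_trailing_bytes"] = len(pdf) - (o2 + l2)
        results.append(entry)
    return results

def build_sample():
    """Constructed stand-in for a signed file: signature layout only, not a full PDF."""
    before = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    contents = b"<" + b"00" * 16 + b">"  # placeholder for the embedded signature
    tmpl = b" /ByteRange [%10d %10d %10d %10d] >>\nendobj\n%%%%EOF\n"
    l1, o2 = len(before), len(before) + len(contents)
    l2 = len(tmpl % (0, 0, 0, 0))  # fixed-width fields, so the length is known up front
    return before + contents + tmpl % (0, l1, o2, l2)

# Constructed incremental update appended after signing.
UPDATE = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    signed = build_sample()
    for label, data in (("as signed", signed), ("after update", signed + UPDATE)):
        for sig in inspect_signatures(data):
            print(label, sig["sha256"][:16], sig["unsigned_trailing_bytes"])
```

The digest is identical before and after the update, so the original signature still verifies while the appended object lies outside what it covers. A non-zero trailing count is a prompt to check whether the later bytes are another signature or a change the certification level permits.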

Using the PDF Signature Checker

Our tool:

  1. Accepts a PDF via drag-and-drop or file picker
  2. Extracts all signatures from the document
  3. Verifies each signature cryptographically
  4. Shows certificate details — issuer, subject, validity period
  5. Indicates trust status — trusted CA, self-signed, or unknown
  6. Reports modification status — whether the document was changed after signing
  7. Processes client-side — your PDF is never uploaded to a server

Use it for verifying signed contracts, checking certificate-signed documents, auditing PDF integrity, and understanding what digital signatures actually prove about a document.