What Is PDF Digital Signature Verification?
A digital signature on a PDF document provides cryptographic proof of two things:
- Identity: The document was signed by the claimed signer
- Integrity: The document hasn't been modified since it was signed
Unlike a scanned handwritten signature (just an image), a digital signature is a mathematical construct based on public-key cryptography that provides strong, verifiable guarantees.
How PDF Digital Signatures Work
The Signing Process
- A hash of the PDF content is computed (e.g., SHA-256)
- The hash is encrypted using the signer's private key
- The encrypted hash (the signature) is embedded in the PDF
- The signer's certificate (containing their public key) is also stored in the PDF
The Verification Process
- Extract the signature and certificate from the PDF
- Decrypt the signature using the public key from the certificate
- Independently compute the hash of the current PDF content
- Compare: if both hashes match, the signature is valid and the document hasn't changed
Trust Chain
A certificate by itself doesn't prove identity — anyone could generate one. Trust is established through a Certificate Authority (CA) chain:
- Your certificate is signed by an intermediate CA
- The intermediate CA's certificate is signed by a root CA
- Root CAs are pre-installed in operating systems and browsers as trusted
Types of PDF Signatures
Approval Signature
Signs the document at a point in time. Additional signatures can be added afterward (each covers the content at the time of signing).
Certification Signature (DocMDP)
Controls what changes are permitted to the document after signing:
- Level 1: No changes allowed
- Level 2: Only form filling and annotations allowed
- Level 3: Form filling, annotations, and page additions allowed
Invisible Signature
Cryptographic signature without a visible graphical element in the document.
Visible Signature
Includes both the cryptographic signature and a visible representation (often a signature image, name, date, and reason).
PDF Signature Validation States
When verifying a PDF signature, the result can be:
Valid
- Signature cryptographically verifies
- Certificate chain is trusted
- No modifications since signing
Valid but with Issues
- Signature is mathematically valid
- Certificate may be expired, untrusted, or revoked
- Document may have been modified in allowed ways (approved changes)
Invalid
- Document has been modified after signing
- The computed hash doesn't match the signature
Unknown
- Cannot verify without internet access (for OCSP/CRL checks)
- Certificate chain leads to an untrusted root
Long-Term Validation (LTV)
Standard signatures can become unverifiable over time as certificates expire. Long-Term Validation (LTV) embeds all verification information in the PDF itself:
- Certificate chain
- OCSP responses (certificate validity proof)
- Timestamps from trusted timestamping authorities
LTV-enabled PDFs can be verified years or decades after signing without internet access.
PAdES, CAdES, and XAdES Standards
Different signature standards are used in different contexts:
- PAdES (PDF Advanced Electronic Signatures): European standard for PDF signatures, required for legal compliance in the EU
- CAdES: For arbitrary data, not just PDFs
- XAdES: For XML documents
The EU's eIDAS regulation defines signature levels:
- SES (Simple): Basic digital signature
- AdES (Advanced): Signer identity linked to signature
- QES (Qualified): Highest legal value, equivalent to a handwritten signature in EU law
Common Signature Issues
Self-Signed Certificates
Many PDF signing tools allow creating certificates without CA involvement. These are "self-signed" — the certificate is signed by its own private key. They provide integrity guarantees but no identity assurance.
Expired Certificates
A signature made with a certificate that was valid at signing time remains valid if properly timestamped. LTV handles this correctly. Without LTV, expired certificates may cause false "invalid" warnings.
Incremental Updates
PDFs can be modified by appending new data (incremental updates) without overwriting the original signed content. A signature applied before such an update covers only the content that existed at signing time, not the appended data; understanding this is important when reviewing signed PDFs that were later modified.
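The check below is an added example, not code from the tool described on this page. It relies on the `/ByteRange` array that a PDF signature dictionary uses to list the signed byte spans, and shows that appending an incremental update leaves the signed digest unchanged while leaving trailing bytes outside the signature. The sample bytes and function names are constructed for illustration, and the regex scan is a simplification of real PDF parsing.

```python
import hashlib
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """Report, per /ByteRange found, what the signed digest does and does not cover."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        end = off2 + len2
        # Reject ranges that do not start at byte 0, overlap, or run past the file.
        if off1 != 0 or len1 > off2 or end > len(pdf):
            results.append({"well_formed": False})
            continue
        signed = pdf[:len1] + pdf[off2:end]
        results.append({
            "well_formed": True,
            "digest": hashlib.sha256(signed).hexdigest(),
            # The excluded gap should be exactly the <hex> /Contents string.
            "gap_is_hex_string": pdf[len1:len1 + 1] == b"<" and pdf[off2 - 1:off2] == b">",
            # Bytes after the second span are not covered by this signature.
            "unsigned_trailing_bytes": len(pdf) - end,
        })
    return results

def build_sample() -> bytes:
    """Constructed PDF-like bytes with a consistent /ByteRange (not a real signed PDF)."""
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    contents = b"<" + b"00" * 32 + b">"  # stands in for the signature blob
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(tmpl % (0, 0, 0))
    off2 = len1 + len(contents)
    return tmpl % (len1, off2, len(tail)) + contents + tail

original = build_sample()
# Constructed incremental update appended after the signed content.
updated = original + b"2 0 obj\n<< /Note (added later) >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("original", original), ("updated", updated)):
        print(name, signature_coverage(data))
```

A non-zero `unsigned_trailing_bytes` is not proof of tampering by itself, since later signatures and permitted form filling also append data, but it marks the content a reviewer has to examine separately.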
Using the PDF Signature Checker
Our tool:
- Accepts a PDF via drag-and-drop or file picker
- Extracts all signatures from the document
- Verifies each signature cryptographically
- Shows certificate details — issuer, subject, validity period
- Indicates trust status — trusted CA, self-signed, or unknown
- Reports modification status — whether the document was changed after signing
- Processes client-side — your PDF is never uploaded to a server
Use it for verifying signed contracts, checking certificate-signed documents, auditing PDF integrity, and understanding what digital signatures actually prove about a document.