PDF Digital Signatures: How They Work and Why They Matter
Electronic vs Digital Signatures
These terms are often confused but mean different things:
| Feature | Electronic Signature | Digital Signature |
|---|---|---|
| Definition | Any electronic indication of intent to sign | Cryptographic signature using PKI certificates |
| Examples | Typed name, drawn signature, click-to-accept | Certificate-based signature with hash verification |
| Identity verification | Varies (email, phone, none) | Certificate Authority verifies identity |
| Tamper detection | No | Yes: any modification invalidates the signature |
| Legal weight | Valid in most cases | Highest legal weight, especially in EU (eIDAS) |
| Cost | Usually free | Certificate costs $20-200/year |
For most personal and business use, electronic signatures are sufficient. Digital signatures are required for government filings, regulated industries, and cross-border legal documents.
How Digital Signatures Work
A PDF digital signature uses Public Key Infrastructure (PKI), the same technology that secures HTTPS websites:
- Hash creation: The PDF content is run through a cryptographic hash function (SHA-256), producing a unique fingerprint
- Encryption: The hash is encrypted with the signer's private key (in signature terms, signed), creating the signature
- Embedding: The encrypted hash and the signer's public certificate are embedded in the PDF
- Verification: A reader decrypts the hash using the public key from the certificate, computes a fresh hash of the document, and compares the two. If they match, the document is unmodified
This process guarantees three things:
- Authentication: The signer is who they claim to be (verified by the certificate)
- Integrity: The document has not been altered since signing
- Non-repudiation: The signer cannot deny having signed (their private key was used)
Certificate Types
| Type | Issued By | Trust Level | Use Case |
|---|---|---|---|
| Self-signed | You | Low (recipient must manually trust) | Internal documents, testing |
| Organization-validated (OV) | Certificate Authority | Medium (CA verified the organization) | Business contracts, invoices |
| Extended Validation (EV) | Certificate Authority | High (thorough identity verification) | Legal documents, government |
| Qualified (QES) | Qualified Trust Service Provider | Highest (EU eIDAS qualified) | EU legal equivalence to handwritten |
Certificate Authorities trusted by Adobe Acrobat include DigiCert, GlobalSign, Entrust, and others on the Adobe Approved Trust List (AATL).
Signature Validation
When you open a signed PDF, the viewer checks:
| Check | Green (valid) | Yellow (warning) | Red (invalid) |
|---|---|---|---|
| Certificate trust | CA is on trusted list | Self-signed or unknown CA | Certificate revoked |
| Document integrity | Unmodified since signing | Allowed changes (form fill) | Content modified |
| Certificate validity | Not expired | Expiring soon | Expired |
| Timestamp | Trusted timestamp present | No timestamp | Timestamp invalid |
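An added example, not code from the article, of the "Document integrity" row above and of why a form fill can be an allowed change while an in-place edit is not. A signed PDF records a /ByteRange [a b c d]; the hash covers bytes [a, a+b) and [c, c+d), which is the whole file except the /Contents string holding the signature. Later changes are appended as incremental updates after the signed %%EOF, so the covered bytes stay intact and the viewer inspects the appended revision, whereas editing covered bytes breaks the hash. Assumptions: the bytes below are constructed and are not a complete PDF, and a SHA-256 hex digest stands in for the signature value so the check runs with hashlib alone.

```python
import hashlib
import re

_BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def parse_byte_range(pdf: bytes) -> tuple:
    """Return (a, b, c, d) from the first /ByteRange array in the file."""
    m = _BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    return tuple(int(x) for x in m.groups())


def covered_digest(pdf: bytes, byte_range) -> str:
    """SHA-256 over the two signed ranges; the signature value itself is skipped."""
    a, b, c, d = byte_range
    h = hashlib.sha256()
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.hexdigest()


def build_signed_pdf() -> bytes:
    """Construct a minimal signed-PDF-like file the way signing tools do it:
    reserve a fixed-size /Contents placeholder, fill in /ByteRange, hash the
    covered bytes, then overwrite the placeholder with the (stand-in) signature."""
    placeholder = b"0" * 64  # same width as a SHA-256 hex digest
    body = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Contents (Agreed price: 100 EUR) >> endobj\n"
            b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
            b"   /ByteRange [0 AAAAAAAA BBBBBBBB CCCCCCCC] /Contents <" + placeholder + b"> >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
    b = body.index(b"<" + placeholder)   # offset of the '<' that opens /Contents
    c = b + len(placeholder) + 2         # first byte after the closing '>'
    d = len(body) - c
    body = (body.replace(b"AAAAAAAA", b"%08d" % b)
                .replace(b"BBBBBBBB", b"%08d" % c)
                .replace(b"CCCCCCCC", b"%08d" % d))  # fixed width keeps offsets valid
    digest = covered_digest(body, (0, b, c, d)).encode("ascii")
    return body[:b + 1] + digest + body[c - 1:]


def integrity_status(pdf: bytes) -> str:
    """Classify a file like the 'Document integrity' row of the validation table."""
    a, b, c, d = parse_byte_range(pdf)
    gap = pdf[a + b:c]
    if a != 0 or not (gap.startswith(b"<") and gap.endswith(b">")):
        return "malformed"            # the only uncovered bytes must be the /Contents string
    stored = gap[1:-1].decode("ascii", errors="replace")
    if covered_digest(pdf, (a, b, c, d)) != stored:
        return "modified"             # red: covered bytes changed or the file was truncated
    if c + d < len(pdf):
        return "incremental update"   # yellow: signed revision intact, a later revision was appended
    return "unmodified"               # green


if __name__ == "__main__":
    signed = build_signed_pdf()
    print("as signed:         ", integrity_status(signed))
    print("price edited:      ", integrity_status(signed.replace(b"100 EUR", b"900 EUR")))
    print("truncated:         ", integrity_status(signed[:-5]))
    # Constructed incremental update: a new revision appended after the signed %%EOF
    update = b"4 0 obj << /Type /Annot /Contents (Reviewed) >> endobj\ntrailer << /Prev 9 >>\n%%EOF\n"
    print("annotation appended:", integrity_status(signed + update))
```

The "incremental update" result is the important one for defenders: the signature is still cryptographically valid over the original revision, but what the viewer now shows may differ from what was signed, which is why viewers report this state separately (and why a signer can lock the document against further changes). Real validation also checks that the gap between the ranges contains nothing but the /Contents string; a /ByteRange that skips other bytes is a classic way to smuggle unsigned content into a "signed" file.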
Long-Term Validation (LTV)
Certificates expire, CRLs (Certificate Revocation Lists) become unavailable, and OCSP responders go offline. LTV embeds all validation data (certificates, CRLs, OCSP responses) into the PDF at signing time, so the signature can be verified years later even if the CA no longer exists.
Timestamp Authorities
A timestamp proves when the document was signed. Without it, someone could backdate a signature. Trusted timestamp authorities include DigiCert, GlobalSign, and FreeTSA.org.
Legal Standing
| Jurisdiction | Law | Key Points |
|---|---|---|
| United States | ESIGN Act (2000), UETA | Electronic signatures are legally valid. No specific technology required. |
| European Union | eIDAS (2014) | Three levels: simple, advanced, qualified. Only QES has automatic legal equivalence to handwritten. |
| United Kingdom | Electronic Communications Act 2000 | Electronic signatures admissible as evidence. QES for highest assurance. |
| China | Electronic Signature Law (2005) | Reliable electronic signatures have same legal effect as handwritten. |
| India | IT Act 2000 | Digital signatures using asymmetric crypto are legally recognized. |
How to Sign a PDF
Free Options
- ThePDF Signature Tool: Draw or type your signature, add to any page. Runs in browser.
- LibreOffice Draw: Open PDF, insert signature image, export as PDF
- Okular: KDE's PDF viewer supports digital signatures with certificates
- JSignPdf: Free Java tool for certificate-based signing
Command Line (OpenSSL + pdfsig)
```bash
# Create a self-signed certificate and private key
openssl req -x509 -newkey rsa:2048 -keyout key.pem \
  -out cert.pem -days 365 -nodes \
  -subj "/CN=Your Name/O=Your Org"

# Bundle key and certificate as PKCS#12; -name sets the nickname used below
openssl pkcs12 -export -out cert.p12 \
  -inkey key.pem -in cert.pem -name "Your Name"

# pdfsig (poppler-utils) reads signing certificates from an NSS database,
# not from a .p12 file directly: create the database if it does not exist
# yet, then import the bundle (certutil and pk12util come with the NSS tools)
certutil -N -d sql:$HOME/.pki/nssdb --empty-password
pk12util -i cert.p12 -d sql:$HOME/.pki/nssdb

# Add a signature field and sign it with the imported certificate
pdfsig input.pdf output.pdf -add-signature -nick "Your Name"

# Check the result: lists each signature's signer, time and validation status
pdfsig output.pdf
```
Common Issues
- "Signature validity is unknown": The CA is not on the viewer's trusted list. Import the CA certificate or use an AATL-listed CA.
- "Document has been altered": Someone modified the PDF after signing. Even adding a comment or form field can trigger this if the signature doesn't allow it.
- "Certificate has expired": The signing certificate's validity period has passed. LTV-enabled signatures remain valid even after certificate expiry.
- Signature not visible: Digital signatures can be invisible (no visual representation on the page). Check Document Properties > Security for signature details.
Frequently Asked Questions
What is the difference between electronic and digital signatures?
An electronic signature is any electronic indication of intent to sign (typed name, drawn signature, click-to-sign). A digital signature uses cryptographic certificates to verify identity and detect tampering. Digital signatures are a subset of electronic signatures.
Are PDF digital signatures legally binding?
Yes, in most jurisdictions. The US ESIGN Act, EU eIDAS regulation, and similar laws in 60+ countries recognize digital signatures as legally equivalent to handwritten signatures.
What does the green checkmark mean on a signed PDF?
It means the signature is valid: the signer's identity is verified by a trusted certificate authority, and the document has not been modified since signing.
Can I sign a PDF for free?
Yes. ThePDF's signature tool, LibreOffice Draw, and Okular allow free PDF signing. For legally binding digital signatures with identity verification, you need a certificate from a Certificate Authority.
What happens if a signed PDF is modified?
The signature becomes invalid. PDF viewers show a warning that the document was altered after signing. The cryptographic hash computed during verification no longer matches the original.