Understanding PDF signatures

Posted by Liaquat Khan on Jul 2, 2013 1:48:00 PM

PDF documents have been in common use within business for many years. Protecting PDFs against change is fast becoming a hot topic. Digitally signing PDFs with a certifying signature protects the content and also shows who signed or approved the document. This article explains how you can easily digitally sign PDFs, what is needed to electronically sign PDF documents and the different types of PDF signatures.

How to digitally sign PDF documents

First, you need software that is capable of electronically signing PDFs, such as Ascertia's PDF Sign&Seal (a desktop application for manually creating PDF signatures) or our ADSS Signing Server (a server application for bulk, automated or web-services PDF signing).

The other thing you need is a document signing certificate (i.e. your cryptographic signing key). You can get a free key and certificate directly from our site here. This PDF document signing certificate proves your digital identity and shows that it was indeed you who signed a PDF document.

How to create a PDF signature

The PDF Signature is created by the PDF signing software using a simple process as follows: 

PDF-signature.jpg

Ascertia's PDF Signing applications make the process of signing a PDF document very simple. We support techniques, such as:

  • Signing multiple PDF documents at once
  • Converting Word and other common document types to PDF and then signing them
  • One-click PDF signing
  • Automated bulk signing

The main thing is that signing a PDF should be as simple as signing a paper document with a pen, and for bulk documents it should be much more efficient!

Of course, there are many types of PDF Signatures. The rest of this article explains some of these. The important thing to remember is that PDF signatures are standardised (ISO 32000-1 and ISO 19005-1).

This means that when you sign a PDF document using standard software, the signed PDF documents can also be read and verified using other third-party PDF software, including Adobe® Reader, Foxit® Reader and other standards-compliant providers.

Invisible PDF signatures

When you electronically sign a PDF, a cryptographic checksum is produced. It is based on the whole PDF document content and your private signing key. This cryptographic checksum or “digital signature” is then embedded within the PDF.

As a result, if even one bit of the PDF document changes, perhaps by accident or perhaps through a malicious attacker, the digital signature will no longer be valid when verified. As long as you protect your private PDF signing key, no one else can sign a PDF in your name.
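The check described above can be seen at the byte level. The following is an added example, not Ascertia code: in ISO 32000-1 the signature dictionary's /ByteRange entry lists the bytes that are digested, which is everything except the /Contents string holding the signature value itself. The sample file is constructed, and the code only computes the digest and the coverage; it does not verify the cryptographic signature over that digest.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build_sample() -> bytes:
    """Constructed stand-in for a signed PDF (layout only, not a valid PDF)."""
    blank = b"/ByteRange [0 0000000000 0000000000 0000000000]"
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig " + blank + b" /Contents "
    contents = b"<" + b"00" * 16 + b">"   # placeholder for the signature value
    tail = b" >>\nendobj\n%%EOF\n"
    filled = b"/ByteRange [0 %010d %010d %010d]" % (
        len(head), len(head) + len(contents), len(tail))
    return head.replace(blank, filled) + contents + tail

def signed_ranges(pdf: bytes):
    """(offset, length) pairs of the last /ByteRange, i.e. the latest signature."""
    found = BYTE_RANGE.findall(pdf)
    if not found:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(n) for n in found[-1])
    return [(a, b), (c, d)]

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over exactly the bytes the signature covers."""
    h = hashlib.sha256()
    for offset, length in signed_ranges(pdf):
        h.update(pdf[offset:offset + length])
    return h.hexdigest()

def coverage_problems(pdf: bytes):
    """Report bytes that fall outside the signed ranges."""
    (a, b), (c, d) = signed_ranges(pdf)
    problems = []
    if a != 0:
        problems.append("signed data does not start at byte 0")
    gap = pdf[a + b:c]
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        problems.append("unsigned gap is not just the /Contents string")
    if c + d != len(pdf):
        problems.append("%d bytes after the signed range" % (len(pdf) - c - d))
    return problems

if __name__ == "__main__":
    pdf = build_sample()
    print(coverage_problems(pdf), signed_digest(pdf))
    print(coverage_problems(pdf + b"\n% added later\n"))
```

Changing a signed byte changes the digest, while bytes appended after the signed range leave the digest untouched, which is why a verifier also has to report content that lies outside the range.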

Now, if you have created an invisible PDF signature then the actual visible content of your PDF (e.g. when you print the PDF to paper) will show no indication that the PDF document was signed. The embedded digital signature of the PDF has no visible characteristics. It is purely an electronic PDF signature stored inside the PDF document.

Invisible PDF signatures are very useful where the document content MUST not change as a result of the signing process. This is definitely needed in some business scenarios where the physical appearance of the document has to follow strict guidelines which must not be changed as part of the signing process.

The only indication that the PDF is signed then appears when it is viewed and verified inside a PDF signature-compliant PDF reader.

The following screenshot shows an invisible PDF signature being viewed inside Ascertia PDF Sign&Seal:

Invisible-PDF-Signature.jpg


Visible PDF signatures

Visible signatures are PDF signatures which actually create a visible “mark” on the PDF page to indicate that the PDF signature has been applied – this digital signature “appearance” is visible when the document is printed to paper.

The process of signing is very similar to before. However, before the PDF signature is created, the visible signature appearance is stamped on the PDF, and then the PDF is signed. The following screenshot shows a visible PDF signature inside PDF Sign&Seal:

PDF-with-a-signature-pane.jpg

 

Of course the PDF signature appearance is fully customisable and can have company logos, hand-signature images and various other text details. Ascertia PDF signing software is at the leading edge of creating custom PDF signature appearance stamps, and also provides great flexibility on how these are positioned on the PDF page.

Signature-Appearance.jpg




All Ascertia datasheets and solution sheets are digitally signed and they are “certified” to protect against any data being added.

Certified PDF signatures

These are special PDF signatures which not only protect the document integrity and prove who signed the PDF document, but also protect against any further changes to the document.

For example, a certified PDF document can be locked to prevent or control additional data being entered or appended. Note these PDF signatures are often referred to as “Certification Signatures”.

Certified PDF signatures are particularly important where you want to present a PDF document or PDF form where the user can enter text only in specific areas.

So you can certify the document and lock its contents from change, apart from allowing form fields to be filled in and digital signatures to be applied in existing blank PDF fields. This ensures that your end-users will not edit the document in unwanted areas before returning it to you.

It’s important to note that a PDF certified signature must be the first signature on a PDF document. For example, a document that is already signed cannot later be “certify” signed.

The following screenshot shows how to configure PDF Sign&Seal for certified signatures and the options available:

Security-Pane-Signing-Dialog.jpg



The following screenshot shows how PDF Sign&Seal displays certified signatures:



Certified-Signature.jpg

It's interesting to note that certified PDF Signatures can be either visible or invisible PDF signatures.

Approval PDF signatures

This is a special name given to PDF signatures within ISO 32000-1, where the PDF signature is applied as part of an approval process after having certified a PDF document.

These approval PDF signatures are applied within existing blank signature fields inside the PDF document. Multiple approval PDF signatures can be applied if multiple blank fields exist.
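The difference between certification and approval signatures is recorded in the signature dictionary itself. The following is an added example, not Ascertia code: in ISO 32000-1 a certification signature carries a signature reference whose /TransformMethod is /DocMDP, and its /P value (1, 2 or 3, default 2) states which later changes are permitted. The fragments in SAMPLE are constructed, and the sketch assumes each signature dictionary sits in one plain object; a real tool should use a full PDF parser.

```python
import re

# Meaning of the DocMDP /P value in ISO 32000-1 (2 is the default when absent).
DOCMDP_PERMISSIONS = {
    1: "no changes permitted",
    2: "form filling and signing permitted",
    3: "form filling, signing and annotations permitted",
}

# Constructed signature objects; the offsets are illustrative only.
SAMPLE = (
    b"1 0 obj << /Type /Sig /ByteRange [0 100 200 50] "
    b"/Reference [ << /TransformMethod /DocMDP "
    b"/TransformParams << /P 2 >> >> ] >> endobj\n"
    b"2 0 obj << /Type /Sig /ByteRange [0 400 500 80] >> endobj\n"
)

def classify_signatures(pdf: bytes):
    """Return (kind, permission) per signature, ordered by signed extent."""
    sigs = []
    for obj in pdf.split(b"endobj"):
        br = re.search(rb"/ByteRange\s*\[\s*\d+\s+\d+\s+(\d+)\s+(\d+)\s*\]", obj)
        if not br:
            continue  # not a signature dictionary
        # An earlier signature covers fewer bytes than a later one.
        extent = int(br.group(1)) + int(br.group(2))
        if re.search(rb"/TransformMethod\s*/DocMDP\b", obj):
            p = re.search(rb"/P\s+(\d)", obj)
            level = int(p.group(1)) if p else 2
            perm = DOCMDP_PERMISSIONS.get(level, "unknown")
            sigs.append((extent, "certification", perm))
        else:
            sigs.append((extent, "approval", None))
    sigs.sort(key=lambda s: s[0])
    return [(kind, perm) for _, kind, perm in sigs]

def ordering_problems(sigs):
    """Indexes of certification signatures that are not the first signature."""
    return [i for i, (kind, _) in enumerate(sigs)
            if kind == "certification" and i > 0]

if __name__ == "__main__":
    result = classify_signatures(SAMPLE)
    print(result, ordering_problems(result))
```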

Advanced, long-term PDF signatures and PAdES

The need for long-term PDF Signatures is described in more detail in this hot topic. Basically such an advanced PDF signature creates a PDF signature and embeds a cryptographic timestamp from a Time Stamp Authority (TSA).

The timestamp proves when the signature took place, and the embedded certificate status proves that the signer’s key and certificate were valid at the time of signing.

The following diagram illustrates the process:

 PDF-signature.jpg

The following screenshot shows a long-term PDF signature being verified in PDF Sign&Seal:

Timestamped-Signature.jpg



Click here to download an example long-term signed document. You'll see the signature appearance at the bottom of page two. All Ascertia's datasheets are signed with long-term advanced PDF digital signatures.

Please note: Long-term PDF signatures can be either invisible or visible PDF signatures.

 

Adobe® CDS signatures

When verifying a PDF signature an important step is validating the signer’s certificate to ensure it was issued by a trusted Certificate Issuer (aka Certificate Authority or CA).

Within the latest versions of Adobe® Reader (v7+), Adobe by default only had its own Root CA as the final trust point. This meant that in order to get your PDF signatures verified successfully and automatically (and hence a green tick), you needed a signing certificate issued by one of the recognised subordinate CAs authorised by the Adobe Root CA (these included GlobalSign, GeoTrust etc).

This ensured that your signing certificate chained to the Adobe Root CA. Such certificates are called Adobe CDS certificates. CDS stands for Certified Document Services. Ascertia PDF Sign&Seal and also ADSS Signing Server both support CDS certificates as standard.

Of course an alternative option to getting your PDF signatures trusted within Adobe Reader is to add the new CA to the list of trusted CAs. We provide a brief note on how to configure this here.

This allows you to trust a preferred certificate authority. However, sometimes even making this simple one-time configuration change in Adobe Reader is too much of a burden for end-users, and hence Adobe CDS certificates are valuable in such cases.

What is the Adobe Approved Trust List (AATL)?

Since Reader v9, Adobe allows other CAs to be added to the Adobe Root Trust Anchor list as final trust points. Essentially, both Acrobat® and Reader have been programmed to reach out to a web page to periodically download a list of trusted 'root CA' digital certificates.

Any digital signature created with a PDF signing certificate that can chain back to one of these CAs will be trusted by Acrobat and Reader 9.0 and above.

If you want to verify that the Trust List is enabled, go to Edit (Windows) / Acrobat (Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server...” check box is checked.

You can click the “Update Now” button in that same dialog box to download the latest version of the Trust List from Adobe.

trust-list.jpg


PDF signatures summary

Signing a PDF is essential for protecting the document’s integrity, proving who has signed and approved the PDF data and when this PDF signature took place. PDF signatures can be invisible or visible.

PDF documents can be locked with certified PDF signatures, although approval signatures can still be applied to such documents if blank signature fields existed before the certified signature was applied.

Advanced PDF Signatures (referred to as PAdES signatures) with embedded trusted timestamps and signer certificate status information are essential for verifying PDF documents in the long-term.

When verifying PDF signatures it is important to determine whether the PDF signing certificate “chains” to a final trust point or trusted CA.

There are three options:

  • Your certificate chains to the Adobe Root CA. In this case, you have a CDS certificate

  • Your certificate chains to a third-party CA and Adobe Reader has been configured to trust this CA

  • Your certificate chains to a CA that is part of the Adobe AATL program and you are using Reader version 9 or newer to verify the signature

Ascertia products support all popular PDF signature types:


PDF.png