What PDF digital signatures are and why they are important
PDF documents are used to share all kinds of information, including that of a confidential nature or with a legal value, like a contract. To ensure a document hasn’t been modified by someone other than its author, and to verify that the author is who we expect and not somebody else, digital signatures are necessary.
Overview
A digital signature in a PDF is the equivalent of an ink signature on a paper document, but it’s much more secure. This piece of information is placed inside a document, and it lets Nutrient and other PDF readers check two important things:
-
That the document hasn’t been modified by an unknown person.
-
That the person who claims to have authored the document is really the person who created it.
How the integrity of a PDF document is checked
Imagine that somebody intercepts a PDF document with some important contractual agreement and tries to modify it to show different terms. Digital signatures in PDF documents use the concept of hashing to prevent such a scenario. A hash is a mathematical function that converts an arbitrary block of data into a fixed-size string. The result of this hash function is always identical, provided that the block of data hasn’t been modified.
When you sign a PDF document, this hash function is applied to almost all of the document’s contents and then stored inside it. However, this doesn’t completely solve the problem of document integrity. What if a malicious person guesses the hash function that was used, modifies the PDF document, and then stores the new hash in it? To solve this second problem, we need a public-key cryptosystem we can use to apply a tamper-proof digital signature of the content.
Public-key cryptosystems
If you want to send a message to another person and you don’t want it to fall into the wrong hands, you could use an algorithm to encrypt it and tell the other person to use the same algorithm to decrypt it. But this requires that both parties are able to securely and secretly communicate the encryption key they’re going to use beforehand.
Alternatively, in a public-key cryptosystem, the sender and the receiver use different keys. For the use case of digital signatures, the sender creates a digital signature of the message using a key that’s meant to be private (the “private key”) and shares the other key (the “public key”) with the receiver.
Then, two things need to occur. First, the receiver must be able to recover the original message from the digital signature using that public key. Second, nobody should have access to the private key except the sender. If these things are true, then both parties can be sure that the message was created by the sender and not somebody else.
To be efficient without compromising security, Nutrient doesn’t digitally sign the entire PDF document; rather, it only signs a hash of it. When the person you send a signed document to receives it, they can apply the public key to the digital signature and compute a hash of the same parts of the document they’ve received.
If both hashes match, then the document hasn’t been modified and was created by you. This whole process is automatically supported by Nutrient, so you don’t need to perform these steps manually.
How to validate a digitally signed document with Nutrient
To validate a signed PDF with Nutrient using a set of trusted certificates, create an instance of a PSPDFSignatureValidator
and initialize it with the PSPDFSignatureFormElement
you want to validate. Then call the verifySignatureWithTrustedCertificates()
method, like this:
let signatureFormElement = unsignedDocument.annotationsForPage(at: 0, type: .widget)?.first { annotation -> Bool in return annotation is PSPDFSignatureFormElement } let validator = PSPDFSignatureValidator(formElement: signatureFormElement) let certificates = PSPDFX509.certificates(fromPKCS7Data: certificateData) let signatureStatus = validator.verifySignaturewithTrustedCertificates(certificates)
The variable signatureStatus
will contain information about the digital signature, such as whether or not it’s valid, or its creation date.
How to sign a document with Nutrient
To sign a PDF document, first you need to create an instance of a PKCS#12 keystore (PSPDFPKCS12
) that contains your private key and certificate. After that, initialize an instance of a PSPDFPKCS12Signer
with that keystore. Optionally, you can set a reason for the signature:
let keystore = PSPDFPKCS12(data: p12data) let signer = PSPDFPKCS12Signer(displayName: "Your name", pkcs12: keystore) signer.reason = "Contract agreement"
Register this signer with the global PSPDFSignatureManager
and sign the document:
let signatureManager = PSPDFKit.sharedInstance.signatureManager signatureManager.register(signer) var signedDocument: PSPDFDocument? signer.sign(signatureFormElement, usingPassword: password, writeTo: path, appearance: appearance, biometricProperties: biometricProperties) { ... signedDocument = document })
You can embed the signedDocument
inside a PSPDFViewController
to display it however you like.
For more information about the digital signing process and the customization we support (including biometric signatures), take a look at our Digital Signatures guides. If you want to see how you can sign a document on Android, check out our blog post on how to programmatically sign a PDF on Android.
FAQ
Here are a few frequently asked questions about PDF digital signatures.
What is a PDF digital signature?
A PDF digital signature is the equivalent of a handwritten signature but much more secure, verifying both document integrity and authenticity.
How does a digital signature protect a PDF document?
It ensures that the document hasn’t been tampered with and confirms the identity of the document’s signer.
What is the difference between a digital and electronic signature?
A digital signature uses encryption to secure a document, while an electronic signature is often a simple image of a handwritten signature.
How can I validate a digital signature in a PDF?
You can use tools like Nutrient to verify a digital signature using trusted certificates.
Can I digitally sign a PDF on mobile devices?
Yes, with solutions like Nutrient, you can digitally sign PDFs on both iOS and Android.