Blog Post

What PDF digital signatures are and why they are important

Illustration: What PDF digital signatures are and why they are important

PDF documents are used to share all kinds of information, including that of a confidential nature or with a legal value, like a contract. To ensure a document hasn’t been modified by someone other than its author, and to verify that the author is who we expect and not somebody else, digital signatures are necessary.

Overview

A digital signature in a PDF is the equivalent of an ink signature on a paper document, but it’s much more secure. This piece of information is placed inside a document, and it lets Nutrient and other PDF readers check two important things:

  • That the document hasn’t been modified by an unknown person.

  • That the person who claims to have authored the document is really the person who created it.

How the integrity of a PDF document is checked

Imagine that somebody intercepts a PDF document with some important contractual agreement and tries to modify it to show different terms. Digital signatures in PDF documents use the concept of hashing to prevent such a scenario. A hash is a mathematical function that converts an arbitrary block of data into a fixed-size string. The result of this hash function is always identical, provided that the block of data hasn’t been modified.

Creating a document hash.

When you sign a PDF document, this hash function is applied to almost all of the document’s contents and then stored inside it. However, this doesn’t completely solve the problem of document integrity. What if a malicious person guesses the hash function that was used, modifies the PDF document, and then stores the new hash in it? To solve this second problem, we need a public-key cryptosystem we can use to apply a tamper-proof digital signature of the content.

Public-key cryptosystems

If you want to send a message to another person and you don’t want it to fall into the wrong hands, you could use an algorithm to encrypt it and tell the other person to use the same algorithm to decrypt it. But this requires that both parties are able to securely and secretly communicate the encryption key they’re going to use beforehand.

Alternatively, in a public-key cryptosystem, the sender and the receiver use different keys. For the use case of digital signatures, the sender creates a digital signature of the message using a key that’s meant to be private (the “private key”) and shares the other key (the “public key”) with the receiver.

Then, two things need to occur. First, the receiver must be able to recover the original message from the digital signature using that public key. Second, nobody should have access to the private key except the sender. If these things are true, then both parties can be sure that the message was created by the sender and not somebody else.

Signing the document, applying the private key to the document’s hash.

To be efficient without compromising security, Nutrient doesn’t digitally sign the entire PDF document; rather, it only signs a hash of it. When the person you send a signed document to receives it, they can apply the public key to the digital signature and compute a hash of the same parts of the document they’ve received.

Validating a signature by comparing the document’s hash to the result of applying the public key to the hash.

If both hashes match, then the document hasn’t been modified and was created by you. This whole process is automatically supported by Nutrient, so you don’t need to perform these steps manually.

How to validate a digitally signed document with Nutrient

To validate a signed PDF with Nutrient using a set of trusted certificates, create an instance of a PSPDFSignatureValidator and initialize it with the PSPDFSignatureFormElement you want to validate. Then call the verifySignatureWithTrustedCertificates() method, like this:

let signatureFormElement = unsignedDocument.annotationsForPage(at: 0, type: .widget)?.first { annotation -> Bool in
    return annotation is PSPDFSignatureFormElement
}
let validator = PSPDFSignatureValidator(formElement: signatureFormElement)
let certificates = PSPDFX509.certificates(fromPKCS7Data: certificateData)
let signatureStatus = validator.verifySignaturewithTrustedCertificates(certificates)

The variable signatureStatus will contain information about the digital signature, such as whether or not it’s valid, or its creation date.

How to sign a document with Nutrient

To sign a PDF document, first you need to create an instance of a PKCS#12 keystore (PSPDFPKCS12) that contains your private key and certificate. After that, initialize an instance of a PSPDFPKCS12Signer with that keystore. Optionally, you can set a reason for the signature:

let keystore = PSPDFPKCS12(data: p12data)
let signer = PSPDFPKCS12Signer(displayName: "Your name", pkcs12: keystore)
signer.reason = "Contract agreement"

Register this signer with the global PSPDFSignatureManager and sign the document:

let signatureManager = PSPDFKit.sharedInstance.signatureManager
signatureManager.register(signer)

var signedDocument: PSPDFDocument?
signer.sign(signatureFormElement, usingPassword: password,
    writeTo: path, appearance: appearance, biometricProperties: biometricProperties) { ...
        signedDocument = document
    })

You can embed the signedDocument inside a PSPDFViewController to display it however you like.

For more information about the digital signing process and the customization we support (including biometric signatures), take a look at our Digital Signatures guides. If you want to see how you can sign a document on Android, check out our blog post on how to programmatically sign a PDF on Android.

FAQ

Here are a few frequently asked questions about PDF digital signatures.

What is a PDF digital signature?

A PDF digital signature is the equivalent of a handwritten signature but much more secure, verifying both document integrity and authenticity.

How does a digital signature protect a PDF document?

It ensures that the document hasn’t been tampered with and confirms the identity of the document’s signer.

What is the difference between a digital and electronic signature?

A digital signature uses encryption to secure a document, while an electronic signature is often a simple image of a handwritten signature.

How can I validate a digital signature in a PDF?

You can use tools like Nutrient to verify a digital signature using trusted certificates.

Can I digitally sign a PDF on mobile devices?

Yes, with solutions like Nutrient, you can digitally sign PDFs on both iOS and Android.

Author
Daniel Martín Core Engineer

Daniel is part of the Core Team at Nutrient and has worked on multiple topics, ranging from cryptography and text systems, to file format support and JavaScript engines. Outside of work, he likes spending time with his family, football, reading books, and watching films.

Explore related topics

Related products
Share post
Free trial Ready to get started?
Free trial