How to Verify PDF Digital Signatures and What Breaks Them

Digital signatures in PDFs provide a way to verify document authenticity and detect tampering. Understanding how they work is essential for anyone handling important documents.

What Is a PDF Digital Signature?

A digital signature is a cryptographic seal that:

• Verifies identity - Confirms who signed the document
• Ensures integrity - Detects any changes since signing
• Provides non-repudiation - Signer cannot deny signing

Unlike a scanned handwritten signature (which is just an image), a digital signature is mathematically tied to both the signer's identity and the document content.

How Digital Signatures Work

The Signing Process

1. Hash creation - A unique "fingerprint" is calculated from the document
2. Encryption - The hash is encrypted with the signer's private key
3. Embedding - The encrypted hash and certificate are added to the PDF
4. Timestamping (optional) - A trusted timestamp proves when signing occurred

The Verification Process

1. Certificate check - Is the signer's certificate valid and trusted?
2. Hash comparison - Does the document match the original hash?
3. Timestamp verification (if present) - When was it signed?
4. Result - Valid, Invalid, or Unknown

Checking Signature Status

In Adobe Acrobat/Reader

1. Open the PDF
2. Look for the signature panel (blue ribbon icon)
3. Click on the signature
4. Review the status: Valid, Invalid, or Unknown

Status Meanings

Valid (Green checkmark):

• Signer's identity confirmed
• Document unchanged since signing
• Certificate is trusted

Invalid (Red X):

• Document was modified after signing
• Certificate is revoked or expired
• Signature data is corrupted

Unknown (Yellow question mark):

• Certificate is not in trusted list
• Cannot verify signer's identity
• Signature may still be mathematically valid

What Breaks a PDF Signature

Any Content Modification

Changes that invalidate signatures:

• Editing text or images
• Adding or removing pages
• Modifying form fields (in most cases)
• Adding annotations (depends on signature settings)

Metadata Changes

Some metadata modifications can break signatures:

• Changing document properties
• Modifying XMP metadata
• Altering document info dictionary

Structural Changes

Technical modifications that invalidate:

• Re-saving with different PDF producers
• Optimizing or compressing the file
• Converting to different PDF versions

What Usually Doesn't Break Signatures

• Viewing the document
• Printing (doesn't modify the file)
• Adding signatures in allowed signature fields
• Some permitted annotations (if configured)

Types of PDF Signatures

Approval Signatures

• Indicates approval or agreement
• Multiple people can sign
• Later signatures don't invalidate earlier ones (if properly configured)

Certification Signatures

• Applied first, before other signatures
• Sets what changes are allowed
• More restrictive than approval signatures

Timestamp Signatures

• Proves document existed at a specific time
• Added by trusted timestamp authority
• Useful for legal compliance

Common Issues and Solutions

"Certificate Not Trusted"

Cause: Your PDF reader doesn't recognize the certificate authority.

Solutions:

• Add the certificate to your trusted list
• Download root certificates from the CA
• Verify through alternate means (contact signer)

"Document Modified"

Cause: Something changed after signing.

Solutions:

• Request a new signed copy
• Compare with original (if available)
• Investigate what changed

"Signature Expired"

Cause: Certificate validity period has passed.

Note: This doesn't mean the document wasn't validly signed originally. The signature was valid when applied.

"Timestamp Failed"

Cause: Cannot verify the timestamp server.

Solutions:

• Check internet connection
• Timestamp server may be unavailable
• The timestamp may still be valid

Verifying Signer Identity

Certificate Details

Check the certificate for:

• Subject name - Who the certificate was issued to
• Issuer - What CA issued the certificate
• Validity period - When the certificate is/was valid
• Usage - What the certificate can be used for

Trust Chain

Verify the certificate chain:

• Root CA should be trusted
• Intermediate certificates should be valid
• No revoked certificates in chain

Digital Signatures vs. Electronic Signatures

Best Practices

When Receiving Signed Documents

1. Check signature status - Don't just assume it's valid
2. Verify signer identity - Is this who should have signed?
3. Review certificate details - Is the certificate appropriate?
4. Check timestamp - When was it signed?
5. Save the original - Don't modify signed documents

When Signing Documents

1. Use trusted certificates - From recognized CAs
2. Include timestamps - Proves signing time
3. Set appropriate permissions - What changes should be allowed?
4. Verify before sending - Check the signature is valid

For Organizations

1. Establish signing policies - Who can sign what
2. Manage certificates properly - Secure storage, timely renewal
3. Train staff - How to verify and create signatures
4. Archive signed documents - Maintain original signed copies

Signature Verification Checklist

• Signature shows "Valid" status
• Signer identity matches expectations
• Certificate is from trusted CA
• Certificate is not expired or revoked
• Timestamp is present (for important documents)
• No warnings about modifications

Conclusion

PDF digital signatures provide valuable authenticity assurance, but only if properly verified:

1. Check status - Valid, Invalid, or Unknown
2. Verify identity - Is the signer who they should be?
3. Understand limitations - What breaks signatures
4. Preserve integrity - Don't modify signed documents

Digital signatures are powerful but require proper understanding to use effectively.

Note: CleanPDF's sanitization tools modify PDFs, which will invalidate digital signatures. This is by design—sanitization and signed documents serve different purposes. Always sanitize BEFORE signing, or create separate versions for sharing.