djoka/bentopdf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
Files
1b3df67c47b8d6e9fda01a3b9b0bd21617ffec40
bentopdf/docs/tools/validate-signature-pdf.md

75 lines
3.6 KiB
Markdown
Raw Normal View History

Add documentation for all PDF tools
2026-03-20 21:48:48 +05:30
---
title: Validate Signature
description: Verify digital signatures in PDF files. Check certificate validity, signer identity, document integrity, and trust chain status.
---
# Validate Signature
Upload a signed PDF and this tool extracts every digital signature, identifies the signer, checks certificate validity, and reports whether the document has been modified since signing. You can also provide a trusted certificate to verify the signature chain.
## How It Works
1. Upload a signed PDF file. Validation starts automatically.
2. The tool displays a summary: number of signatures found, how many are valid.
3. Each signature gets a detailed card showing signer name, issuer, dates, and status.
4. Optionally upload a **trusted certificate** (.pem, .crt, .cer, .der) to verify the signature against a specific trust anchor. Re-validation runs automatically.
## What Gets Checked
### Signature Parsing
The tool extracts PKCS#7 signature objects from the PDF, decodes the ASN.1 structure, and pulls out the signer's X.509 certificate along with any certificate chain embedded in the signature.
### Certificate Validity
- **Expiration**: Is the certificate currently within its valid date range?
- **Self-signed detection**: Is the certificate its own issuer?
- **Trust chain**: When a trusted certificate is provided, does the signer's certificate chain back to it?
### Document Coverage
- **Full coverage**: The signature covers the entire PDF file, meaning no bytes were added or changed after signing.
- **Partial coverage**: The signature covers only part of the file. This can indicate modifications were made after signing (not necessarily malicious -- incremental saves produce partial coverage).
## Signature Details
Each signature card shows:
- **Signed By**: Common name, organization, and email from the signer's certificate
- **Issuer**: The Certificate Authority that issued the signer's certificate
- **Signed On**: The timestamp embedded in the signature
- **Valid From / Valid Until**: The certificate's validity period
- **Reason**: Why the document was signed (if provided)
- **Location**: Where it was signed (if provided)
- **Coverage Status**: Full or Partial
- **Trust Badge**: Trusted or Not in trust chain (only when a custom certificate is provided)
### Technical Details
Expand the technical details section for:
- Serial number of the signer's certificate
- Digest algorithm (SHA-256, SHA-512, etc.)
- Signature algorithm (RSA with SHA-256, ECDSA with SHA-256, etc.)
- Error messages for invalid signatures
## Use Cases
- Verifying a digitally signed contract before countersigning
- Auditing signed documents to confirm they have not been tampered with
- Checking whether a certificate has expired since the document was signed
- Validating signatures against your organization's root certificate
- Inspecting the signing details of government or legal documents
## Tips
- A self-signed certificate does not mean the signature is invalid -- it means the signer's identity cannot be verified through a trusted third party. This is common for internal documents.
- Partial coverage does not always indicate tampering. Many PDF workflows add incremental updates (like a second signature) that create partial coverage.
- Upload your organization's root or intermediate certificate as the trusted certificate to get trust chain verification.
## Related Tools
- [Digital Signature](./digital-sign-pdf) -- sign PDFs with your own certificate
- [Flatten PDF](./flatten-pdf) -- flatten a PDF before signing to prevent post-signature modifications
- [Remove Metadata](./remove-metadata) -- clean a PDF before applying a signature
Reference in New Issue Copy Permalink