PDF Explained | April 2, 2026 | 6 min read

What Is a PDF Digital Signature? How They Work and Why They Matter

A PDF digital signature cryptographically proves who signed a document and whether it changed after signing. Learn how they work, the types of signatures, and trust models.

A PDF digital signature is a cryptographic mechanism that serves two purposes: authentication (proving who created or approved the document) and integrity (proving the document hasn't been modified since signing). Unlike a scanned handwritten signature image — which can be copied and pasted into any document — a digital signature is mathematically tied to the document's content and the signer's private key.

How a Digital Signature Works

When you digitally sign a PDF, the following cryptographic operations happen:

  • A cryptographic hash (SHA-256 or SHA-512) of the document content is computed
  • This hash is encrypted using the signer's private key (the key that corresponds to the public key in the signer's X.509 certificate)
  • The encrypted hash and the signer's public certificate are embedded in the PDF's signature field

To verify the signature later, the verifier decrypts the hash using the public key from the embedded certificate, computes a fresh hash of the current document content, and compares the two hashes. If they match, the document hasn't changed since signing. If they differ, the document was modified and the signature is invalid.
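An added example (not from the original article) that goes one step beyond the text: in a PDF, the hashed "document content" is the byte spans listed in the signature dictionary's /ByteRange entry, which skip the /Contents value where the signature itself is stored. The sketch recomputes that digest and checks that the ranges cover the whole file. The sample bytes and all function names are constructed for illustration, and checking the signature value and certificate chain is out of scope.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes):
    """Return the two (offset, length) pairs of the first /ByteRange array."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry found")
    a, b, c, d = map(int, m.groups())
    return (a, b), (c, d)

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over exactly the bytes the signature covers."""
    h = hashlib.sha256()
    for offset, length in signed_ranges(pdf):
        h.update(pdf[offset:offset + length])
    return h.hexdigest()

def coverage_problems(pdf: bytes) -> list:
    """Describe any part of the file that the signed ranges leave out."""
    (o1, l1), (o2, l2) = signed_ranges(pdf)
    problems = []
    if o1 != 0:
        problems.append("signed range does not start at byte 0")
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", pdf[o1 + l1:o2]):
        problems.append("gap between ranges is not a single hex string")
    if o2 + l2 != len(pdf):
        problems.append(f"signed range ends at {o2 + l2}, file is {len(pdf)} bytes")
    return problems

def build_sample() -> bytes:
    """Constructed stand-in for a signed PDF (not a parseable PDF file)."""
    pre = b"%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange ["
    post = b"] /Contents "
    hole = b"<" + b"00" * 16 + b">"  # placeholder for the signature blob
    tail = b" >> endobj\n2 0 obj (Total due: 100 USD) endobj\n%%EOF\n"
    start = len(pre) + 43 + len(post)  # 43 = four 10-digit numbers + 3 spaces
    nums = b"%010d %010d %010d %010d" % (0, start, start + len(hole), len(tail))
    return pre + nums + post + hole + tail

if __name__ == "__main__":
    original = build_sample()
    edited = original.replace(b"100 USD", b"900 USD")  # change inside signed bytes
    appended = original + b"3 0 obj (added later) endobj\n%%EOF\n"
    for name, doc in [("original", original), ("edited", edited), ("appended", appended)]:
        same = signed_digest(doc) == signed_digest(original)
        print(name, "digest matches:", same, "| coverage:", coverage_problems(doc) or "full")
```

A byte changed inside the signed ranges changes the digest, while bytes appended after them leave it unchanged, which is why coverage is checked separately from the hash comparison.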

Certificate Chains and Trust

A digital signature is only as trustworthy as the certificate. Certificates are issued by Certificate Authorities (CAs) — organizations that have verified the signer's identity before issuing a certificate. Adobe Reader trusts certificates from a curated list of CAs called the Adobe Approved Trust List (AATL). When you open a signed PDF and see a green checkmark, it means: the signature is valid (document unchanged) AND the certificate is trusted (issued by an AATL member CA). A blue information mark means valid but from an unknown or untrusted issuer.

Types of PDF Signatures

  • Approval signatures: an individual approves or signs the document at a specific stage; multiple people can add approval signatures
  • Certification signatures: the first signature on a document, certifying its origin and optionally specifying what changes are allowed without invalidating certification (e.g., filling forms is allowed, but not editing content)
  • Document timestamp: a time-based signature from a Timestamp Authority proving the document existed at a specific time, without identifying a person

Digital Signatures vs. Electronic Signatures

These terms are often confused. A digital signature is a specific cryptographic implementation using certificates and keys — the mechanism described in this article. "Electronic signature" is the broader legal term covering any electronic indicator of intent to sign — including typed names, scanned handwritten signatures, or checkbox clicks, as well as cryptographic digital signatures. All digital signatures are electronic signatures; most electronic signatures are not digital signatures. For legally binding agreements, which type is required depends on jurisdiction and contract terms.

Long-Term Validation (LTV)

For a digital signature to be validatable years after signing — when the signing certificate may have expired — PDF supports Long-Term Validation (LTV). LTV embeds the certificate revocation information (CRL or OCSP responses) and timestamp authority responses into the PDF at signing time, so the signature can be validated even if the CA's servers are later unavailable. PDF/A-2 and PDF/A-3 require LTV for digital signatures to be considered archivally valid.
