Digital Signatures

The goal of a digital signature is to let the recipient of a document verify who signed it and that nothing has changed since it was signed. To accomplish this, digitally signing a document means computing a signature over the document with the signer's private key and embedding that signature, together with the signer's digital certificate, in the document. The certificate is what allows a recipient to check the integrity and authenticity of the document once it is signed.

Integrity
Proves the document has not been altered. Nothing has been added, changed, or removed since the document was signed.

Authenticity
Proves the document originated from a specific individual or organization.

Digital Certificates

When you open a document that was digitally signed, PDFpen will validate the digital certificate it was signed with and inform you whether the certificate is from a trusted source.

In order for you to digitally sign a document, you need to obtain a digital certificate from a certificate provider, such as those on the Adobe Approved Trust List (AATL). This may involve purchasing a certificate and may involve installing software from the provider.

What is a Digital Certificate?

A digital certificate is a piece of data, typically stored in files or on an external device, such as a secure USB dongle, which contains:

  • Identity information for a person or company, for example, a name, country, and location
  • The public key that matches the signer's private key; recipients use it to verify signatures, never to create them
  • A digital signature over the two items above, typically made by a trusted third party (the issuing certificate authority), which is what links the certificate to a chain of trust

Your digital certificate is paired with a private key, generated when the certificate is requested. Unlike the public key, which is part of the certificate, the private key is typically stored in your system keychain alongside other secure items such as passwords, or on a hardware token such as a secure USB dongle. Documents are signed with this private key, and the resulting signature is verified with the public key. Your digital certificate, containing your public key together with your identity information and the issuer's signature, is embedded in every document you sign. It is safe to give your certificate, and therefore your public key, to others. You must keep your private key secret: anyone who obtains it can sign documents as you.

Security

Digital certificates have a "chain of trust", which begins with a root certificate, may include one or more intermediate certificates, and ends with the certificate of a person or company. Each certificate in the chain is signed by the one above it. By default, Adobe's applications only trust signatures whose chain ends in a root certificate from the Adobe Approved Trust List (AATL).

A certificate that validates as trusted today does not have to stay that way. For example, if you lose your laptop or your secure USB dongle, someone else may gain access to your private key, which means signatures made with that certificate can no longer be trusted. In such a case you can ask the issuer to revoke the digital certificate.

Issuers of digital certificates run services that let a verifier check whether a certificate has been revoked or is still valid. One is the Online Certificate Status Protocol (OCSP), which answers a query about a single certificate; the other is Certificate Revocation Lists (CRLs), signed lists of revoked certificate serial numbers published by the issuer. PDFpen can check both, as needed.

Validation

When you open a PDF with a digital signature using PDFpen, the following steps occur to validate the signature:

  • The signed content of the document is checked against the signature to ensure it has not changed
  • The issuer's signature on the signer's certificate is checked to ensure the certificate itself is genuine
  • The chain of trust from the certificate up to a root certificate is validated
  • The validity period of the certificate is checked against the current date
  • The certificate is checked against OCSP or a CRL to ensure it has not been revoked

States of Validation

When you view a signed document in PDFpen the document will display one of three states:

Pass
You see a green badge in the upper right corner of the document. The document passed all of the above tests.

Conditional Pass
You see a yellow badge in the upper right corner of the document. The document passed all of the above tests, but the root certificate is not trusted.

Fail
You see a red badge in the upper right corner of the document. The document failed one or more of the above tests.

Hover your cursor over the validation icon badge for information about the validation. Click on it to see the certificate details.

Signing a PDF with a Digital Signature

  1. Add a signature field to the document. You can either select the Signature Field tool by clicking the down arrow next to the Form button in the Toolbar or choose Tools > Signature Field from the menu bar.
  2. Double-click on the signature field and draw your signature.
  3. Click Apply Digital Signature and choose your digital certificate from the Select Signing Identity drop-down menu.
  • You may see several options in the drop-down list; look for the one issued by your certificate provider.
  • You may be prompted to allow PDFpen to access your keychain. You must allow this to apply the digital signature.

Please note that, by default, Adobe applications only trust digital certificates that chain to Adobe Approved Trust List (AATL) issuers.

Testing as of February 2016 suggests that only DigiCert and GlobalSign offer digital certificates compatible with macOS. Each requires driver software from the certificate issuer.

Self-Signed Certificates

It's possible to create your own digital certificate rather than obtaining one from an issuer. This is called a self-signed certificate. A self-signed certificate has no chain of trust (no issuer vouches for the name it carries, so anyone can create one with any name) and cannot be revoked through OCSP or a CRL. It is therefore not suitable for establishing the authenticity of a document. It only lets a recipient verify integrity, and even that only proves the document was signed with the key matching the certificate the recipient has; whether that certificate really belongs to you must be established some other way.

Create a Self-Signed Certificate

  1. Add a signature field to the document. You can either select the Signature Field tool by clicking the down arrow next to the Form button in the Toolbar or choose Tools > Signature Field from the menu bar.
  2. Double-click on the signature field and draw your signature.
  3. Click Apply Digital Signature. In the menu that appears, click Create A New Identity.
  4. Enter your Name and Email address and click Create.
  5. Select your new certificate from the list.
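To make the checks described above concrete, here is an added example (not from the PDFpen guide and not PDFpen's own code) that builds a small public key infrastructure with Go's standard crypto/x509 package, runs the five validation steps listed under Validation, and maps the result onto the three badge states. It covers a full chain (root, intermediate, signer), a tampered document, an untrusted root, an expired signer certificate, a certificate revoked through a CRL, and a self-signed signer as discussed in the section above. Everything in it is constructed for the example: the names (Example Root CA, Example Issuing CA, Alice Example, Bob Self-Signed), the seeded Ed25519 keys, the sample document text and the scenario labels. Ed25519 is used to keep the code short; PDF signatures in practice use RSA or ECDSA with SHA-256 over the signed byte ranges of the file, but the validation logic is the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue certifies key's public key under parent (self-signed when nil); ku gives a CA CertSign and CRLSign.
func issue(serial int64, cn string, ku x509.KeyUsage, key, parentKey ed25519.PrivateKey, parent *x509.Certificate, validFor time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor), KeyUsage: ku,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))))
}

// Validate runs the guide's five checks on sig (a signature over doc by signer, whose chain travels with it) and returns the badge state plus a reason.
func Validate(doc, sig []byte, signer *x509.Certificate, chain []*x509.Certificate,
	trusted *x509.CertPool, crl *x509.RevocationList, now time.Time) (string, string) {
	// 1. Integrity: the signature must verify over the content under the signer's public key.
	if signer.CheckSignature(x509.PureEd25519, doc, sig) != nil {
		return "fail", "content altered or signature invalid"
	}
	// 2-4. Verify checks certificate signatures, chain to a root and validity; own (the shipped self-signed cert) is the fallback anchor.
	inters, own := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range append([]*x509.Certificate{signer}, chain...) {
		inters.AddCert(c)
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			own.AddCert(c)
		}
	}
	state, opts := "pass", x509.VerifyOptions{Roots: trusted, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	chains, err := signer.Verify(opts)
	if _, untrusted := err.(x509.UnknownAuthorityError); untrusted {
		// Repeat checks 2-4 anchored at the embedded root, so a bad signature or an expiry still fails.
		opts.Roots, state = own, "conditional pass"
		chains, err = signer.Verify(opts)
	}
	if err != nil {
		return "fail", err.Error()
	}
	// 5. Revocation: a CRL signed by the signer's issuer must not list the signer's serial number.
	if c := chains[0]; crl != nil && len(c) > 1 {
		if crl.CheckSignatureFrom(c[1]) != nil {
			return "fail", "CRL not signed by the certificate's issuer"
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
				return "fail", "certificate revoked"
			}
		}
	}
	return state, "signature valid"
}

// Demo builds a constructed root -> issuing CA -> signer chain, signs a constructed document and validates it in each situation the guide's badges cover.
func Demo() map[string]string {
	now, year := time.Now(), 365*24*time.Hour
	seedKey := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32)) } // constructed, not secret
	rootKey, caKey, aliceKey, bobKey := seedKey(1), seedKey(2), seedKey(3), seedKey(4)
	root := issue(1, "Example Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, rootKey, rootKey, nil, 10*year)
	ca := issue(2, "Example Issuing CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, caKey, rootKey, root, 5*year)
	alice := issue(3, "Alice Example", x509.KeyUsageDigitalSignature, aliceKey, caKey, ca, year)
	bob := issue(4, "Bob Self-Signed", x509.KeyUsageDigitalSignature, bobKey, bobKey, nil, year)
	chain := []*x509.Certificate{ca, root} // embedded next to the signature, as in a PDF
	trusted := x509.NewCertPool()          // the verifier's trust list; for Adobe Reader, the AATL roots
	trusted.AddCert(root)
	doc := []byte("Constructed sample document: pay USD 1000 to Alice.")
	sig := ed25519.Sign(aliceKey, doc)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), // the issuing CA revokes Alice
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: alice.SerialNumber, RevocationTime: now}},
	}, ca, caKey))))
	out := map[string]string{}
	out["trusted root"], _ = Validate(doc, sig, alice, chain, trusted, nil, now)
	out["tampered content"], _ = Validate(bytes.Replace(doc, []byte("1000"), []byte("9000"), 1), sig, alice, chain, trusted, nil, now)
	out["untrusted root"], _ = Validate(doc, sig, alice, chain, x509.NewCertPool(), nil, now)
	out["expired certificate"], _ = Validate(doc, sig, alice, chain, trusted, nil, now.Add(2*year))
	out["revoked certificate"], _ = Validate(doc, sig, alice, chain, trusted, crl, now)
	out["self-signed signer"], _ = Validate(doc, ed25519.Sign(bobKey, doc), bob, nil, trusted, nil, now)
	return out
}
func main() { fmt.Println(Demo()) }
```

Running it prints pass for the trusted chain, conditional pass for the untrusted root and for the self-signed signer, and fail for the tampered, expired and revoked cases. Two details are worth noticing. The conditional-pass branch re-runs the chain, signature and expiry checks anchored at the certificate the document itself shipped, so a badly signed or expired certificate never passes conditionally; a yellow badge means everything checked out except that nobody on the trust list vouches for the identity. And the CRL is only honoured when it carries the issuer's signature, since an unsigned or third-party list could otherwise hide a revocation. What the example leaves out, and a production verifier needs, is an OCSP query and a check that the CRL's NextUpdate has not passed.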