PDF Validate Signature
Validate digital signatures in PDF files online for free. Check signer identity, certificate chain, and document integrity. All processing in your browser.
How to Use
Inspect digital signatures in any PDF document in three steps:
- Upload your PDF — Drag and drop the file or click the dropzone to browse. The tool reads the file locally and scans the AcroForm dictionary for signature fields of type
/Sig. - Review the summary — A summary card shows the file name, size, page count, and total number of digital signatures detected. If no signatures are found, a clear message explains why.
- Inspect each signature — Click any signature card to expand its details. Each card shows the signer name, signing date, reason, location, contact info, signature type (SubFilter), byte range, and a coverage indicator showing whether the signature protects the entire document.
The coverage indicator is especially useful for understanding document integrity. A green "Full coverage" badge means the ByteRange spans the entire file, while a yellow "Partial coverage" badge warns that content outside the signed region may have been added or modified after the signature was applied.
About This Tool
Digital signatures in PDF documents serve a fundamentally different purpose from visual (drawn or image-based) signatures. A digital signature is a cryptographic construct defined in ISO 32000-2:2020 (Section 12.8) that binds a signer's identity to specific bytes of the document, enabling recipients to verify both the signer's identity and document integrity. The PDF specification supports digital signatures through a combination of AcroForm signature fields, signature dictionaries, and embedded PKCS#7 (RFC 5652) or CMS data structures.
The signature architecture in a PDF works at the byte level through a mechanism called ByteRange. When a PDF is signed, the signing application calculates a hash (typically SHA-256) over two byte ranges of the file: the bytes before the signature value and the bytes after the signature value. The signature value itself occupies a reserved space between these two ranges. A standard ByteRange array contains four numbers: [offset1, length1, offset2, length2]. In a properly signed document, offset1 is 0 (the hash starts at the first byte of the file) and offset2 + length2 equals the total file size. This arrangement means the signature covers every byte of the document except the signature value itself, making any post-signing modification detectable.
The signature dictionary within a PDF contains several standardized fields that carry important metadata. The /Name field stores the signer's name as a text string. The /M field records the signing timestamp in PDF date format (D:YYYYMMDDHHmmSSOHH'mm'). The /Reason field describes why the document was signed — for example, "I approve this document" or "I am the author." The /Location field records the geographic or organizational location of the signer. The /ContactInfo field provides a way to reach the signer. The /Filter field names the signature handler (most commonly Adobe.PPKLite), while the /SubFilter field identifies the encoding of the signature value, such as adbe.pkcs7.detached or ETSI.CAdES.detached for PAdES-compliant signatures.
PKCS#7 (Public Key Cryptography Standards #7), formally specified in RFC 5652 as Cryptographic Message Syntax (CMS), is the most widely used container format for PDF digital signatures. When the SubFilter is adbe.pkcs7.detached, the signature value stored in the /Contents field is a DER-encoded PKCS#7 SignedData structure. This structure contains the signer's X.509 certificate, the signing algorithm identifier (e.g., SHA-256 with RSA), the encrypted message digest, and optionally the full certificate chain from the signer's leaf certificate up to a trusted root certificate authority. The "detached" designation means the signed content (the PDF bytes) is not embedded inside the PKCS#7 structure — it remains in the PDF file itself, referenced by the ByteRange.
This tool extracts and displays all of the metadata fields described above by parsing the PDF's AcroForm dictionary, locating signature fields (identified by field type /Sig), and reading the signature value dictionary (/V) associated with each field. The processing uses pdf-lib, a JavaScript library that provides low-level access to PDF object structures without re-encoding or re-rendering the document. Signature field traversal handles nested field hierarchies, where child fields inherit the /FT (field type) from their parent in the AcroForm tree. The tool does not perform cryptographic verification of the signature — that requires a trusted certificate store and is the domain of dedicated PKI validation services or desktop applications like Adobe Acrobat.
Understanding the distinction between ByteRange coverage levels is critical for document forensics. A signature with full coverage (ByteRange spanning the entire file) means the signer attested to every byte in the document at the time of signing. If the file is later modified — even by appending a single byte — the cryptographic hash will not match, and the signature will be flagged as invalid by verification software. Partial coverage, where the ByteRange does not extend to the end of the file, can occur in documents that use incremental updates. In this case, content appended after the signed region is not protected by the signature. This does not necessarily indicate tampering — PDF supports multiple sequential signatures via incremental updates — but it warrants careful inspection to understand which version of the document each signature covers.
Why Use This Tool
Inspecting PDF digital signatures addresses practical needs across legal, compliance, and security workflows:
- Contract and agreement review — Before accepting a signed contract, verify that the expected signers are listed, the signing dates align with the agreement timeline, and the signature covers the entire document rather than just a subset of pages.
- Regulatory compliance audits — Industries subject to FDA 21 CFR Part 11, eIDAS, or HIPAA regulations require evidence that electronic records bear valid digital signatures. Inspecting signature metadata provides the audit trail data needed for compliance documentation.
- Legal discovery and forensics — In litigation, the signing date, signer identity, and byte range coverage of PDF signatures are evidentiary. Inspecting these fields helps establish document provenance and detect whether post-signing modifications occurred.
- Document workflow validation — Multi-signer workflows (e.g., approval chains in procurement or HR) require each signer to sign sequentially. This tool lets you verify the order, dates, and reasons recorded by each signer in the chain.
- Signature type identification — Knowing whether a PDF uses
adbe.pkcs7.detached,adbe.x509.rsa_sha1, orETSI.CAdES.detacheddetermines compatibility with verification systems and indicates whether the signature meets PAdES (PDF Advanced Electronic Signatures) standards required by EU regulations. - Privacy-sensitive document handling — Government agencies, law firms, and healthcare organizations cannot upload signed PDFs to cloud-based verification services due to confidentiality requirements. This tool processes everything locally in the browser, ensuring no document data leaves the user's device.
Cloud-based PDF signature tools require uploading your documents to external servers, which is unacceptable for classified materials, patient records, or documents under attorney-client privilege. This tool runs entirely in your browser — the PDF never leaves your device, making it suitable for the most sensitive document types.