Add digital signature

This tool provides the means to digitally sign PDF documents, either by adding a new digital signature or by signing existing, not yet signed, signature fields.

In the PDF context, a digital signature assures whoever receives a digitally signed PDF that the document has not been tampered with since the signature was applied or, if changes are allowed after signing, lets them view it in the exact state it was in when it was signed. The process that validates a signed PDF easily detects any change made after the signature was applied, and PDF readers will flag that situation.
A digital signature also identifies the signing person or entity and the signing date and, optionally, carries additional information added by the signer, such as the reason for signing.

The process relies on a public key/private key cryptosystem. The signer uses the private key to sign, and the recipient uses the public key to verify that the signature is valid and was issued by the entity associated with that public key. The system works because content signed with a specific private key can only be validated with the matching public key.

From the signer's perspective, the private key is associated with a Digital ID certificate. A digital ID is like a national identification card or passport that proves the signer's identity. It usually carries the signer's name and email address, the identification of the entity that issued it, the expiration date, and the public key. Signed documents embed this certificate, so recipients can check all this information, verify its validity, and validate the signature.
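The sign-and-verify cycle described above, as an added example that is not part of the tool or its documentation. It assumes the openssl command-line program is installed, uses a constructed signer name and document, and signs a plain text file rather than building the signature container a PDF embeds.

```shell
#!/bin/sh
# Added illustration: names, e-mail address and document text are constructed.
WORK=$(mktemp -d)

# Create a private key and a self-signed certificate (the "Digital ID").
make_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Signer/emailAddress=signer@example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Signer side: hash the file with SHA-256 and sign the hash with the private key.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/key.pem" -out "$1.sig" "$1"
}

# Recipient side: take the public key from the certificate and check the signature.
# Exit status 0 means the content is exactly what was signed.
verify_file() {
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem" &&
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sig" "$1" \
    >/dev/null 2>&1
}

make_id
printf 'Contract: pay 100 EUR\n' > "$WORK/doc.txt"
sign_file "$WORK/doc.txt"
verify_file "$WORK/doc.txt" && echo "as signed: signature valid"

# Any change after signing makes verification fail.
printf 'Contract: pay 900 EUR\n' > "$WORK/doc.txt"
verify_file "$WORK/doc.txt" || echo "modified:  signature INVALID"

# Identity details the recipient can read from the certificate.
openssl x509 -in "$WORK/cert.pem" -noout -subject -issuer -enddate
```

For this self-signed certificate the subject and issuer lines show the same name, because the signer issued the certificate to themselves.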

Setting up a digital signature

The process starts by choosing which Digital ID will be used, so we need a Digital ID. We can create our own self-signed digital ID (the tool provides a "create a self-signed digital ID" wizard for this) or get one from a third-party provider.

Add Digital ID tool screenshot

Self-signed digital IDs are good for private use, or for small-to-medium businesses working in a closed, mutually trusted environment.

Digital IDs from third-party providers, called certificate authorities, should be used in all other scenarios. These certificate authorities are responsible for verifying the identity of the entity to whom the Digital ID is issued. This type of digital ID usually has a cost associated, and more trusted certificate authorities charge more for the service.

The tool's digital ID selector lists all the digital IDs installed in the logged-in user's private certificate store, and also provides the means to use digital IDs kept in external files or to start the create a self-signed ID wizard.

In the General tab we can add the listed additional information, all of which is optional. The type of hash algorithm, a cryptographic mechanism used by the signing process, is sometimes imposed by the recipient of the document to sign, so there is also an option to choose it. The default option should be used if no such requirement exists.

The appearance tab is used to specify whether the signature will have a visual representation or be invisible.

Digital signature appearance settings

The graphic option produces a signature with a visual representation, which may be a company logo or even a handwritten signature scanned to an image file, visually mimicking the usual manual signing process. The tool also provides a transparency color chooser, so we can easily hide the background of the chosen image, making the image look more natural on top of the document.

The position tab is used to specify the document page where the signature will be placed, and, for non-invisible signatures, the position and size of its visual representation.

Digital signature position settings

Many times the PDFs that need to be signed, usually form or contract type PDFs, already have unsigned signature fields, so we can use the "Existing field" option to select which field to sign. In these cases the field is already positioned.
This option is not available if the tool is started in batch mode, that is, with more than one PDF selected. However, if a previously used or saved template uses this option, it will be selected. So we can set up this mode by starting the tool with just one file, saving the configuration to a template, and using it later in batch mode to sign multiple PDFs that have a signature field with the same name.

The digital signature always includes the date when it was made, but that date comes from the signer's computer. Obviously this date can easily be forged just by changing the computer's date. In the time stamp tab we have the option to time stamp the signature using the services of a certified TSA (Time Stamp Authority).

Digital signature time stamp settings

Once again, this certification is usually done by third-party providers, but a small business may run its own TSA server if the time stamp is only needed for internal reference. To configure it, we only need to enter the TSA server URL, plus the user name and password if the TSA requires authentication to access the service.

Creating a self-signed digital ID

The create self-signed digital ID wizard, accessed from the tool's digital ID selector, is used to create a special type of digital ID where the issuing entity is also the digital ID's owner. No third party certifies the owner's identity, so these IDs are usually not accepted for business signatures.

Create a self-signed digital ID tool screenshot

The identity information fields are straightforward, and only the top two are mandatory. The default general options should be used if there are no specific requirements.

The "store in" section specifies where the digital ID will be saved. The first option saves it to an external file, protected by a password that must be provided each time the digital ID is used. The second option adds the new digital ID to your Windows private certificate store, where it is protected by your Windows logon password.