Verifying Digital Signatures

Introduction

This chapter discusses…

Managing Digital ID Certificates

It’s not necessary to “trust” the signer of a digitally-signed document in order to verify that the document has not been tampered with. Digital signatures will reveal tampering regardless of whether the certificate used to sign the file remains valid at the time it’s checked.

However, if you need to verify that the signer remains authorized and their certificate is still valid, you’ll need to add their certificate to your list of trusted certificates.

Each desktop application has a distinct method for adding and managing digital ID certificates. In Adobe Acrobat X & XI, you’ll find “Manage Trusted Identities” under the Tools pane in the Sign & Certify section. In Adobe Reader X & XI, you’ll find “Manage Trusted Identities” under the “Edit” menu in Protection > Manage Trusted Identities.

If you use other desktop software for viewing digitally-signed PDF documents, you’ll need to find the equivalent functionality in that application in order to manage trusted identities.

How to Verify Digital Signatures

Digital signatures serve two distinct purposes in PDF documents.

  • To ensure the document hasn’t been altered since it was signed.
  • To verify that the signing credentials of the person (or entity) signing the document remain in effect.

While SecurSign provides these functions on a server, most users experience digital signatures on the desktop when they use digital-signature-aware software such as Adobe Acrobat or Reader to open digitally-signed PDF files. Here we provide some basic information on how to understand digital signature messages in Adobe Acrobat X or Reader X.

Note: This information is not intended to serve as a substitute for desktop software product documentation. Even Adobe’s interface for digital signatures has evolved over time. Other digital-signature-aware applications should provide similar messages in similar circumstances.

When a user first encounters a digitally-signed PDF file, they may see one of two types of messages:

Self-signed documents:

Message from self-signed certificate

Trusted Documents:

Signed by Trusted certificate

If the PDF was signed by a user with a self-signed certificate, it’s possible to verify that the file was not altered since signing, but it is not possible to ascertain whether or not the signer remains authorized to sign the document.
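The two checks described above can be kept apart in code. The following is an added example, not SecurSign or Adobe code: it signs raw bytes with ECDSA rather than parsing a real PDF signature, and it assumes the third-party Python `cryptography` package. The function names, the sample document and the fingerprint-based trust list are hypothetical, and revocation checking is left out.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA = ec.ECDSA(hashes.SHA256())

def make_self_signed(common_name, days_valid):
    """Constructed signer: a key pair plus a self-signed certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.now(timezone.utc) - timedelta(days=10)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days_valid))
            .sign(key, hashes.SHA256()))
    return key, cert

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256())

def is_unmodified(document, signature, cert):
    """Check 1, integrity: needs only the public key carried in the certificate."""
    try:
        cert.public_key().verify(signature, document, ECDSA)
        return True
    except InvalidSignature:
        return False

def signer_status(cert, trusted):
    """Check 2, identity: depends on the verifier's own trust list and clock."""
    if fingerprint(cert) not in trusted:
        return "untrusted"
    # cryptography >= 42 has a timezone-aware property; older releases only a naive one
    not_after = (getattr(cert, "not_valid_after_utc", None)
                 or cert.not_valid_after.replace(tzinfo=timezone.utc))
    return "trusted" if datetime.now(timezone.utc) <= not_after else "expired"

# Constructed sample data (not a real PDF or a real signer)
DOCUMENT = b"%PDF-1.7 constructed sample contract body"
key, cert = make_self_signed("Example Signer", days_valid=30)
SIGNATURE = key.sign(DOCUMENT, ECDSA)

if __name__ == "__main__":
    print("unmodified:", is_unmodified(DOCUMENT, SIGNATURE, cert))
    print("after edit:", is_unmodified(DOCUMENT + b" extra clause", SIGNATURE, cert))
    print("no trust list:", signer_status(cert, set()))
    print("signer added:", signer_status(cert, {fingerprint(cert)}))
```

The integrity result is the same whether or not the signer is on the trust list; only the identity result changes when the certificate is added.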

Verifying Self-Signed Documents

Even though you may see a message indicating that “at least one signature has problems”, most users simply want to know whether the document has been tampered with. It is still possible to verify that a self-signed PDF document has not been tampered with since it was signed.

Open the Signature panel and review the signature details. If the document remains unmodified, you’ll see something like the following:

The signature panel in a self-signed PDF showing that the document has not been modified since signing.

Verifying Documents Signed by a Trusted Entity

If the PDF was signed by a user you’ve accepted as a “trusted identity”, it’s possible to check the signature for current validity (i.e., to know whether the signing certificate has been revoked or not). This is also true if the PDF was signed by a user who is trusted by your software as a function of the signer’s Certificate Authority (CA) chain.

In such cases, you’ll open the signature panel to see something like this:

Signature panel showing a trusted signature.

Digital Signature Fields

Another method of verifying digital signatures is to simply click on the signed digital signature field. Depending on whether the document is self-signed or signed by a verifiable certificate, the user will receive different messages. The following messages are encountered in Adobe Reader X:

Self-Signed Documents:

Self signed status

Trusted Documents

Certified signed status

Note that in both cases (self-signed and certificate-signed), it’s possible to determine whether or not the document has been tampered with.

If any changes are made to the document following verification, Adobe Acrobat, Reader or other digital-signature-aware software will report that the document has been modified since it was signed.