This tool provides the means to digitally sign PDF documents, by adding a new digital signature, or by signing pre-existing unsigned signature fields.
A digital signature, in the PDF context, gives recipients of a digitally signed PDF the assurance that the document has not been tampered with since the signature was applied. If changes are allowed to be made after the signature is applied, recipients have the ability to view the document in its original state, as it was when it was signed. The process that validates a signed PDF easily detects any change made after a signature is applied, and PDF readers will be alerted.
Digital signatures also identify the signing person or entity, the signing date and, optionally, additional information added by the signer, such as the reason for signing the document.
The process relies on a public key/private key cryptosystem. The signer uses the private key to sign, and the recipient uses the public key to verify that the signature is valid and was issued by the entity associated with that public key. The system works because only content signed with a specific private key can be validated by its public key.
From the signer's perspective, the private key is associated with a Digital ID certificate. A digital ID is like a national identification card or passport that proves the signer's identity. It usually includes the signer's name and email address, identification of the entities that issued the certificate, the expiration date, and the public key. Signed documents embed this certificate, so recipients can check all of this information to validate the signature.
Setting up a digital signature
The process starts by choosing which Digital ID will be used, so a Digital ID is required. We can create our own self-signed digital ID, for which the tool provides a "Create self-signed digital ID" wizard, or one can be obtained from a third-party provider.
Self-signed digital IDs are good for private use, or for small-to-medium businesses working in a closed, mutually trusted environment.
Digital IDs from third-party providers, called certificate authorities, should be used in all other scenarios. These certificate authorities are responsible for verifying the identity of the entity to whom the Digital ID is issued. This type of digital ID usually has an associated cost, and more trusted certificate authorities charge more for the service.
The tool's digital ID selector lists all the digital IDs installed in the logged-on user's private certificate store, and also provides the means to use digital IDs kept in external files, or to start the "Create self-signed digital ID" wizard.
In the General tab we can add the listed additional information, all of which is optional. The type of hash algorithm, a cryptographic mechanism used by the signing process, is sometimes imposed by the recipient of the document to sign, so there is also the option to choose it. The default option should be used if no such requirement exists.
The appearance tab is used to specify if the signature will have a visual representation, or if it should be invisible.
The graphic option will produce a signature with a visual representation, which may be a company logo, or even a handwritten signature scanned to an image file, that visually mimics the usual manual signing process. The tool also provides a transparency color chooser, so the background of the chosen image can be easily hidden, making the insertion of the image on top of the document look more natural.
The position tab is used to specify the document page where the signature will be placed, and, for non-invisible signatures, the position and size of its visual representation.
Often, PDFs that need to be signed, usually form or contract type PDFs, already have unsigned signature fields, so we can use the "Existing field" option and choose which field to sign. In these cases, the field is already positioned.
This option is not available if the tool is started in batch mode, that is, with more than one PDF selected. However, if a previously used or saved template uses this option, it will be selected. So we can set up this mode by starting the tool with just one file, save the configuration to a template, and use it later in batch mode to sign various PDFs that have a signature field with the same name.
The digital signature always includes the date when it was signed, but that date comes from the signer's computer. This date can be easily forged by changing the computer's date. In the time stamp tab we have the option to time stamp the signature using the services of a certified TSA (Time Stamp Authority).
Once again, this certification is usually done by third-party providers, but a small business may have its own TSA server running, if the time stamp is only needed for internal reference. To configure it, we only need to enter the TSA server URL, and the user name and password if the TSA requires authentication to access the service.
Creating a self-signed digital ID
The "Create self-signed digital ID" wizard, accessed from the tool's digital ID selector, is used to create a special type of digital ID, where the issuer entity is also the digital ID owner, so there is no third party to certify the owner's identity. For this reason, these are usually not accepted for business signatures.
The identity information fields are straightforward, and only the top two are mandatory. The default general options can be used if there aren't specific requirements.
The "store in" section is used to specify where the digital ID will be saved. The first option saves it to an external file, and requires a password to protect it, which must be provided each time the digital ID is used. The second option adds the new digital ID to your Windows private certificate store, where it is protected by your Windows logon password.
Command line interface:
Function name: | AddSignature
Options: | [] means optional parameter
Template= | Full path to a digital signature template file, that is, a set of Add Digital Signature tool options previously saved to a file.
[Password=] | The password protecting the Digital ID private key. Required if the template file embeds the Digital ID certificate, or refers to an external Digital ID certificate file.
[OutputPath=] | Full path where to put the signed files. If not specified, the file source path is used instead.
[-CreateBackup] | If specified, create a backup file.
[-s] | Silent mode. Run without showing the interface (only available for licensed users).
FilesList | List of PDF files to sign. Separate files using the semicolon ";" character. Must be the last parameter.
Example: "C:\Program Files\PDF-ShellTools\PDFShellTools.exe" AddSignature OutputPath=C:\PDFs\Signed Template=c:\SignTemplates\MyDigitalSignature.sig C:\PDFs\contract.pdf
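A batch-signing wrapper around the command line above, as an added example that is not part of the original documentation. The function name Invoke-PdfBatchSign and its parameters are assumptions, and it refuses values containing whitespace or semicolons because the page does not document how quoted values are parsed.

```powershell
# Added example; Invoke-PdfBatchSign and its parameter names are assumptions.
function Invoke-PdfBatchSign {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,
        [Parameter(Mandatory)] [string] $Template,
        [Parameter(Mandatory)] [string] $OutputPath,
        [string] $Exe = 'C:\Program Files\PDF-ShellTools\PDFShellTools.exe',
        [switch] $Silent,         # -s: only available for licensed users
        [switch] $NeedsPassword   # template embeds or refers to a Digital ID file
    )

    # Collect every PDF in the source folder (full paths).
    $files = @(Get-ChildItem -LiteralPath $SourceDir -Filter *.pdf -File |
        ForEach-Object { $_.FullName })
    if ($files.Count -eq 0) { throw "No PDF files found in $SourceDir" }
    if (@($files -match ';').Count -gt 0) {
        throw 'A file name contains ";", which is the FilesList separator.'
    }

    $argList = @('AddSignature', "Template=$Template",
                 "OutputPath=$OutputPath", '-CreateBackup')
    if ($Silent) { $argList += '-s' }

    if ($NeedsPassword) {
        # Prompt at run time instead of storing the private-key password in a script.
        $secure = Read-Host -Prompt 'Digital ID password' -AsSecureString
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        $argList += "Password=$plain"
    }

    # FilesList is semicolon-separated and must be the last parameter.
    $argList += ($files -join ';')

    # Assumption: no value contains whitespace, as in the page's own example.
    if (@($argList -match '\s').Count -gt 0) {
        throw 'A path or the password contains whitespace; not handled here.'
    }

    Start-Process -FilePath $Exe -ArgumentList $argList -Wait
}
```

Because Password= is passed as a command-line argument, it is readable by anything that can see process command lines (Task Manager, process-creation auditing with command-line logging) while the tool runs. Where that matters, a template that uses a Digital ID from the Windows certificate store avoids the parameter entirely.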