Before you begin
We're rolling out a new, more intuitive product experience. If the screen shown here doesn’t match your product interface, select help for your current experience.
Before you begin
We're rolling out a new, more intuitive product experience. If the screen shown here doesn’t match your product interface, select help for your current experience.
Digital signatures are a secure and efficient way to electronically sign and authenticate documents, ensuring their authenticity and integrity. By using digital signatures, you can sign documents quickly and easily, and be confident that they can’t be tampered with or forged.
When you receive a signed document, you may want to validate its signature to verify the signer and the signed content. Depending on how you’ve configured your application, validation may occur automatically. Signature validity is determined by checking the authenticity of the signature’s digital ID certificate status and document integrity.
To verify authenticity, the validator checks if the signer's certificate or its parent certificates are trusted. The validity of the signing certificate is also checked based on the user's Acrobat or Acrobat Reader settings.
To verify document integrity, the validator checks if the signed content was altered after signing. If changes were made, the verification ensures that the signer allowed the changes.
You can set verification preferences in advance so digital signatures are valid when you open a PDF and verification details appear with the signature. When Digital Signatures are validated, an icon appears in the document message bar to indicate the signature status.
Select the hamburger menu
(Windows®), or go to Acrobat (macOS)> Preferences.In the Preferences dialog box, from under categories, select Signatures.
From the Verification box in the Digital Signatures panel, select More...
In the 'Signature Verification Preferences' dialog that opens, you can control the following settings:
Note: Selecting these options can compromise security.
In Acrobat or Acrobat Reader, the signature of a certified or signed document is valid if you and the signer have a trust relationship. The trust level of the certificate indicates the actions for which you trust the signer.
You can change the trust settings of certificates to allow specific actions. For example, you can change the settings to enable the dynamic content and embedded JavaScript™ within the certified document.
Navigate to the hamburger menu
For identities & Trusted Certificates, select More...
From the left panel, select Trusted Certificates.
Select a certificate from the list and then select Edit Trust.
In the Edit Certificate Trust dialog that opens, select any of the following items to trust the certificate:
Allow Embedded high privilege JavaScript™ and Privileged system operations only for sources that you trust and work closely with. For example, use these options for your employer or service provider.
Select OK.
For more information, see the Digital Signature Guide at www.adobe.com/go/acrodigsig.
You can right-click a signature field in the Signatures panel to do most signature-related tasks, including adding, clearing, and validating signatures. In some cases, however, the signature field becomes locked after you sign it.
When document integrity is critical for your signature workflow, you can enable 'View documents in Preview mode', and then sign the document. This feature analyzes the document for content that may alter the look and feel of the document and suppresses such content to allow you to view and sign the document in a static and secure state.
By signing in preview mode, you can find if the document contains:
After reviewing the report, you can contact the author of the document about the problems listed in the report.
Navigate to the hamburger menu
(Windows) or the Acrobat menu (macOS) > Preferences > Signatures.For Creation & look and feel, select More...
Select View documents in Preview Mode checkbox.
On the PDF, select the signature field and select Sign Document.
The document message bar appears with the compliance status and options.
Optionally, from the document message bar, select View Report (if available) and select each item in the list to show details. Once done, close the PDF Signature Report dialog box.
If you’re satisfied with the compliance status of the document, from the document message bar, select Sign Document and add your digital signature.
Save the PDF using a different name than the original and close the document without making any further changes.
Certifying a PDF means approving its contents and specifying what changes are allowed for the document to remain certified. For example, a government agency creates a form with signature fields and certifies it, allowing users to only change form fields and sign the document. Removing pages or adding comments will result in losing the certified status.
A certifying signature can only be applied if the PDF has no other signatures. These signatures can be visible or invisible, and a blue ribbon icon in the Signatures panel confirms a valid certifying signature. Adding a certifying digital signature requires a digital ID.
Remove content that may compromise document security, such as JavaScripts, actions, or embedded media.
From the All tools menu, select Use a certificate.
From the Use a certificate menu on the left, select one of the following options:
Follow the onscreen instructions to place the signature (if applicable), specify a digital ID, and select the Permitted Actions After Certifying option if required.
If signing in Preview mode is enabled, select Sign Document in the document message bar.
Save the PDF using a different filename than the original file, and then close the document without making more changes. It’s a good idea to save it as a different file so that you can retain the original unsigned document.
Acrobat allows users to add a document timestamp to a PDF without needing an identity-based signature. To timestamp a PDF, a timestamp server is needed. See how to configure a timestamp server.
A timestamp guarantees the authenticity and existence of a document at a specific time and complies with ETSI 102 778 PDF Advanced Electronic Signatures (PAdES) standard.
Open the document to which you want to add a timestamp.
From the All tools menu, select Use a certificate.
From the Use a certificate menu on the left, select Timestamp.
In the Choose Default Timestamp Server dialog that opens, select a default timestamp server from the list, or add a new default timestamp server.
Select Next and then save the document with the timestamp.
If the signature status is unknown or unverified, manually validate it to identify the issue and find a potential solution. In case the signature status is invalid, you must contact the signer to resolve the issue.
For more information about signature warnings, and valid and invalid signatures, see Digital Signature Guide.
You can assess the validity of a digital signature and timestamp by checking the signature properties.
Open the PDF containing the signature and then select the signature.
The Signature validation status dialog box describes the validity of the signature.
For more information about the Signature and Timestamp, select Signature Properties.
In the Signature properties dialog box, review the Validity Summary that may display one of the following messages:
For details about the signer’s certificate, such as trust settings or legal restrictions of the signature, select Show signer’s certificate in the Signature properties dialog box.
If the document was modified after it was signed, check the signed version of the document and compare it to the current version.
Open the PDF for which you want to validate all digital signatures.
From the global bar in the upper-left, select All tools.
From the All tools pane, select Use a certificate > Validate all signature.
Select OK in the confirmation dialog box. Once all the signatures are validated. You get a confirmation message.
Whenever a certificate is used to sign a document, a signed version of the PDF is created and saved along with the original PDF. The saved versions are in an append-only format, meaning the original PDF can’t be modified. The Signatures panel provides access to all digital signatures and their corresponding versions.
To view previous versions, open the Signature panel and then select Options > View Signed Version.
The previous version opens as a new PDF, with the version information and the name of the signer in the title bar. To return to the original document, choose the document name from the Windows® menu.
After a document is signed, you can display a list of the changes made to the document after the last version.
To compare the previous versions, open the Signatures panel and then select the signature. Then, select Options > Compare Signed Version To Current Version.
Once you're done, close the temporary document.
To trust a certificate, it must be added to the user's trusted identity list in the Trusted Identity Manager. Also, its trust level must be set manually. End users can exchange certificates or add them directly from signed documents and set their trust levels. However, enterprises may require employees to validate signatures without any manual intervention. Acrobat trusts all certificates that are signed and certified by a trust anchor. Therefore, administrators can preconfigure client installations or allow end users to add a trust anchor. For more information on trusting certificates, see About certificate-based signatures.
Digital signatures that were added using a self-signed certificate can’t be automatically validated by Adobe as the certificate isn’t in the list of Trusted Identities that Adobe uses to validate signatures. A self-signed certificate is a certificate that you’ve generated yourself using a third-party application. You won’t be able to manually validate the signature until the certificate is trusted by Adobe. If you open such a PDF, you’ll see a warning At least one signature has problems.
For security reasons, Adobe doesn’t recommend adding a self-signed certificate, or any random certificate to the Adobe's list of Trusted Identities.
To add the certificate that was used to apply the digital signature into Adobe’s list of Trusted Identities, do the following:
Open the Signature panel.
Right-click the signature and then select Show Signature Properties.
In the Signature Properties dialog box, select Show Signer's Certificate.
In the Certificate Viewer dialog box, select Trust > Add To Trusted Certificates.
Select OK.
You can sign component PDFs within a PDF Portfolio, or sign the PDF Portfolio as a whole. Signing a component PDF locks the PDF for editing and secures its content. After signing all the component PDFs, you can sign the entire PDF Portfolio to finalize it. Alternatively, you can sign the PDF Portfolio as a whole to lock the content of all component PDFs simultaneously.
To sign a component PDF, see Signing PDFs. The signed PDF is automatically saved to the PDF Portfolio.
To sign a PDF Portfolio as a whole, sign the cover sheet (View > Portfolio > Cover Sheet). Once you sign the PDF Portfolio as a whole, you can’t add signatures to the component documents. However, you can add more signatures to the cover sheet.
You can add signatures to attachments before signing the cover sheet. To do so:
A properly signed or certified PDF Portfolio has one or more signatures that approve or certify the PDF Portfolio. The most significant signature appears in a Signature badge in the toolbar. Details of all signatures appear on the cover sheet.
To view the name of the organization or person that signed the PDF Portfolio, hover the pointer over the Signature Badge.
To view details about the signature that appears on the Signature Badge, click the Signature Badge. The cover sheet and the Signatures pane on the left are open with details.
If the PDF Portfolio approval or certification is invalid or has a problem, the Signature Badge shows a warning icon. To view an explanation of the problem, hover the pointer over a Signature Badge with a warning icon. Different warning icons appear for different situations.
For a list and explanation of each warning, see the DigSig Admin Guide.
Acrobat and Acrobat Reader support XML data signatures that are used to sign data in XML Forms Architectures (XFA) forms. The form author provides XML signing, validating, or clearing instructions for form events, such as button click, file save, or submit.
XML data signatures conform to the W3C XML-Signature standard. Like PDF digital signatures, XML digital signatures ensure integrity, authentication, and non-repudiation in documents.
However, PDF signatures have multiple data verification states. Some states are called when a user alters the PDF-signed content. In contrast, XML signatures only have two data verification states, valid and invalid. The invalid state is called when a user alters the XML-signed content.
Long-term signature validation allows you to verify the signature's validity long after the document was signed. To achieve this, all the necessary elements for signature validation must be embedded in the signed PDF. These elements can be embedded during the document signing process or added afterward.
If certain information is not included in the PDF, the signature can only be validated for a limited time because certificates related to the signature eventually expire or are revoked. When a certificate expires, the issuing authority is no longer responsible for providing revocation status, rendering the signature unverifiable.
The necessary elements for signature validity include the signing certificate chain, certificate revocation status, and possibly a timestamp. If these elements are embedded during signing, the signature can be validated without requiring external resources.
Acrobat and Acrobat Reader can embed the necessary elements if available, and the PDF creator must enable usage rights for Acrobat Reader users by going to the hamburger menu
(Windows) or the Acrobat menu (macOS) > Save as other > Acrobat Reader extended PDF.Embedding timestamp information requires an appropriately configured timestamp server. In addition, the signature validation time must be set to Secure Time by navigating to Preferences > Security > Advanced Preferences > Verification tab.
CDS certificates can add verification information, such as revocation and timestamp into the document without requiring any configuration from the signer. However, the signer must be online to fetch the appropriate information.
To add verification information while signing:
If all the elements of the certificate chain are available, the information is added to the PDF automatically. If a timestamp server has been configured, the timestamp is also added.
In certain workflows, signature validation information may be unavailable during the signing but can be obtained later. For instance, a company official may sign a contract on a laptop while traveling without internet access. When internet access is later available, anyone validating the signature can add timestamping and revocation information to the PDF. Subsequent signature validations can also make use of this information.
To add verification information after signing:
Information and methods used to include this long-term validation (LTV) information in the PDF comply with Part 4 of the ETSI 102 778 PDF Advanced Electronic Signatures (PAdES) standard.
The command is unavailable if the signature is invalid, or is signed with a self-signed certificate. The command is also unavailable in case the verification time equals the current time.