Digital Signing


FAQ


What happens if a signer's certificate expires?

The signer cannot sign new documents until an administrator issues a new Signing Certificate. Previously signed documents remain valid — the signature was valid at the time it was made.

What if someone modifies a signed PDF?

The signature becomes invalid. Any PDF viewer that checks PAdES signatures reports the document as tampered. The SHA-256 hash stored in the Signature Log won't match either — clear audit evidence.
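The audit-side check described above, as an added example (not the app's own code): it recomputes SHA-256 over each stored PDF and compares it with the value recorded at signing time. The keys `document` and `sha256`, the file names, and the assumption that the log holds the hex digest of the signed file's bytes are illustrative, not taken from the Signature Log schema.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a binary file object in chunks so large PDFs are not read whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def audit(log_entries, open_document):
    """Return {document: 'match' | 'mismatch' | 'missing' | 'bad-log-entry'}.

    log_entries: dicts with the assumed keys 'document' and 'sha256'.
    open_document: callable giving a binary file object, or None if absent.
    """
    results = {}
    for entry in log_entries:
        name = entry["document"]
        logged = str(entry.get("sha256") or "").strip().lower()
        if len(logged) != 64 or not set(logged) <= HEX:
            results[name] = "bad-log-entry"  # never compare against junk
            continue
        fh = open_document(name)
        if fh is None:
            results[name] = "missing"
            continue
        with fh:
            current = sha256_stream(fh)
        same = hmac.compare_digest(current, logged)
        results[name] = "match" if same else "mismatch"
    return results

# Constructed sample data: stand-in bytes, not a real signed PDF.
SIGNED = b"%PDF-1.7\nconstructed stand-in for a signed file\n%%EOF\n"
STORE = {
    "DOC-0001.pdf": SIGNED,
    "DOC-0002.pdf": SIGNED + b"% bytes appended after signing\n",
}
LOGGED = hashlib.sha256(SIGNED).hexdigest()
LOG = [{"document": f"DOC-000{i}.pdf", "sha256": LOGGED} for i in (1, 2, 3)]
LOG.append({"document": "DOC-0004.pdf", "sha256": "not-a-hash"})

def open_from_store(name):
    data = STORE.get(name)
    return io.BytesIO(data) if data is not None else None
```

A `mismatch` or `missing` result is a reason to open the file in a PAdES-aware viewer and review the matching Signature Log entry; the hash comparison complements signature validation and does not replace it.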

Can a document be signed by multiple signers?

Currently each document supports one signature. After the first signature, the document's status changes to "Signed" and additional signing is disabled. Multi-signer support is on the roadmap.

What authenticator apps are supported?

Any TOTP-compatible app:

  • Google Authenticator
  • Authy
  • Microsoft Authenticator
  • 1Password
  • Bitwarden Authenticator
  • Duo Mobile

SMS-based 2FA is not supported (SIM-swap risk).

Can I sign without 2FA?

Only if the administrator has disabled Require 2FA for that DocType in Signable DocTypes. Not recommended for any regulated or customer-facing signing.

What if the Timestamp Authority is unavailable?

For PAdES-B-T and above, signing requires reaching the TSA. If unreachable, signing fails — no automatic fallback. Options:

  • Wait and retry (typically the TSA returns within minutes)
  • Configure a different TSA in Signing Settings (e.g., DigiCert)
  • Temporarily switch the default level to PAdES-B-B (loses timestamp; emergency only)

How long are signatures valid?

| Level | Validity |
|-------|----------|
| B-B   | As long as the certificate is valid (typically 2 years) |
| B-T   | Timestamp proves signing time indefinitely; validation may require online CA access |
| B-LT  | Self-contained — verifiable offline for years, even if the CA goes offline |
| B-LTA | Decades — protected against algorithm obsolescence |

See Signature Levels for details.

Where can I check the audit log?

In the Signature Log in the Frappe desk. Filter by document, signer, date range, or status. Every signing attempt (success and failure) is recorded.

Can a signed PDF be unsigned?

No. The signature is a cryptographic seal embedded in the PDF — removing it would invalidate the signature. The only way to "unsign" is to keep an unsigned copy separately before signing.

What's the difference between AES and QES?

  • AES (Advanced Electronic Signature) — what this app provides. Identifies the signer uniquely, signer has sole control, document integrity guaranteed. Strong legal standing in the EU, especially with timestamping.
  • QES (Qualified Electronic Signature) — adds a Qualified Certificate from an EU-Trust-List CA and (typically) a hardware token. Equivalent to a handwritten signature under eIDAS. Requires a Qualified Trust Service Provider.

For most business signing, AES is sufficient and legally binding. QES is required only for specific regulated cases.

Does this work offline?

Signing requires online access (TSA, optionally CRL distribution). Verification of B-LT and B-LTA signatures can be done offline. B-B and B-T verification typically requires online CA / CRL access.

Can signers use a hardware token (USB key)?

Not currently. The signer's private key is stored encrypted in the database. Hardware token support (PKCS#11) is on the roadmap for QES use cases.

How is GDPR handled?

The Signing Certificate contains the signer's name and (optionally) their professional identifier. The audit log records signing events including IP address. Both are processed on the legal basis of contract performance / legitimate interest depending on your setup. Signers can request access via the standard ERPNext data export tools.

Last updated 2 days ago