to select ↑↓ to navigate
Digital Signing

Digital Signing

eInvoicing eInvoicing ERPNext ERPNext Frappe Ecosystem Frappe Ecosystem Frappe Framework Frappe Framework Wiki Digital Signing Digital Signing
Edit
Open in ChatGPT
Ask ChatGPT about this page
Open in Claude
Ask Claude about this page

Verifying a Signature

Verifying a Signature

How to confirm a signed PDF is valid — in-app, in Adobe Acrobat, and what gets checked.

In the application

  1. Open a signed document
  2. Click Digital Signing → Verify Signature
  3. A dialog shows: validity, signer name, signing time, any warnings

What gets checked

Check Meaning
Integrity Document hasn't been modified after signing — any byte change invalidates the signature
Trusted Signer's certificate was issued by your CA (chains to the trusted root)
Timestamp Timestamp was issued by a trusted Timestamp Authority
Coverage Signature covers the entire file (not just a portion)
Signer Identity from the certificate — name, organisation, identifier

Verification uses your CA certificate as the trust root and the system CA store for timestamp validation (Sectigo, DigiCert, etc.).

In Adobe Acrobat Reader

External parties typically open signed PDFs in Adobe Acrobat Reader.

  1. Open the signed PDF
  2. The signature panel opens automatically
  3. With your CA installed: green checkmark — signature valid + signer identity verified
  4. Without the CA installed: "Signature valid but signer identity unverified" — integrity still confirmed, just not the issuer

Installing the CA certificate (one-time, for verifiers)

For external verifiers to see the green checkmark on every signed PDF:

Getting the CA certificate

  • Admin clicks Download CA Certificate on Signing Settings and sends the file, OR
  • Verifier downloads from https://[your-site]/api/method/digital_signing.api.signing.download_ca_certificate

Installing in Adobe Acrobat Reader

  1. Edit → Preferences → Signatures → Identities & Trusted Certificates → More
  2. Trusted Certificates → Import
  3. Select the signing-ca.crt file
  4. Check "Use this certificate as a trusted root"
  5. Click OK

After this one-time setup, all documents signed by your signers show a green checkmark in their Acrobat Reader.

Verification without installing the CA

The verifier can still:

  • Confirm the document hasn't been tampered with (integrity)
  • Inspect the signer's certificate details
  • Verify the timestamp via the TSA

They just can't automatically chain to your CA's trust root — they'd see a yellow warning instead of green, but cryptographic guarantees are unchanged.

What if the signature is invalid?

Symptom What it means
Integrity fail The PDF was modified after signing — tampered or corrupted
Certificate not trusted CA not installed (verifier setup issue), or signer's cert chain broken
Certificate revoked If revoked before signing time — signature is invalid. If revoked after, the timestamp proves the signature was made when valid (still valid).
Timestamp invalid TSA cert expired or untrusted — rare; contact the timestamp authority

Long-term verification

For PAdES-B-LT and B-LTA levels, all data needed for verification (CA cert chain, revocation lists, timestamps) is embedded into the PDF. Verifiers can validate the signature years later without contacting any server — useful for regulatory archives.

See Signature Levels for level-by-level details.

Last updated 2 days ago
Was this helpful?
Thanks!