Validating a Digital Signature


PSPDFKit Server has been deprecated and replaced by PSPDFKit Document Engine. All PSPDFKit Server and PSPDFKit for Web Server-Backed licenses will work as before and be supported until 15 May 2024 (we will contact you about license migration). To start using Document Engine, refer to the migration guide. With Document Engine, you’ll have access to robust new capabilities (read the blog for more information).

The digital signature validation process consists of two steps.

  • In the first step, it checks if the signature certificate embedded during signing can be trusted. To do this, the trusted certificate chain up to the root authority that issued it is necessary. Both PSPDFKit for Web Served-Backed and Standalone allow you to specify the certificates to use for validation.

  • In the second step, it verifies the signature. This process essentially applies the public key (from the certificate embedded in the PDF file) to the digital signature and compares the result with the message digest built from the PDF file, excluding the signature itself. If the result is the same, the signature is valid.

Providing Trusted Root Certificates

PSPDFKit Server will search for certificate stores at the /certificate-stores path inside its container. You can mount a folder from the host machine containing your certificates. As an example, you can update the configuration in the Docker Compose file by adding the needed volume:

    - "./path-on-the-host:/certificate-stores"

Note that for performance reasons, PSPDFKit Server defers loading certificate files until a signature needs to be validated, so you’ll need to open a signed document to test that the files are loaded as expected.