Digital Signature Validation

The digital signature validation process consists of two steps.

  • In the first step, we check if the signature certificate embedded during signing can be trusted. To do this, we need to obtain the trusted certificate chain up to the root authority that issued it. Both the Server and Standalone setups of PSPDFKit for Web allow you to specify the certificates to use for validation.

  • In the second step, we verify the signature. This step essentially decrypts the signature with the public key from the certificate that was embedded in the PDF file at signing time and compares the result with the message digest computed from the PDF file, excluding the signature itself.
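
The digest in the second step can be illustrated with the PDF /ByteRange entry, which lists the byte spans a signature covers. The following is an added example, not PSPDFKit's code: it assumes SHA-256, a single signature, and a constructed PDF-like byte string (signed_digest and build_sample are hypothetical names).

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over the two /ByteRange spans, i.e. the file minus /Contents."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(g) for g in m.groups())
    gap = pdf[a + b:c]
    # Coverage checks: the signed spans must run from byte 0 to end of file,
    # and the only unsigned bytes must be the <hex> signature string.
    if a != 0 or a + b > c or c + d != len(pdf):
        raise ValueError("ByteRange does not cover the whole file")
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", gap):
        raise ValueError("unsigned gap is not a single hex string")
    return hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest()

def build_sample(sig_hex: bytes = b"ab" * 16, body: bytes = b"constructed body") -> bytes:
    """Constructed PDF-like bytes (not a valid PDF) with a correct /ByteRange."""
    pre = b"%PDF-1.7\n" + body + b"\n<< /Type /Sig /ByteRange ["
    mid = b"] /Contents "
    tail = b" >>\n%%EOF\n"
    gap_start = len(pre) + 43 + len(mid)    # 43 = four 10-digit numbers + 3 spaces
    gap_end = gap_start + len(sig_hex) + 2  # + 2 for the < > delimiters
    br = b"%010d %010d %010d %010d" % (0, gap_start, gap_end, len(tail))
    return pre + br + mid + b"<" + sig_hex + b">" + tail

if __name__ == "__main__":
    original = build_sample()
    reference = signed_digest(original)
    print("digest:", reference)
    # Different signature bytes, same document: the digest is unchanged.
    print("same:", signed_digest(build_sample(sig_hex=b"cd" * 16)) == reference)
    # One changed byte inside a signed span: the digest differs.
    print("differs:", signed_digest(original.replace(b"body", b"b0dy")) != reference)
    # Bytes appended after the signed range fail the coverage check.
    try:
        signed_digest(original + b"appended")
    except ValueError as err:
        print("rejected:", err)
```

A signature can verify correctly over its /ByteRange while the file contains bytes outside that range, which is why the coverage checks run before the hash is computed.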

Provide Trusted Root Certificates

PSPDFKit Server will search for certificate stores at the /certificate-stores path inside its container. You can mount a folder from the host machine containing your certificates. As an example, you can update the configuration in the Docker Compose file by adding the needed volume:

pspdfkit:
  ...
  volumes:
    - "./path-on-the-host:/certificate-stores"

Note that for performance reasons, PSPDFKit Server defers loading certificate files until a signature needs to be validated, so you will need to open a signed document to test that the files are loaded as expected.