Sign a PDF with a Certificate on Android

PSPDFKit enables signing both existing signature form elements and documents without a signature form element.

Information

If you want to use the Digital Signatures component, make sure it’s included in your license. Please contact Sales for more information.

Creating a Digital Signature

Adding a digital signature on a PDF document is both reliable proof of the document’s origin and protection against modification by third parties.

To create a digital signature, you need two things.

  • First, you need an X509 certificate that contains your public key and your signer information. PSPDFKit supports PEM-encoded and DER-encoded X509 certificates, as well as DER-encoded PKCS#7 certificates. You can check the encoding of a certificate file by using the OpenSSL command-line tool as follows:

openssl pkcs7 -noout -text -print_certs -in example.p7b

The above command will print an error message if “example.p7b” is not a PEM-encoded PKCS#7 certificate or certificate chain.

To verify if a PKCS#7 certificate file is correctly DER encoded, you can use this command instead:

openssl pkcs7 -inform der -noout -text -print_certs -in example.p7b

The above command will print an error message if “example.p7b” is not a DER-encoded PKCS#7 certificate or certificate chain.

  • Second, you need your private key.

Signing Process

The signing process produces the signature by encrypting the message digest from the PDF file with a private key. The certificate with its public key is added to the signature and saved in the PDF file. The SigningManager class allows signing of documents by adding a digital signature to a SignatureFormField. It allows both computation and saving of digital signatures to a definable output file.

PSPDFKit ships with two ways to sign your documents.

  1. The simplest approach takes a PrivateKey that was loaded by your app and uses it to sign a document directly:

val signerOptions = SignerOptions.Builder(signatureFormField, outputFileUri)
    .setPrivateKey(key)
    .build()

SigningManager.signDocument(context = context,
     signerOptions = signerOptions,
     type = digitalSignatureType,
     onFailure = {
         // Handle signing errors here.
             }
         ) {
             // The document was successfully signed!
             val signedDocument = Uri.fromFile(outputFile)
         }
  1. Another approach loads the signing certificates from a PKCS#12 file (usually with the .p12 file extension) and provides you with the flexibility to sign the byte array yourself:

val signerOptions = SignerOptions.Builder(signatureFormFields, outputFileUri)
     .setCertificates(getX509Certificates())
     .build()

SigningManager.signDocument(context = context,
     signerOptions = signerOptions,
     type = digitalSignatureType,
     customSigning = { data, hashAlgorithm ->
     // Here you're manually signing `ByteArray` with the provided `hashAlgorithm` and private key. This is a mandatory step if
     // the customer doesn't provide a private key in `SignerOptions`.
     data.signData(key, hashAlgorithm)
     },
     onFailure = {
         // Handle signing errors here.
             }
         ) {
             // The document was successfully signed!
             val signedDocument = Uri.fromFile(outputFile)
         }
Information

For an interactive example of digital signatures, check out DigitalSignatureExample and ManualSigningExample in the Catalog app.

Editing a Digitally Signed Document

When displaying digitally signed documents, PSPDFKit will allow annotation editing unless a DocMDP transform method is specified under the TransformMethod key of the signature information dictionary. When PSPDFKit is used for the signing process, this method is never set, which means annotation editing remains enabled.

Removing a Digital Signature

If you want to remove a signature, access the signed SignatureFormField and call removeSignature() or removeSignatureAsync(). This will remove the DigitalSignatureInfo from the given SignatureFormField.