Verifying the validity of digital signatures

Digital signatures are essential for verifying the identity of signers and safeguarding the integrity of signed documents. But how can you be sure a digital signature is truly valid? As more businesses rely on digital signatures for documents such as employment contracts, annual reports, and engagement letters, being able to verify their validity is more important than ever.

In this article, we’ll guide you through the three key methods for verifying the validity of digital signatures created via Penneo Sign.

What makes a digital signature valid?

The term “digital signature” is often used to describe both advanced and qualified electronic signatures. Under the eIDAS regulation, qualified electronic signatures carry the same legal weight as handwritten signatures.

Penneo Sign enables users to create both advanced and qualified electronic signatures. Advanced electronic signatures can be created using MitID, Swedish BankID, Norwegian BankID, Finnish Bank ID, and Mobiilivarmenne, while qualified electronic signatures can be created using itsme®.

For a digital signature to be valid, two key conditions must be met:

  • the signature must ensure that no modification has been made to the document after it has been signed
  • the signature must be supported by a certificate identifying the signatory, and only the signatory must be able to produce the signature

How to check the validity of a digital signature created via Penneo Sign

When signing a PDF document via Penneo Sign, digital signatures are created in XML format (based on the XAdES standard) with digital certificates. These signatures are attached to the PDF document, which is then sealed with a qualified electronic seal (based on the PAdES standard).

As a result, the final PDF holds evidence that the digital certificates were valid at the time of signing and that the digital signatures are legally binding.

In case of a dispute, the signed documents themselves contain all the evidence required to prove the authenticity of both the document and each individual signature.

Below are three methods you can use to validate digitally signed documents (including the XAdES-based signatures and PAdES-based seals).

1. Verifying the validity of digital signatures via a PDF reader

Most modern PDF readers, such as Adobe Reader, have built-in tools to validate digital signatures.

When you open the signed document in a PDF reader, the first thing you’ll notice is the document’s seal. In Adobe Reader, this seal appears as a blue bar at the top of the screen.

Seal of the document

For documents signed via Penneo Sign, the seal is a qualified electronic seal issued by Intesi Group, a Qualified Trust Service Provider (QTSP) listed on the EU Trust List.

The seal ensures the probative value of the document. If the document is not legally valid, the bar will show the following text: Certification by Penneo A/S is invalid.

The qualified electronic seal is applied by Penneo at the end of the signing process. Once the signers have signed the document, Penneo seals the signed document with the embedded XML signatures according to the PAdES standard. By applying the final seal to the document, it’s as if Penneo acted as the last and final signer of the document. The seal is incorporated directly within the signed PDF, much as an ink signature becomes an integral part of a paper document.

This ensures that the document never loses its legal reliability, as the complete self-contained PDF file contains everything you need to verify the signatures’ validity and remains valid for long periods. At the same time, the PDF file can be copied, stored, and distributed as a simple electronic file.

You can click on the signature icon in the left tab or on the Signature Panel button to get additional details on the legal validity of the document seal.

Signature panel

You can read more about what Certified by Penneo A/S means – i.e., the document can’t be edited, the certificate has been issued by a QTSP, and so on.

You can also click on Certificate Details to read information about the digital certificate included in the document.

Certificate details

You can also click on the paperclip icon in the left tab if you want to view the digital signatures in XML format and the timestamps for each signature.

Signatures in XML format and timestamps

Here, you can also access the audit trail, where all the steps of the signing process are recorded. The audit trail is in a human-readable format so that it can be used as evidence in court. It shows the time and IP associated with each activity, from opening and viewing the document to signing it.

Audit trail

Although all these cryptographic elements are embedded within the PDF, they can look different in other PDF readers.

2. Verifying digital signatures via Penneo’s Validator

You can also use the Penneo Validator to check the validity of digital signatures created via Penneo. Just access the validation platform and upload the signed document by clicking on Choose document to check. The Penneo Validator validates both the individual signers’ XAdES signatures and the PAdES signature (Penneo’s seal) on the PDF document.

The Penneo Validator also validates that each XAdES signature belongs to that specific PDF document.

If somebody tries to tamper with the document (for example, by removing the seal, replacing the attached XAdES signatures with new ones, and adding a new valid seal), the Penneo Validator would detect that the document has been compromised and declare it invalid.

Similarly, it’s not possible to create a fake signed document by copying a XAdES signature from a legitimate signed document to another PDF, as the Penneo Validator would detect the manipulation and declare the document invalid.

Choose document to check

You will then see the validation results. Review the results and compare them with your document.

Validation results

If Social Security Number validation was enabled for a signer by the sender of the document, then you can also validate the signer’s identity by entering their social security number in the Check signer identity field and clicking Check. If the SSN you typed matches the SSN of the signer, the box will turn green; if it doesn’t, it will turn pink. Note that it will also turn pink if the Social Security Number validation feature wasn’t enabled for the signer.

3. Verifying digital signatures via the EU’s Commission Validation Platform

You can use the EU DSS Validator to verify the validity of PAdES and XAdES signatures. To validate a document signed via Penneo, upload the PDF to the EU DSS Validator and click Submit.

EU Validator

Below is an example of a Simple report, but you can click on the button Detailed Report to read more information about the document’s legal validity.

Validation result

When validating a document signed via Penneo through the EU DSS Validator, the validation result will show, under Signatures status, that there is one valid signature on the document – regardless of the actual number of signatures that have been applied to it.

That is because a standard PDF validator, such as the EU DSS Validator, is only able to run a PAdES validation on a PDF document. So, if we submit signed PDFs produced by Penneo to the EU DSS Validator, all the XAdES signatures that are embedded into the PDFs will be ignored, and only the author signature produced by Penneo will be validated. In other words, the only element validated will be Penneo’s final (PAdES-based) seal.

If you want to verify the validity of the individual XAdES signatures included in the PDF, you can follow the process explained below:

  1. Download the XML signatures: you can do so by opening the signed PDF in Adobe Reader, clicking on the paperclip icon, selecting all the files whose description contains Signature for (Name) and Signed data for (Name), and downloading them.
  2. Validate each signature separately by uploading the files into the EU DSS validator:
    • Use the Signature for (Name) file in the Signed file field
    • Use the Signed data for (Name) file in the Original file(s) field, whenever this file is available for the signer (this file won’t be present when using certain signing methods, including but not limited to QES via itsme®).
  3. Inspect the resulting report, which will tell you whether such signatures are valid.
    • 3.1. Limitations: The EU DSS Validator validates that each signature is valid, but does not validate that they belong to the specific PDF document. Suppose the seal is removed from a signed document, the signatures (attached XML files) are replaced with new ones, and a new valid seal is added. The result will still look valid in the EU DSS Validator (and in Adobe Reader, for that matter). That’s because both the new seal and the new signatures are valid. Penneo’s own Validator, however, will detect that the document has been compromised as it also validates the unique relationship between each XAdES signature (attached XML file) and the content of the PAdES-based PDF document.
    • 3.2. Why do the EU DSS Validator and Penneo’s validator not behave the same way? As mentioned above, the EU DSS Validator only runs PAdES validations. So when uploading a signed PDF with attached XML signatures and sealed with a PAdES seal, the EU DSS Validator will only reveal the validity of the PAdES seal. The only way to verify the validity of the XML signatures is by following the more complex process described above, which still doesn’t ensure that the signatures belong to the document. The Penneo Validator, instead, is custom-built to validate both the PAdES signature/s in the PDFs produced by Penneo and all the XAdES signatures that are embedded into the PDFs. Although standards exist for both XAdES and PAdES signatures, and Penneo fully adheres to both standards, a standard isn’t defined for how to embed XAdES signatures (XML format) in a PAdES document (PDF format) for visual presentation. Many signature providers do this, albeit in slightly different ways, which standard PDF validators don’t consider.
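
What the Original file(s) field in step 2 is for, sketched as an added example (not Penneo’s or the EU DSS Validator’s code): a detached XML signature carries a digest of the data it covers, and a validator recomputes that digest over the file you supply. It assumes a reference with no transforms over the raw file bytes, uses a constructed XML skeleton from the hypothetical helper build_sample_signature, and does not check the signature value or the certificate chain.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # untrusted XML: prefer a hardened parser

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIGNED_PROPS = "http://uri.etsi.org/01903#SignedProperties"
DIGESTS = {  # digest algorithm URI -> hashlib name
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def check_detached_references(signature_xml, signed_data):
    """Return (URI, matches) for every data reference in the signature."""
    results = []
    for ref in ET.fromstring(signature_xml).iter(DS + "Reference"):
        if ref.get("Type") == SIGNED_PROPS:
            continue  # XAdES signed-properties reference, not the document
        if ref.find(DS + "Transforms") is not None:
            raise ValueError("transforms present: use a full XMLDSig library")
        alg = ref.find(DS + "DigestMethod").get("Algorithm")
        if alg not in DIGESTS:
            raise ValueError(f"unsupported digest algorithm: {alg}")
        expected = base64.b64decode(ref.find(DS + "DigestValue").text.strip())
        actual = hashlib.new(DIGESTS[alg], signed_data).digest()
        results.append((ref.get("URI"), hmac.compare_digest(expected, actual)))
    return results


def build_sample_signature(data):
    """Constructed skeleton holding only the fields read above (no real signature)."""
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    sha256 = "http://www.w3.org/2001/04/xmlenc#sha256"
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        f'<ds:Reference URI="signed-data"><ds:DigestMethod Algorithm="{sha256}"/>'
        f"<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>"
        f'<ds:Reference Type="{SIGNED_PROPS}" URI="#props">'
        f'<ds:DigestMethod Algorithm="{sha256}"/>'
        "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>"
        "</ds:SignedInfo></ds:Signature>"
    ).encode()


if __name__ == "__main__":
    original = b"constructed signed data for one signer"
    sig = build_sample_signature(original)
    print(check_detached_references(sig, original))             # digest matches
    print(check_detached_references(sig, b"another document"))  # mismatch
```

A match ties the signature to the signed-data file only; as the limitations above state, it does not show that the signature belongs to a particular PDF.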
