How to check the validity of a digital signature created via Penneo Sign
When signing a PDF document via Penneo Sign, digital signatures are created in XML format (based on the XAdES standard) with digital certificates. These signatures are attached to the PDF document, which is then sealed with a qualified electronic seal (based on the PAdES standard).
As a result, the final PDF holds evidence that the digital certificates were valid at the time of signing and that the digital signatures are legally binding.
In case of a dispute, the signed documents themselves contain all the evidence required to prove the authenticity of both the document and each individual signature.
Below are three methods you can use to validate digitally signed documents (including the XAdES-based signatures and PAdES-based seals).
1. Verifying the validity of digital signatures via a PDF reader
Most modern PDF readers, such as Adobe Reader, have built-in tools to validate digital signatures.
The seal ensures the probative value of the document. If the document is not legally valid, the bar will show the following text: “Certification by Penneo A/S is invalid”.
The qualified electronic seal is applied by Penneo at the end of the signing process. Once the signers have signed the document, Penneo seals the signed document with the embedded XML signatures according to the PAdES standard. By applying the final seal to the document, it’s as if Penneo acted as the last and final signer of the document. The seal is incorporated directly within the signed PDF, much as an ink signature becomes an integral part of a paper document.
This ensures that the document never loses its legal reliability, as the complete self-contained PDF file contains everything you need to verify the signatures’ validity and remains valid for long periods. At the same time, the PDF file can be copied, stored, and distributed as a simple electronic file.
You can click on the signature icon in the left tab or on the Signature Panel button to get additional details on the legal validity of the document seal.
You can read more about what “Certified by Penneo A/S” means – i.e., the document can’t be edited, the certificate has been issued by a QTSP, and so on.
You can also click on Certificate Details to read information about the digital certificate included in the document.
You can also click on the paperclip icon in the left tab if you want to view the digital signatures in XML format and the timestamps for each signature.
Here, you can also access the audit trail, where all the steps of the signing process are recorded. The audit trail is in a human-readable format so that it can be used as evidence in court. It shows the time and IP associated with each activity, from opening and viewing the document to signing it.
Although all these cryptographic elements are embedded within the PDF, they can look different in other PDF readers.
2. Verifying digital signatures via Penneo’s Validator
You can also use the Penneo Validator to check the validity of digital signatures created via Penneo. Just access the validation platform and upload the signed document by clicking on Choose document to check. The Penneo Validator validates both the individual signers’ XAdES signatures and the PAdES signature (Penneo’s seal) on the PDF document.
The Penneo Validator also validates that each XAdES signature belongs to that specific PDF document.
In the case that somebody tries to tamper with the document (for example, by removing the seal, replacing the attached XAdES signatures with new ones, and adding a new valid seal), the Penneo Validator would detect that the document has been compromised, and declare it invalid.
Similarly, it’s not possible to create a fake signed document by copying a XAdES signature from a legitimate signed document to another PDF, as the Penneo Validator would detect the manipulation and declare the document invalid.
You will then see the validation results. Review the results and compare them with your document.
If Social Security Number validation was enabled for a signer by the sender of the document, then you can also validate the signer’s identity by entering their social security number in the Check signer identity field and clicking Check. If the SSN you typed matches the SSN of the signer, the box will turn green; if it doesn’t, it will turn pink. Note that it will also turn pink if the Social Security Number validation feature wasn’t enabled for the signer.
3. Verifying digital signatures via the EU’s Commission Validation Platform
You can use the EU DSS Validator to verify the validity of PAdES and XAdES signatures. To validate a document signed via Penneo, upload the PDF to the EU DSS Validator and click Submit.
Below is an example of a Simple report, but you can click on the button Detailed Report to read more information about the document’s legal validity.
When validating a document signed via Penneo through the EU DSS Validator, the validation result will show, under Signatures status, that there is one valid signature on the document – regardless of the actual number of signatures that have been applied to it.
That is because a standard PDF validator, such as the EU DSS Validator, is only able to run a PAdES validation on a PDF document. So, if we submit signed PDFs produced by Penneo to the EU DSS Validator, all the XAdES signatures that are embedded into the PDFs will be ignored, and only the author signature produced by Penneo will be validated. In other words, the only element validated will be Penneo’s final (PAdES-based) seal.
If you want to verify the validity of the individual XAdES signatures included in the PDF, you can follow the process explained below:
- Download the XML signatures: you can do so by opening the signed PDF in Adobe Reader, clicking on the paperclip icon, selecting all the files whose description contains Signature for (Name) and Signed data for (Name), and downloading them.
- Validate each signature separately by uploading the files into the EU DSS validator:
  - Use the Signature for (Name) file in the Signed file field
  - Use the Signed data for (Name) file in the Original file(s) field, whenever this file is available for the signer (this file won’t be present when using certain signing methods, including but not limited to QES via itsme®).
- Inspect the resulting report, which will tell you whether such signatures are valid.
3.1. Limitations
The EU DSS Validator validates that each signature is valid, but does not validate that they belong to the specific PDF document.
Suppose the seal is removed from a signed document, the signatures (attached XML files) are replaced with new ones, and a new valid seal is added. The result will still look valid in the EU DSS Validator (and in Adobe Reader, for that matter). That’s because both the new seal and the new signatures are valid.
Penneo’s own Validator, however, will detect that the document has been compromised as it also validates the unique relationship between each XAdES signature (attached XML file) and the content of the PAdES-based PDF document.
3.2. Why do the EU DSS Validator and Penneo’s validator not behave the same way?
As mentioned above, the EU DSS Validator only runs PAdES validations. So when uploading a signed PDF with attached XML signatures and sealed with a PAdES seal, the EU DSS Validator will only reveal the validity of the PAdES seal. The only way to verify the validity of the XML signatures is by following the more complex process described above, which still doesn’t ensure that the signatures belong to the document.
The Penneo Validator, instead, is custom-built to validate both the PAdES signature/s in the PDFs produced by Penneo and all the XAdES signatures that are embedded into the PDFs.
Although standards exist for both XAdES and PAdES signatures, and Penneo fully adheres to both standards, a standard isn’t defined for how to embed XAdES signatures (XML format) in a PAdES document (PDF format) for visual presentation. Many signature providers do this, albeit in slightly different ways, which standard PDF validators don’t consider.