
How to Verify a Digital Signature in a PDF (2026)
A PDF signature panel that shows a name proves nothing on its own. Here's how to actually verify a digital signature and what the different status messages mean.
A PDF with a digital signature may show a name and a checkmark — but that visual indicator alone doesn't prove the signature is valid. Verification requires confirming three things: the signature was applied with a valid certificate, the document hasn't been modified since signing, and the certificate chain traces back to a trusted authority. Here's how to actually check all three.
What Signature Verification Confirms
When you verify a digital signature in a PDF, you're checking:
- Integrity: The document content hasn't changed since the signature was applied. If even one character was altered after signing, verification fails.
- Authenticity: The signature was created using a private key corresponding to the certificate in the PDF — only the certificate holder could have signed it.
- Trust: The certificate was issued by a Certificate Authority (CA) that your system trusts. An untrusted CA means you can't be sure the certificate holder is who they claim to be.
- Validity period: The certificate was valid at the time of signing and hasn't expired or been revoked.
A signature that passes all four checks is trustworthy. One that fails any of them has a problem worth investigating.
Method 1: Adobe Acrobat Reader (Most Common)
Acrobat Reader shows signature status directly in the document and provides detailed validation information.
Reading the signature panel:
- Open the signed PDF in Acrobat Reader
- A blue information bar typically appears at the top: "At least one signature has problems" or "Signed and all signatures are valid"
- Click the Signature Panel button in that bar, or go to View → Navigation Panels → Signatures
The Signatures panel shows each signature in the document. Each signature has a status icon:
- Green checkmark: Signature is valid — document hasn't changed, certificate is trusted
- Yellow triangle (warning): Signature is valid but has issues — expired certificate, unknown CA, or minor validation problem
- Red X: Signature is invalid — document was modified after signing, or the signature itself is corrupt
Getting full details:
- Click the signature in the panel to expand it
- Click "Signature Properties" or right-click → Properties
- The properties dialog shows: signer name, certificate issuer, signing time, validity period, and detailed validation results
Trusting a specific certificate: If Acrobat shows "Certificate is not trusted" but you know the sender and trust them:
- Open Signature Properties → Show Certificate
- Click Trust tab → Add to Trusted Certificates
- Acrobat will now trust documents signed by this certificate
This is appropriate for internal company certificates. For external or public documents, only trust certificates from recognized CAs.
Method 2: Browser-Based Verification (Chrome, Edge, Firefox)
Browser PDF viewers display a visual signature indicator but do not perform cryptographic verification. A "signed" badge in Chrome or Firefox tells you a signature field exists — it does not tell you whether the signature is valid.
For actual cryptographic verification, you must open the PDF in Acrobat Reader or use a dedicated verification tool. Don't rely on browser signature indicators for anything important.
Method 3: Signature Validation via Certificate Properties
For a deeper check — especially when Acrobat shows warnings — examine the certificate chain manually:
- Open the signed PDF in Acrobat
- Signatures panel → click the signature → Signature Properties → Show Certificate
- In the Certificate Viewer, check the Certificate Hierarchy tab
- Each level in the chain should trace back to a root CA listed in your trusted certificates
- Check the Details tab for:
- Valid From / Valid To: Was the certificate valid when the document was signed?
- Revocation: Check the CRL Distribution Points field — this is where revocation information is published
- Key Usage: Should include "Digital Signature"
Common certificate issues:
- Self-signed certificate: no CA chain — you only trust it if you trust the individual directly
- Expired certificate: was the document signed before expiry? (If timestamped, yes — the timestamp proves when signing occurred)
- Revoked certificate: the CA revoked the certificate (signer's private key was compromised) — treat the signature as untrusted
Method 4: Command Line (OpenSSL + pdfsig)
For technical users or scripted verification:
Using pdfsig (part of Poppler):
# Install on Linux
sudo apt-get install poppler-utils
# Verify all signatures in a PDF
pdfsig document.pdf
Output shows each signature's status, signer name, signing time, and whether the document was modified after signing. Returns exit code 0 for all-valid, non-zero for any problems.
Using OpenSSL to inspect the certificate:
# Extract the signature certificate from a signed PDF
# (requires pdftk and openssl)
pdftk document.pdf dump_data_fields | grep -i sig
# More detailed extraction requires parsing the PDF's xref structure
# Most scripted workflows use pyhanko (Python) instead
Using pyHanko (Python — most capable):
pip install pyhanko
python -m pyhanko sign validate document.pdf
pyHanko produces detailed validation output including certificate chain analysis, timestamp validation, and document modification detection. Used in legal and enterprise validation workflows.
What the Different Status Messages Mean
| Status | What it means | What to do |
|---|---|---|
| "Valid — document not modified" | Full verification passed | Accept the signature |
| "Valid — document has been modified" | Document changed after signing — by allowed modifications (form fills, annotations in allowed areas) | Check if modifications were permitted by the signature's Permission level |
| "Signature invalid — document has been modified" | Document changed after signing in ways the signer did not permit | Do not trust this document |
| "Certificate not trusted" | CA not in your trusted list | Check if it's a known CA; add to trust if appropriate |
| "Certificate expired" | Certificate expired after signing | If timestamp proves signing occurred before expiry, signature is still valid |
| "Certificate revoked" | CA revoked the certificate | Treat as untrusted — the private key was compromised |
| "Signature could not be verified" | Verification failed — may be corrupt signature or missing certificate | Investigate; don't trust |
Understanding Document Modification Levels
A signed PDF can contain a Permission level that controls what modifications are allowed after signing without invalidating the signature. There are three levels (defined in ISO 32000):
- No changes allowed: Any modification after signing invalidates the signature
- Form fills and signatures only: Filling form fields and adding signatures is permitted without invalidating the existing signature
- Annotations, form fills, and signatures: Adding comments and annotations is also permitted
Acrobat reports "Document has been modified since signing" even for permitted modifications — the details tell you what type of modification occurred and whether it was permitted.
Verifying a DocuSign or Adobe Sign Envelope
Documents from e-signature platforms like DocuSign don't use PKI digital signatures in the traditional sense — they use audit trail certificates. Verification works differently:
DocuSign: Each completed document comes with a "Certificate of Completion" PDF. Verify the certificate at verify.docusign.com using the Envelope ID from the document.
Adobe Sign: Similarly, Adobe Sign documents have a Transaction ID. Verify at Adobe's verification portal.
These verifications check the platform's own audit trail rather than a cryptographic signature embedded in the PDF.
FAQ
A PDF says "signed" but shows no name. What does that mean?
The signature field exists but is blank or was signed with an anonymous certificate. Open Signature Properties to check — if the certificate has no Common Name or Organizational Unit, the signer chose to remain anonymous (or the certificate was poorly issued). This provides tamper-evidence (any modification invalidates it) but no identity verification.
Can a digital signature be faked?
Practically no — not without access to the signer's private key. The cryptographic algorithm (typically RSA or ECDSA with SHA-256 or stronger) can't be broken with current computing power. What can be faked is the visual appearance of a signature — someone could create a PDF that looks like it has a valid signature badge without actually having one. This is why you must check the actual cryptographic validation, not just the visual indicator.
My signed PDF shows valid in Acrobat but invalid in another reader. Why?
Different PDF readers have different trusted certificate stores and different validation implementations. Acrobat uses Adobe's Approved Trust List (AATL) and optionally the European Union Trusted Lists (EUTL). A reader that doesn't trust the CA that issued the signer's certificate will show "untrusted" even for a cryptographically valid signature. The signature is valid — the reader just doesn't recognize the CA. Acrobat Reader is the most complete reference implementation for PDF signature validation.
Does adding an annotation to a signed PDF invalidate the signature?
It depends on the signature's Permission level. If the signature permits "Annotations, form fills, and signatures" (level 3), adding annotations after signing is allowed without invalidating the signature. If the permission is "No changes allowed" (level 1), even adding a highlight comment invalidates it. Check Signature Properties → Signing Certificate → Permissions to see what the signer allowed.


