This area is a central hub to collect our examples, FAQs, articles and other resources related to the topic of digitally signing PDF documents with iText.
eBooks
Digital Signatures for PDF Documents
Our Digital Signatures eBook is available as a free download from the linked page. Although it was originally written for iText 5/iTextSharp, many of the described concepts and operations are still relevant and transferable to the current versions of iText.
NOTE: The iText 5-based code snippets included in the eBook were accompanied by complete examples available on our website. Since then, they have been completely updated and rewritten for iText Core. This meant significant changes in some cases, and some examples were no longer applicable.
Digital Signatures for PDF Documents Examples
The following Java and .NET (C#) examples apply to the latest releases of iText.
Blockchain for PDF Documents
You've paid a digital invoice from your supplier, and afterwards it turned out to be fake: you were a victim of invoicing fraud. These issues and many more can now be solved by Blockchain. This eBook focuses on how you can use Blockchain in combination with PDFs to write applications.
Examples
Spotlighted Examples
To make porting old digital signing solutions and creating new ones from scratch easier, this series of articles describes the iText high level signing API and provides examples for using it with many kinds of signing devices currently in use.
iText Core Examples
- Post-Quantum Cryptography (PQC) support in iText
- Adding a digital signature placeholder in HTML templates
- Workaround for Required Extension Missing or Incorrect
- iText 9 Signing Improvements
- Advanced examples for SignatureFieldAppearance
- PAdES Signing High Level API
- iText Core: Signature Appearance Improvements
- FIPS & SHA3 Examples for iText Core 8.0.0
- Digital Signing with iText
- pdfOffice: Digital Signing
- An IExternalSignature implementation for signing via PKCS#11 with the Entrust Signing Automation Service
- Using iText and AWS KMS to digitally sign a PDF document: Part 5
- Using iText and AWS KMS to digitally sign a PDF document: Part 4
- Using iText and AWS KMS to digitally sign a PDF document: Part 3
- Using iText and AWS KMS to digitally sign a PDF document: Part 2
Resources
This table represents the current support in iText Core for the ISO/TS 32001, ISO/TS 32002, ISO/TS 32003 and ISO/TS 32004:2024 extensions to the ISO 32000-2 (PDF 2.0) specification. For more information on the ISO/TS 32001 and ISO/TS 32002 extension standards and their initial implementation in iText Core version 8, see our article on the subject.
For details on how to use the dedicated signature validation module available in iText Core version 9 (and previewed in version 8.0.5), you can see the following articles.
iText Core 9.5.0 added preliminary support for creating and validating quantum-resistant digital signatures using Bouncy Castle. This is intended for experimentation and preparation as this is a pre-standard implementation, and so PQC-signed PDFs are not yet standards-compliant. Once the PDF standard is finalized, we will move from this proof-of-concept to a full implementation.
However, you can use this implementation to familiarize yourself with the post-quantum cryptography algorithms supported by Bouncy Castle, and develop internal expertise on the API and larger signature sizes required by PQC algorithms.
FAQs
iText FAQs
Articles/Tutorials
Digital Signing with iText
To make porting old digital signing solutions and creating new ones from scratch easier, this series of articles describes the iText high level signing API and provides examples for using it with many kinds of signing devices currently in use.
Digitally Signing PDFs with AWS KMS and iText
Securing and automating digital document workflows is increasingly important in the modern business world. A crucial part of creating secure digital signatures is generating public and private keys for signing, and cloud providers such as Amazon, Google, and Microsoft now offer highly-secure cryptographic key management services. Since iText is used by many businesses and signing services to integrate secure digital signatures into PDFs, this step-by-step article shows developers how to use iText and the AWS KMS APIs to generate a digital signature and add it to a PDF document.
Related code examples
- Using iText and AWS KMS to digitally sign a PDF document: Part 1
- Using iText and AWS KMS to digitally sign a PDF document: Part 2
- Using iText and AWS KMS to digitally sign a PDF document: Part 3
- Using iText and AWS KMS to digitally sign a PDF document: Part 4
- Using iText and AWS KMS to digitally sign a PDF document: Part 5
Digital Signing Services and iText
When we want to sign a PDF with a digital signature, we need to generate a hash from the document’s data and sign it with a private key. A Digital Signing Service (or DSS) is usually cloud-based software that takes the responsibility of signing the document hash. One such signing service is GlobalSign, a widely-used WebTrust-certified certificate authority and provider of Identity Services. This tutorial demonstrates how to use the GlobalSign API and iText Core to sign a PDF document’s hash and then add the digital signature to the PDF.
PDF Digital Signature Vulnerabilities and Attacks
In February 2019, a team of security researchers published details of vulnerabilities in the digital signing system of many PDF viewers and online PDF digital signing services. After investigating these vulnerabilities, we found that updates to iText introduced in version 7.1.5 and the iText 5.5.13.1 maintenance release meant we were not vulnerable to the described attacks.
However, it was determined that the current names of the methods for checking and verifying signatures could be improved to better reflect their functionality. Therefore we decided to deprecate the SignatureUtil#verifySignature and PdfPKCS7#verify methods, and replace them with SignatureUtil#readSignatureData and PdfPKCS7#verifySignatureIntegrityAndAuthenticity which were introduced in iText 7.1.6. This blog was written for those who would like to know more about the three types of attacks described in the report and how iText document verification works.
Investigating PDF Shadow Attacks
On 22 July 2020, the same team of security researchers announced a novel series of vulnerabilities which they coined the PDF Shadow Attacks. Unlike the earlier vulnerabilities, the shadow attacks aren’t of a cryptographic nature, but are situated in the visual realm of PDF. As a result, independent PDF expert Michael Klink was invited on board as a technical consultant to vet iText against these new attacks.
Following a clean bill of health, we published a three-part series of articles dedicated to PDF Shadow Attacks, highlighting how iText can be turned into an invaluable defense asset against such attacks.
- Investigating PDF Shadow Attacks: What are Shadow Attacks? (Part 1)
- Investigating PDF Shadow Attacks: In-Depth PDF Security using iText (Part 2)
- Investigating PDF Shadow Attacks: In-Depth PDF Security using iText (Part 3)
Videos/Webinars
In this talk by Matthias Valvekens at FOSDEM 2022, we explore how the ever-continuing push for digitalization has increased our reliance on trust services of various kinds, filling various needs relating to document signing, code signing, authorization tokens, and so forth. Many of these trust services rely on public-key infrastructure (PKI) and X.509 certificates; however, the sensitive nature of these tools makes them difficult to use in a testing environment. On the one hand, exposing access to production keys in your CI is obviously a terrible idea. But on the other hand, setting up and maintaining a fully functional "mock" PKI environment is also pretty tricky. What can you do about that?
The push for paperless bureaucracy has been going on for quite some time, but the circumstances of the past year made the issue even more pressing than it already was. In this talk presented by iText Research Engineer Matthias Valvekens at FOSDEM 2021, we discuss how you can leverage PDF to build secure, yet user-friendly document workflows. We go over what it means to "trust" a digital signature, and how that trust is validated in practice. In addition, we touch upon some of the common pitfalls in PDF security that you should be aware of to prevent your documents from being exploited.
In this webinar from March 2020, iText Research Manager Michaël Demey and Duff Johnson from the PDF Association discuss PDF security options, focusing on encryption and digital signatures and how you can get started in securing your workflows and user experience right away with real examples using iText.
iText has always been at the forefront of digital signatures in PDF by supporting PAdES and being one of the first to support signatures in the latest PDF 2.0 specification. In this introduction to PDF digital signatures, iText Research Manager and digital signatures enthusiast Michaël Demey explores what digital signing is all about, and explains the key goals of integrity, authenticity, and non-repudiation. He then takes you through the core concepts of hashing, encryption, and certificate authorities, before getting into the technical nitty-gritty like server and client-side signing and deferred signing, and demonstrates the Smart Certificate use case from our customer CVTrust.