PDF Signatures: Digital vs Electronic Explained

A scribbled signature image and a cryptographic PAdES signature look the same in a PDF viewer — but legally and technically they're worlds apart. Knowing the difference matters whenever you sign contracts, approve documents, or accept signed PDFs from others.

Signature Types

TypeMechanismIntegrity proofTypical use
Typed namePlain text in a form fieldNoneCasual consent
Drawn / image signaturePasted bitmap overlayNoneInformal documents
Click-to-sign (eSign platform)Audit log + IP/email evidenceExternal logSales contracts, NDAs
Digital signature (PAdES-B)Certificate + hashCryptographicInternal approvals
PAdES-LT / LTACertificate + timestamp + revocationLong-term cryptographicRegulated industries, archives

How Digital Signatures Are Embedded

A digital signature inserts a signature dictionary into the PDF. The dictionary declares a byte range covering everything in the file except the signature value placeholder. The signer's tool hashes that byte range, signs the hash with their private key, and writes the signed hash, signing certificate, and (optionally) a trusted timestamp into the placeholder. Verification reverses the process.

PAdES Profiles

  • PAdES-B (Basic): certificate + signature hash. Minimum viable.
  • PAdES-T: adds a trusted timestamp from a TSA. Proves when the signature existed.
  • PAdES-LT (Long-Term): embeds revocation data (OCSP responses or CRLs) so the signature stays verifiable after the signing certificate expires.
  • PAdES-LTA: adds archive timestamps that can be renewed before cryptographic algorithms become obsolete, extending validity decades.

Best Practices

  1. Use a certificate from a trusted CA — self-signed certificates trigger "unknown identity" warnings.
  2. Always include a trusted timestamp; without it, signatures become unverifiable after certificate expiry.
  3. Lock the document after the final signature so no further changes are possible.
  4. For multi-signer workflows, allow appended signatures and document each role explicitly.
  5. Validate signatures in a reference viewer (Adobe Acrobat or an eIDAS-conformant validator) before relying on them.

Which Signature Type Should You Use?

Match the method to the stakes, not the other way round:

  • Low stakes (internal sign-off, casual consent): a typed name or drawn-image signature is fine. It carries no cryptographic proof, but for routine approvals that is acceptable.
  • Business contracts (NDAs, sales agreements): a click-to-sign eSignature platform adds an audit trail — IP address, email, timestamp, and a tamper-evident log — which is what most commercial disputes actually hinge on.
  • Regulated or high-value (finance, legal filings, public sector): a certificate-based digital signature with a trusted timestamp (PAdES-T or higher) gives cryptographic proof of both identity and integrity, and in the EU can meet eIDAS “advanced” or “qualified” requirements.
  • Long-term archives: use PAdES-LT/LTA so the signature stays verifiable for years even after the original certificate expires.

When in doubt, a timestamped digital signature costs little and removes the “was this changed afterwards?” question entirely.

Combine Signed PDFs Together

Merge signed contracts and approvals into a single packet — fully client-side.

Merge PDF →

Frequently Asked Questions

"Electronic signature" is the broad legal term for any digital indication of intent — even a typed name. A "digital signature" is a specific technology: a certificate and cryptographic hash that bind the signature to both the signer's identity and the exact document bytes, so any later change is detectable. All digital signatures are electronic; not all electronic signatures are digital.
Editing the bytes a signature covers invalidates that signature — that is the whole point. However, PDFs support incremental updates, so additional signatures or form fills can be appended after a signature without breaking it, as long as the document's signature locks permit it. Always re-validate in a trusted viewer after any change.
ETSI profiles (B, T, LT, LTA) for PDF signatures aligned with eIDAS.
Recompute hash, verify with public key, check certificate chain and revocation.
Appended changes are allowed per signature locks; modifying signed bytes invalidates the signature.
Sometimes admissible but weak. For higher value, use digital signatures with audit trails.