A scribbled signature image and a cryptographic PAdES signature look the same in a PDF viewer — but legally and technically they're worlds apart. Knowing the difference matters whenever you sign contracts, approve documents, or accept signed PDFs from others.
Signature Types
| Type | Mechanism | Integrity proof | Typical use |
|---|---|---|---|
| Typed name | Plain text in a form field | None | Casual consent |
| Drawn / image signature | Pasted bitmap overlay | None | Informal documents |
| Click-to-sign (eSign platform) | Audit log + IP/email evidence | External log | Sales contracts, NDAs |
| Digital signature (PAdES-B) | Certificate + hash | Cryptographic | Internal approvals |
| PAdES-LT / LTA | Certificate + timestamp + revocation | Long-term cryptographic | Regulated industries, archives |
How Digital Signatures Are Embedded
A digital signature inserts a signature dictionary into the PDF. The dictionary declares a byte range covering everything in the file except the signature value placeholder. The signer's tool hashes that byte range, signs the hash with their private key, and writes the signed hash, signing certificate, and (optionally) a trusted timestamp into the placeholder. Verification reverses the process.
PAdES Profiles
- PAdES-B (Basic): certificate + signature hash. Minimum viable.
- PAdES-T: adds a trusted timestamp from a TSA. Proves when the signature existed.
- PAdES-LT (Long-Term): embeds revocation data (OCSP responses or CRLs) so the signature stays verifiable after the signing certificate expires.
- PAdES-LTA: adds archive timestamps that can be renewed before cryptographic algorithms become obsolete, extending validity decades.
Best Practices
- Use a certificate from a trusted CA — self-signed certificates trigger "unknown identity" warnings.
- Always include a trusted timestamp; without it, signatures become unverifiable after certificate expiry.
- Lock the document after the final signature so no further changes are possible.
- For multi-signer workflows, allow appended signatures and document each role explicitly.
- Validate signatures in a reference viewer (Adobe Acrobat or an eIDAS-conformant validator) before relying on them.
Which Signature Type Should You Use?
Match the method to the stakes, not the other way round:
- Low stakes (internal sign-off, casual consent): a typed name or drawn-image signature is fine. It carries no cryptographic proof, but for routine approvals that is acceptable.
- Business contracts (NDAs, sales agreements): a click-to-sign eSignature platform adds an audit trail — IP address, email, timestamp, and a tamper-evident log — which is what most commercial disputes actually hinge on.
- Regulated or high-value (finance, legal filings, public sector): a certificate-based digital signature with a trusted timestamp (PAdES-T or higher) gives cryptographic proof of both identity and integrity, and in the EU can meet eIDAS “advanced” or “qualified” requirements.
- Long-term archives: use PAdES-LT/LTA so the signature stays verifiable for years even after the original certificate expires.
When in doubt, a timestamped digital signature costs little and removes the “was this changed afterwards?” question entirely.
Combine Signed PDFs Together
Merge signed contracts and approvals into a single packet — fully client-side.
Merge PDF →