You receive a PDF with the header "Digitally signed." But how do you know that signature is actually valid? And what is the difference between a document carrying a digital signature and one with a scanned image of a handwritten signature pasted in? These questions come up every week in legal, accounting and HR offices — and the confusion has a cost: documents without validity treated as valid, and valid documents rejected because the verifier does not understand the mechanism.
This guide explains, without unnecessary jargon, how digital signatures work, how to verify a PDF signature correctly, which standards are accepted, and what to do when the verification result is negative.
The difference that defines everything: digital signature vs. signature image
Before any verification, it is essential to clear up the most common confusion:
Signature image (also called a scanned or digitized signature) is a photo or scan of a handwritten signature inserted as a graphic element in the PDF. It looks like a signature, but technically it is just a rectangle of pixels — it can be copied from one document to another, is not mathematically bound to the content, and guarantees nothing about integrity or authorship.
Digital signature is a cryptographic mechanism: the signature is calculated from the document's content and the signer's private key, and is mathematically verifiable by anyone with the corresponding public key. It proves two things at once: that the signer actually signed (authorship) and that the document has not been modified since (integrity).
The practical distinction is clear: a scanned signature on a legal brief could be anything — a screenshot pasted in. A digital ICP-Brasil signature on a document is verifiable, traceable and carries a legal presumption of authenticity recognized by law.
How a digital signature works on the inside
The mechanism is elegant and worth understanding because it is often poorly described:
Each signer has a cryptographic key pair: a private key, which stays under the exclusive custody of the holder (on a physical USB token, an A1 certificate protected by password, or a hardware security module), and a public key, which can be freely distributed.
When someone digitally signs a PDF, the following happens:
- The software calculates the SHA-256 hash of the document (a 64-character sequence that uniquely represents that content — what a hash is, explained in detail);
- That hash is encrypted with the signer's private key — the result is the signature;
- The signature, along with the signer's digital certificate (which contains the public key and identity data), is embedded in the PDF file.
To verify the signature, the verifier takes the reverse path:
- Decrypts the signature using the signer's public key (obtained from the embedded certificate);
- Obtains the original hash that was signed;
- Recalculates the hash of the current document;
- Compares the two hashes: if they match, the signature is valid — the document has not changed since it was signed. If they differ, the document was modified after signing.
Digital certificates: ICP-Brasil and gov.br
A digital signature only proves authorship if the accompanying certificate is trustworthy — i.e. if a recognized certification authority confirms that that public key belongs to that person or company.
ICP-Brasil is the Brazilian Public Key Infrastructure, regulated by the ITI (National Institute of Information Technology). The most common ICP-Brasil certificates:
- A1 (software): installed directly on the computer or browser, valid for 1 year, protected by password. More convenient, but with a lower security level since the private key is in a file on disk;
- A3 (hardware): stored on a USB token or smart card, valid for up to 3 years. The private key never leaves the physical device — the standard required for higher-impact legal acts;
- e-CPF and e-CNPJ: the popular names for individual and corporate ICP-Brasil certificates.
gov.br signature is the digital signature service offered by the federal government, tied to a gov.br account. Three trust levels (bronze, silver, gold), with the gold level requiring biometric validation. It is accepted for most acts with public agencies and has growing acceptance in the private sector.
DocuSign, ClickSign, D4Sign and similar platforms are electronic signature platforms. They may operate with ICP-Brasil certificates, the gov.br signature, or proprietary mechanisms with lower evidentiary weight. Legal validity depends on which mechanism was used and what the applicable contract or regulation requires.
How to verify if a PDF is digitally signed — step by step
In Adobe Acrobat Reader (free)
Adobe Acrobat Reader displays a signatures panel that is the most accessible method for most users:
- Open the PDF in Adobe Acrobat Reader;
- If the document has a digital signature, a Signatures panel will appear in the left sidebar (badge icon) or a colored bar at the top of the screen;
- Click on the panel or the bar to see the details: signer name, date and time of signature, certification authority, validity status;
- A green tick (✓) indicates the signature is mathematically valid and the document has not been altered; a warning icon indicates a problem (see section below).
On the ITI Validator (official Brazilian reference)
The ITI provides the Signature Validator at validar.iti.gov.br — the official reference for verifying ICP-Brasil signatures:
- Access the portal and upload the file;
- The report indicates: who signed, when, which certification authority issued the certificate, whether the certificate was valid on the date of signing, and whether the document was not modified after signing.
For documents that should never leave your computer, the Acrobat Reader verifier processes locally — and to verify file integrity without relying on signatures, RoseLab's integrity checker calculates the SHA-256 hash locally, without sending the file to any server.
What signature alerts mean
Not every "invalid signature" alert means fraud. The most common cases have technical explanations:
"Document modified after signing" This is the most serious alert: the file was altered after it was signed. It may indicate tampering, but it can also result from PDF compression, splitting into parts, removing pages or even inadvertent re-export. Before concluding fraud, check the file's history. If you want to identify what changed relative to the originally signed version, open the two versions in the PDF comparison tool with automatic difference highlighting enabled.
"Unknown certificate" or "Untrusted certificate" The PDF reader could not verify the certification chain — it could not confirm that the signer's certificate was issued by a recognized authority. This frequently occurs with ICP-Brasil certificates when the chain roots are not installed on the computer. Solution: install the ICP-Brasil root certificates available on the ITI website and re-verify.
"Revoked certificate" The signer's certificate was cancelled before or after the signature. If revoked before signing, the signature is not valid. If revoked afterwards, the signature may remain valid — what matters is the status on the date of signing, and a trusted timestamp is the evidence. More on this in the document cryptography guide.
"Expired certificate" Similar to revocation: what matters is whether the certificate was valid at the time of signing, not on the verification date. A contract signed in 2022 with a certificate valid at that time remains a 2022 signature, even if the certificate expired in 2023.
Digital signatures and the correct PDF manipulation flow
Once you understand how digital signatures work, the operational rule becomes clear:
All PDF manipulation comes before signing. If the document needs to be compressed, split into parts, have pages removed, be merged with other files or have images converted — all of this must happen before collecting any digital signatures.
After signing, the file is untouchable. Store the original signed file with its hash registered (checker) and work only on copies when you need to manipulate the file.
For a complete view of the document preparation, comparison and filing workflow, read the complete guide to comparing documents and proving what changed.
Frequently asked questions
Does a digital signature have legal validity in Brazil without ICP-Brasil? Law No. 14,063/2020 establishes that electronic documents are valid as evidence, evaluated case by case. An ICP-Brasil signature carries a legal presumption of authenticity (the burden of proving falsity is on whoever contests it). Signatures by other mechanisms (gov.br, private platforms) have contractual validity between parties that accepted them, but the legal presumption is lower.
Can I sign a PDF for free? The gov.br signature is free and legally recognized for most acts. An ICP-Brasil certificate has an issuance cost (varies by certification authority, generally R$ 150–400 for individuals). Platforms like DocuSign and ClickSign have free plans with document limits.
How do I know if my PDF has a digital signature or just a signature image? The simplest way: open the PDF in Adobe Acrobat Reader. If no Signatures panel or signature status bar appears, what you see is just an image — with no cryptographic value. A digital signature always generates a verification panel in Acrobat.
Can I verify the signature without installing anything? For basic integrity verification, RoseLab's checker works directly in the browser, without installation, calculating the hash locally. For formal verification of ICP-Brasil digital signatures, the ITI Validator at validar.iti.gov.br is the official reference and also works in the browser.
How many people can sign the same PDF? Multiple digital signatures can be embedded in the same PDF — each signer signs the document in the state it was in at the time of signing. If the document is modified after the first signature, only the signatures prior to the modification become invalid; signatures made afterwards (on the already-modified document) remain valid with respect to the content they cover.
Ready to put it into practice?
Free, no sign-up — and your files never leave your computer.
Verify my document's integrity — free