1pdfsig(1)                   General Commands Manual                  pdfsig(1)
2
3
4

NAME

6       pdfsig - Portable Document Format (PDF) digital signatures tool
7

SYNOPSIS

9       pdfsig [options] [PDF-file] [Output-file]
10

DESCRIPTION

12       pdfsig verifies the digital signatures in a PDF document.  It also dis‐
13       plays the identity of each signer (commonName field  and  full  distin‐
14       guished  name of the signer certificate), the time and date of the sig‐
15       nature, the hash algorithm used for signing, the type of the  signature
16       as  stated in the PDF and the signed ranges with a statement wether the
17       total document is signed.  It can  also  sign  PDF  documents  (options
18       -add-signature or -sign).
19
20       pdfsig  uses  the  trusted  certificates stored in the Network Security
21       Services (NSS) Database.
22
23       pdfsig also uses the Online Certificate Status Protocol  (OCSP)  (refer
24       to  http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) to
25       look up the certificate online and check if it has been revoked (unless
26       -no-ocsp has been specified).
27
28       The NSS Database is searched for in the following locations:
29
30       •      If  the  -nssdir option is specified, the directory specified by
31              this option.
32
33       •      The NSS Certificate database in  the  default  Firefox  profile.
34              i.e. $HOME/.mozilla/firefox/*.default.
35
36       •      The NSS Certificate database in /etc/pki/nssdb.
37

OPTIONS

39       -nssdir [prefix]directory
40              Specify  the  database  directory containing the certificate and
41              key database files. See certutil(1) -d option for details of the
42              prefix. If not specified the other search locations described in
43              DESCRIPTION are used.
44
45       -nss-pwd password
46              Specify the password needed to access the NSS database (if any).
47
48       -nocert
49              Do not validate the certificate.
50
51       -no-ocsp
52              Do not perform online OCSP certificate revocation  check  (local
53              Certificate Revocation Lists (CRL) are still used).
54
55       -aia   Enable  the  use of Authority Information Access (AIA) extension
56              to fetch missing certificates to build the certificate chain.
57
58       -dump  Dump all signatures into current directory.
59
60       -add-signature
61              Add a new signature to the document.
62
63       -new-signature-field-name  name
64              Specifies the field name to be used when adding a new signature.
65              A random ID will be used by default.
66
67       -sign  field
68              Sign  the  document  in the specified signature field present in
69              the document (must be unsigned).   Field  can  be  specified  by
70              field  name (string) or the n-th signature field in the document
71              (integer).
72
73       -nick  nickname
74              Use the certificate with the  given  nickname  for  signing.  If
75              nickname starts with pkcs11:, it's treated as PKCS#11 URI.
76
77       -kpw  password
78              Use  the given password for the signing key (this might be miss‐
79              ing if the key isn't password protected).
80
81       -digest  algorithm
82              Use the given digest algorithm for signing (default: SHA256).
83
84       -reason  reason
85              Set the given reason string for the signature (default: no  rea‐
86              son set).
87
88       -etsi  Create  a  signature  of  type  ETSI.CAdES.detached  instead  of
89              adbe.pkcs7.detached.
90
91       -list-nicks
92              List available nicknames in the NSS database.
93
94       -v     Print copyright and version information.
95
96       -h     Print usage information.  (-help and --help are equivalent.)
97

EXAMPLES

99       pdfsig signed_file.pdf
100              Displays signature info for signed_file.pdf.
101
102       pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick  my-
103       cert -reason 'for fun!'
104              Creates  a  new  pdf  named  output.pdf with the contents of in‐
105              put.pdf signed by the 'my-cert' certificate.
106
107       pdfsig input.pdf  output.pdf  -add-signature  -nss-pwd  password  -nick
108       'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'
109              Same,  but uses a PKCS#11 URI as defined in IETF RFC 7512 to se‐
110              lect the certificate to be used for signing.
111
112       pdfsig input.pdf output.pdf -sign 0  -nss-pwd  password  -nick  my-cert
113       -reason 'for fun!'
114              Creates  a  new  pdf  named  output.pdf with the contents of in‐
115              put.pdf signed by the 'my-cert' certificate. input.pdf must have
116              an already existing un-signed signature field.
117

AUTHOR

119       The  pdfsig  software and documentation are copyright 1996-2004 Glyph &
120       Cog, LLC and copyright 2005-2015 The Poppler Developers  -  http://pop
121       pler.freedesktop.org
122

SEE ALSO

124       pdfdetach(1),  pdffonts(1),  pdfimages(1),  pdfinfo(1),  pdftocairo(1),
125       pdftohtml(1),  pdftoppm(1),  pdftops(1),  pdftotext(1)  pdfseparate(1),
126       pdfunite(1) certutil(1)
127
128
129
130                                28 October 2015                      pdfsig(1)
Impressum