1pdfsig(1)                   General Commands Manual                  pdfsig(1)
2
3
4

NAME

6       pdfsig - Portable Document Format (PDF) digital signatures tool
7

SYNOPSIS

9       pdfsig [options] [PDF-file] [Output-file]
10

DESCRIPTION

12       pdfsig verifies the digital signatures in a PDF document.  It also dis‐
13       plays the identity of each signer (commonName field  and  full  distin‐
14       guished  name of the signer certificate), the time and date of the sig‐
15       nature, the hash algorithm used for signing, the type of the  signature
16       as  stated in the PDF and the signed ranges with a statement wether the
17       total document is signed.  It can  also  sign  PDF  documents  (options
18       -add-signature or -sign).
19
20       pdfsig  uses  the  trusted  certificates stored in the Network Security
21       Services (NSS) Database.
22
23       pdfsig also uses the Online Certificate Status Protocol  (OCSP)  (refer
24       to  http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) to
25       look up the certificate online and check if it has been revoked (unless
26       -no-ocsp has been specified).
27
28       The NSS Database is searched for in the following locations:
29
30       •      If  the  -nssdir option is specified, the directory specified by
31              this option.
32
33       •      The NSS Certificate database in  the  default  Firefox  profile.
34              i.e. $HOME/.mozilla/firefox/*.default.
35
36       •      The NSS Certificate database in /etc/pki/nssdb.
37

OPTIONS

39       -nssdir [prefix]directory
40              Specify  the  database  directory containing the certificate and
41              key database files. See certutil(1) -d option for details of the
42              prefix. If not specified the other search locations described in
43              DESCRIPTION are used.
44
45       -nss-pwd password
46              Specify the password needed to access the NSS database (if any).
47
48       -nocert
49              Do not validate the certificate.
50
51       -no-ocsp
52              Do not perform online OCSP certificate revocation  check  (local
53              Certificate Revocation Lists (CRL) are still used).
54
55       -aia   Enable  the  use of Authority Information Access (AIA) extension
56              to fetch missing certificates to build the certificate chain.
57
58       -dump  Dump all signatures into current directory in their native  for‐
59              mat.  Most  likely  it  is  either  a  unpadded  or  zero-padded
60              CMS/PKCS7 bundle.
61
62       -add-signature
63              Add a new signature to the document.
64
65       -new-signature-field-name  name
66              Specifies the field name to be used when adding a new signature.
67              A random ID will be used by default.
68
69       -sign  field
70              Sign  the  document  in the specified signature field present in
71              the document (must be unsigned).   Field  can  be  specified  by
72              field  name (string) or the n-th signature field in the document
73              (integer).
74
75       -nick  nickname
76              Use the certificate with the given  nickname  for  signing  (NSS
77              backend).  If  nickname  starts  with  pkcs11:,  it's treated as
78              PKCS#11 URI (NSS backend). If the nickname is given as a finger‐
79              print, it will be the certificate used (GPG backend)
80
81       -backend  backend
82              Use the specified backeng for cryptographic signatures
83
84       -kpw  password
85              Use  the given password for the signing key (this might be miss‐
86              ing if the key isn't password protected).
87
88       -digest  algorithm
89              Use the given digest algorithm for signing (default: SHA256).
90
91       -reason  reason
92              Set the given reason string for the signature (default: no  rea‐
93              son set).
94
95       -etsi  Create  a  signature  of  type  ETSI.CAdES.detached  instead  of
96              adbe.pkcs7.detached.
97
98       -list-nicks
99              List available nicknames in the NSS database.
100
101       -list-backends
102              List available backends for cryptographic signatures
103
104       -v     Print copyright and version information.
105
106       -h     Print usage information.  (-help and --help are equivalent.)
107

EXAMPLES

109       pdfsig signed_file.pdf
110              Displays signature info for signed_file.pdf.
111
112       pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick  my-
113       cert -reason 'for fun!'
114              Creates  a  new  pdf  named  output.pdf with the contents of in‐
115              put.pdf signed by the 'my-cert' certificate.
116
117       pdfsig input.pdf  output.pdf  -add-signature  -nss-pwd  password  -nick
118       'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'
119              Same,  but uses a PKCS#11 URI as defined in IETF RFC 7512 to se‐
120              lect the certificate to be used for signing.
121
122       pdfsig input.pdf output.pdf -sign 0  -nss-pwd  password  -nick  my-cert
123       -reason 'for fun!'
124              Creates  a  new  pdf  named  output.pdf with the contents of in‐
125              put.pdf signed by the 'my-cert' certificate. input.pdf must have
126              an already existing un-signed signature field.
127

AUTHOR

129       The  pdfsig  software and documentation are copyright 1996-2004 Glyph &
130       Cog, LLC and copyright 2005-2015 The Poppler Developers  -  http://pop
131       pler.freedesktop.org
132

SEE ALSO

134       pdfdetach(1),  pdffonts(1),  pdfimages(1),  pdfinfo(1),  pdftocairo(1),
135       pdftohtml(1),  pdftoppm(1),  pdftops(1),  pdftotext(1)  pdfseparate(1),
136       pdfunite(1) certutil(1)
137
138
139
140                                28 October 2015                      pdfsig(1)
Impressum