Any suggestions on a relatively easy (preferably self-hosted) way to digitally sign PDFs

So my spouse and I need to digitally sign documents for release to clients/contractors/other people.

Having an image of our signatures over an empty digital form/document (PDFs/DOCX/etc.) may not suffice because it could be tampered with by changing the file contents along with its date and time, etc.

What are the alternative ways to do it properly? I am not against paying for online services provided they are from a reliable provider with a proven track record. I have not fully reviewed the pertinent local laws that may apply to me, but I would much rather keep the contents of the signed documents private.

I am thinking, if I self host the solution, am I potentially exposing my entire system to a future subpoena? Is a paid online solution the better way forward?

Foxit?

I think an app-based solution requires something something X.509 certificates? I don't exactly understand where to get those. My Google-fu seems to be failing me.

And I’d rather not use Adobe… Foxit seems to be sketching me out too…

I use Foxit and overall it's great, in large part because it's NOT Adobe.

I use it to digitally sign personal documents but I have not looked deeply into the specifics of setting it up for clients.

DocuSign is another platform frequently used, but it's not self-hosted/free.

I would recommend talking to Foxit and asking them what their solution entails, because they will probably give you the keywords you need to search for an OSS option.

Maybe this?


You do want to use an X.509 certificate. They are the same type of certificates used for HTTPS (or any TLS/SSL connection), for code signing, and for user certificate authentication.

They can be generated locally, no need to connect to the internet. OpenSSL can do this, Windows certificate store can do this, and Adobe Acrobat also can do this. This is termed a self-signed certificate.

Or they can be generated by a public certificate authority (CA). The certificate you get is the same, but the certificate is also signed by the certificate authority, and they have to do some validation that you are who you say you are. This is why they cost money.

This is one of the first results on Google: Document Signing Certificate - PDF Signing | Sectigo® Official

In terms of validating when a document was signed, you can use a timestamp server. This basically sends the hash of the signing process to a website, and the website will sign that with a timestamp, and then that gets added after your signature. There are a bunch of services for this, and they are generally all free, as the only validation they need to do is to check the time when your timestamp request was received. I don’t know what applications support timestamping for pdf signatures, but that is something to check.

Instead of signing the document yourself, it is also possible to use a website, and they will have the certificate, and you upload documents for them to sign. I have no idea what legal things apply to these websites, and it probably depends where you are in the world.

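The local OpenSSL route from the reply above, as an added example that is not part of the thread or of any product mentioned in it: it generates a self-signed X.509 signing certificate, produces a detached CMS/PKCS#7 signature over a PDF, verifies it, and shows that changing a single byte of the document breaks verification. The subject name, file names and the hand-written sample PDF are assumptions made for the demo. The result is a detached signature file next to the PDF, not a signature embedded in the PDF's own signature dictionary, so a PDF viewer will not display it inside the document; the certificate, the CMS structure and the check are the same ones a PDF signing application embeds in the file.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed X.509 signing certificate,
# detached CMS signature over a PDF, verification and a tamper check, using
# only OpenSSL. Subject name and file names are assumptions for the demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed stand-in for the document to be signed (a minimal, hand-written PDF).
cat > contract.pdf <<'EOF'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >> endobj
trailer << /Root 1 0 R >>
%%EOF
EOF

# Self-signed signing certificate, generated locally with no CA involved.
# keyUsage digitalSignature/nonRepudiation is what a document-signing cert carries.
make_signer() {  # $1 = common name, $2 = output basename
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 -subj "/CN=$1" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Detached CMS (PKCS#7) signature over the exact bytes of the file (-binary: no
# MIME canonicalisation). The signer certificate is embedded in the .p7s.
sign_file() {  # $1 = file, $2 = signer basename -> writes $1.p7s
    openssl cms -sign -binary -in "$1" -signer "$2.crt" -inkey "$2.key" \
        -outform DER -out "$1.p7s"
}

# Returns 0 only if the signature covers the file byte-for-byte and the signer
# is in our trust store; for a self-signed cert that store is the cert itself.
verify_file() {  # $1 = file, $2 = signature, $3 = trusted cert
    openssl cms -verify -binary -content "$1" -inform DER -in "$2" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# SHA-256 fingerprint: the value a relying party pins, or that a CA's signature vouches for.
cert_fingerprint() {  # $1 = cert
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_signer "Jane Doe" signer
sign_file contract.pdf signer
verify_file contract.pdf contract.pdf.p7s signer.crt && echo "signature verifies"

# Change one byte of the document: the detached signature must now fail.
sed 's/200 100/200 101/' contract.pdf > tampered.pdf
if verify_file tampered.pdf contract.pdf.p7s signer.crt; then
    echo "BUG: tampered document verified"; exit 1
fi
echo "tampered copy rejected"
echo "signer fingerprint: $(cert_fingerprint signer.crt)"
```

To have a public CA vouch for the key instead of self-signing, the same key produces a CSR (openssl req -new) and the CA returns the certificate; the signing and verification commands stay the same, only the trust store given to -CAfile on the verifying side changes.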

I am thinking of a silly way to do it. I sort of just woke up and still have to do a lot more thinking and reading about this.

Instead of paying an online certificate authority to do this, I am thinking of just paying a lawyer to notarize the public key of the self-signed X.509 certificate (again, I still have to read about this, so I could be wrong on how it works).

So now I have a public authority (the lawyer) that could verify my identity and public key and keep things relatively private as I sign pdfs.

I still don't have any idea how to implement the timestamps though…

@TheCakeIsNaOH The cheapest online provider is Sectigo/Comodo (at 299 USD/year) and that company is a nope… The next cheapest available is DocuSign, but from what it looks like, I have to send the entire file/document to them and that is a big no-no. DigiCert sounds cool, but it is asking for 500+ USD to get their 2000-signatures-per-year package. They will send a hardware token to sign the documents, and I can use a FIPS YubiKey (but I just have the regular one).

@infinitevalence I have seen that, but I don't have the home server running now because of electricity issues (I have to hire an electrician to rewire the house because the UPS is complaining of no ground connection). Also I am a bit paranoid because, again, a subpoena could potentially grab the entire server for examination and I’d rather that not happen. Also I think it's going to be hard to explain to the local judge and lawyers how it works if it is too complicated.

I'm currently looking into PGP and asked an AI…

PGP (Pretty Good Privacy) is primarily used for email encryption and signing, and may not be the best choice for timestamping PDFs. However, it is possible to use PGP to sign and timestamp PDFs using tools such as GnuPG (GNU Privacy Guard) or Kleopatra.

To sign and time stamp a PDF using GnuPG, you would first need to generate a key pair (public and private key). Then, you can use the following commands to sign and timestamp a PDF:

gpg --detach-sign --armor <pdf-file> 
gpg --clearsign --armor <pdf-file>

The --detach-sign option creates a detached signature that is stored in a separate file from the PDF, while the --clearsign option creates a signature that is embedded in the PDF.

To add a timestamp to the signature, you can use the --timestamp option followed by a timestamping authority URL. For example:

gpg --detach-sign --armor --timestamp http://timestamp.server.com <pdf-file>

Note that the timestamping authority must be trusted and compliant with the RFC 3161 standard.

Kleopatra is a graphical user interface for managing OpenPGP keys and signatures and provides similar functionality. However, there may be other tools that are more specialized for timestamping PDF files.