Available Now: Explore our latest release with enhanced accessibility and powerful IDP features

PDF/A Compliance with Digital Signatures

By Roger Dunham | 2024 Jun 19

Sanity Image

Summary: Learn what PDF/A and Digital Signatures are and how implementing them can help your company remain legally compliant – while reducing the risk of fraudulent modification of your documents.

Introduction

Copied to clipboard

Record keeping is a serious business, whether to comply with laws such as the Sarbanes-Oxley Act (SOX), regulations from financial regulatory bodies like the SEC, FINRA and ESMA, or for any other reason where long-term archiving of documents that have a known origin and have not been tampered with is required.

PDF/A and Digital Signatures, when implemented together, can provide a good solution.

In this article, we will look at how to implement an effective solution to document retention where documents look the same to all users and cannot be repudiated by the document creator.

We will look mostly at how to do this using the Apryse SDK, but we will also briefly mention other mechanisms that can be used to accomplish this.

Making Documents PDF/A Compliant

Copied to clipboard

PDF/A is a type of PDF specifically designed for the long-term preservation of electronic documents. PDF/A differs from a “normal” PDF by prohibiting features which might cause problems with long-term archiving like non-embedded fonts, JavaScript, encryption, and so on. The intention is that the document should remain viewable indefinitely, and importantly, should appear the same to everyone that looks at it.

Creating New Documents That are PDF/A Compliant

Copied to clipboard

Apryse offers several ways to create PDF/A compliant documents:

iText: You can use it to create PDF/A compliant documents as part of a document generation and archiving process.

Fluent: This document generation system takes templates created in Office and populates them with data from a huge range of sources to create documents, including PDF/A compliant ones.

Converting Existing Documents to Become PDF/A Compliant

Copied to clipboard

If you already have documents that are not PDF/A, like “normal” PDF, Office documents, scanned files, or images, conversion to PDF/A (rather than generation) is required. Apryse can still help you with Qoppa PDF Studio Pro, the Apryse SDK, or WebViewer, either as part of your own website or hosted at xodo.com.

Converting to PDF/A Using PDF Studio Pro

Copied to clipboard

Qoppa PDF Studio Pro has a straightforward UI that leads you through the PDF to PDF/A document conversion. It informs you that certain aspects of the PDF may be altered, and you should make sure those changes will not remove important information.

Blog image

Figure 1 – The UI in PDF Studio Pro when converting a PDF invoice to PDF/A-2b. The user is informed of what will happen.

Once the conversion succeeds, the PDF will be shown, indicating that the document is tagged as PDF/A compliant. If you wish, you can also get the software to verify compliance.

Blog image

Figure 2 – A PDF/A compliant document within PDF Studio Pro. It is clear that the PDF has been tagged as PDF/A compliant.

Converting a PDF to PDF/A Using the Apryse SDK

Copied to clipboard

The Apryse SDK is available in many languages - .Net, Java, Node.js, and Python to name but a few, and is available for Windows, Linux and macOS as well as the Web, and ships with many samples to help you get started (or you can access the sample directly from the documentation website).

At its simplest, conversion to PDF/A just needs a few lines of code. In the following snippet, the conversion is to PDF/A-2b, however all of the conformance levels including 4, 4e, and 4f are available.

                string sourceFile = "ExampleInvoiceV1.pdf"; 
                string outputFile = "ExampleInvoiceV1-pdfa.pdf"; 
                using (PDFACompliance pdf_a = new PDFACompliance(true, input_path + sourceFile, null, PDFACompliance.Conformance.e_Level2B, null, 10, false)) 
                { 
 
                    pdf_a.SaveAs(output_path + outputFile, false); 
                } 

While that code snippet will work, the full sample contains additional code that reports any PDF/A violations in the converted file, so you can be sure that the conversion succeeded.

Blog image

Figure 3 – Sample output showing that the initial file was not PDF/A compliant, but the generated one is.

Converting to PDF/A Using Apryse Web SDK

Copied to clipboard

If you are using Apryse WebViewer, then you can easily extend your code to convert a PDF to PDF/A once the WebViewer has been instantiated. In the following code the file to be converted is hardcoded, but you could specify a particular file to be converted.

  const { PDFNet, documentViewer } = instance.Core; 
 
  documentViewer.addEventListener('documentLoaded', async () => { 
 
   await PDFNet.initialize(); 
   async function main() { 
    const filename = 'https://pdftron.s3.amazonaws.com/downloads/pl/webviewer-demo.pdf'; 
    let except; 
    const pdfa = await PDFNet.PDFACompliance.createFromUrl(true, filename, '', PDFNet.PDFACompliance.Conformance.e_Level2B, except, 10); 
    const buf = await pdfa.saveAsFromBuffer(false); 
    //optionally save the blob to a file or upload to a server 
    const blob = new Blob([buf], { type: 'application/pdf' }); 
 
    // or display the blob - note that you will need to enable popups 
    //var fileURL = window.URL.createObjectURL(blob); 
    //let tab = window.open(); 
        //tab.location.href = fileURL; 
   } 
   await PDFNet.runWithCleanup(main); 
  }); 

If you want to try out converting a PDF to PDF/A using WebViewer then head over to the Apryse Showcase.

Converting to PDF/A Using Xodo.com

Copied to clipboard

As an alternative to converting an existing document to PDF/A within your own code, you can use Xodo.com within your web browser. As with the Apryse SDK, all of the variants including 4, 4e, and 4f are available.

All you need to do is drag the PDF into the browser, choose the PDF/A type, and press Convert.

Blog image

Figure 4 – Xodo.com indicating that the file was successfully converted to PDF/A

After a few seconds, the conversion will be complete, and you can save your file.

Blog image

Figure 5 – Xodo.com showing the UI for converting to PDF/A

This is a big subject, and this article is just a quick overview. For more information, check out our blog post on converting files to PDF/A using Apryse.

Being able to store documents long term is, however, only part of the solution. There is still a need to verify that the correct document was stored, and that it has not been modified. This is where digital signatures can help.

Working with Digital Signatures?

Copied to clipboard

For this article we will just look at digital signatures backed by AES (essentially a self-signed certificate) and QES (where the certificate is issued by a trusted Certificate Authority).

These can be used to prove that the document was signed by the person that claims to have signed it, and, also, that the document has not been subsequently modified.

E-signatures also exist but are not covered in this article. You can read more about them in the Ultimate Guide to Digital Signatures.

Apryse and Digital Signatures

Copied to clipboard

Just as with PDF/A conversion, there are multiple ways of adding a digital signature with Apryse:

1. Qoppa PDF Studio Pro

2. Apryse SDK

3. Apryse WebViewer

4. Xodo Sign (or XodoSign if you don’t use spaces)

We won’t look Xodo Sign in this article, since it deserves an article all of its own. But if you just can’t wait, head over to the help center. Suffice to say, it is a fully featured system that allows you to securely approve, send and sign documents online. It has a great and intuitive Web UI and can also be accessed via a secure API.

PDF Studio Pro

Copied to clipboard

PDF Studio Pro makes signing a document intuitive and easy. Just open the document, choose Secure then click on Digitally Sign.

You will need to choose a location where the signature will be shown within the document, although you can alter the appearance.

Blog image

Figure 6 – Adding a digital signature in PDF Studio Pro

Once the document is signed and saved, PDF Studio Pro will let you know that the document is signed and will verify (or not!) that the signature is valid. 

Blog image

Figure 7 – A digitally signed document in PDF Studio Pro. The blue banner and green tick mark in the signature box indicate that the signature is valid.

Signing Documents with the Apryse SDK

Copied to clipboard

The Apryse SDK can also digitally sign documents.

As we saw with PDF/A, the Apryse SDK comes with lots of sample code, including the ability to sign documents when you download the Apryse SDK. Alternatively, you can download the sample expliticly in a wide range of programming languages from https://docs.apryse.com/documentation/samples.

Blog image

Figure 8 – The range of programming languages that support the digital signature sample.

The sample code is a great place to get started, and performs various signing and signature verification tests.

The following snippet is based on (but simplified from) the method SignPDF:

// Open an existing PDF 
using (PDFDoc doc = new PDFDoc(in_docpath)) 
{ 
// Retrieve the unsigned approval signature field. 
Field found_approval_field = doc.GetField(in_approval_field_name); 
DigitalSignatureField found_approval_signature_digsig_field = new DigitalSignatureField(found_approval_field); 
 
// (OPTIONAL) Add an appearance to the signature field. 
Image img = Image.Create(doc, in_appearance_img_path); 
SignatureWidget found_approval_signature_widget = new SignatureWidget(found_approval_field.GetSDFObj()); 
found_approval_signature_widget.CreateSignatureAppearance(img); 
 
// Prepare the signature and signature handler for signing. 
found_approval_signature_digsig_field.SignOnNextSave(in_private_key_file_path, in_keyfile_password); 
 
// The actual approval signing will be done during the following incremental save operation. 
doc.Save(in_outpath, SDFDoc.SaveOptions.e_incremental); 
} 

How the Code Works

Copied to clipboard

A signature field is a requirement for digital signatures. As such, the code finds the signature field, places an image at that location (which will be a visual representation of a wet signature), sets up the field to be signed with a certificate (based on the ‘private key’ file and its password), then saves the PDF.

There are a lot of things to get your head around, but once you do, the process itself is simple.

The full sample code is more complex, and also demonstrates adding a certifying signature and verifying that the signed document is valid.

Blog image

Figure 9 – Output from the sample code (which is similar to, but different from, the snippet above) which adds a signature and verifies that the signature is valid.

The sample code ships with a suitable key file – pdftron.pfx. But for production use, you will need to get your own. Other signing technologies, including custom signature handlers, can also be used.

Adding a Digital Signature Using WebViewer

Copied to clipboard

WebViewer allows you to add a signature field and apply an e-signature very easily.

Blog image

Figure 10 - WebViewer - showing how an eSignature can be inserted.

However, straight out of the box, this is not a digital signature. WebViewer can, however, be used to add an approval signature to a document, entirely within your browser.

You can see a walkthrough that demonstrates working with digital signatures using the Apryse Showcase.

Start the walkthrough by clicking where it says Sign here. If you jump ahead and create a signature straight away, before clicking on ‘Sign here’ then the instructions in the PDF won’t work, so reload the page and start again.

Blog image

Figure 11 - The start of the Digital Signature walk-through. Begin by clicking on ‘Sign here’ within the red rectangle.

The walkthrough allows you to enter a visual representation of your signature. Once you have done that, the option to Apply Approval Signature will be enabled. Click on that and the document will be digitally signed.

You can verify the signature either programmatically or by opening the Panel and clicking on the Signatures tab.

Blog image

Figure 12 - The final digitally signed document. You can see that the signature is valid. You would also be able to see what changes can be made to the document without invalidating the signature.

Does a Digital Signature Stop the Document Being Changed?

Copied to clipboard

No. Although many software tools won’t allow you to alter a digitally signed document, others do. However, when a document is digitally signed the state of the document is recorded allowing changes to be detected.

The SDK allows you to control what can be done to the signed file without invalidating the signature. For example, it may be necessary to get multiple digital signatures on the same file – for example, a contract – where all parties need to sign the document, but no changes should be possible to the content of the contract.

Alternatively, it may be desirable to be able to add annotations to a signed document without invalidating it. Again, that option can be controlled by the SDK.

All changes made to the signed document will be recorded, but if any of the changes were not permitted, for example, a change to a clause in a contract, then the digital signature will become invalid, and this will be recognizable.

Wrapping Up

Copied to clipboard

PDF/A is great for archiving data in a way that is designed to be readable in years, or decades, to come. Combined with a digital signature, they are a great way to verify the origin and validity of a document.

Apryse has your back. The Apryse product suite allows you to generate and convert documents to PDF/A, then digitally sign and verify those signatures. Depending on how you want to work, this functionality can be accessed within a desktop app, a web-based solution, or a server-based API.

There is a wealth of documentation available for both of these techniques, as well as for the other functionality that Apryse offers. While PDF/A and digital signatures may be today’s only requirements, Apryse can also help when your requirements expand, for example to redaction or supporting multiple users annotating the same document.

As a final word, the subjects covered in this article are complex, so feel free to reach out to us on Discord if you need any further assistance.

Sanity Image

Roger Dunham

Share this post

email
linkedIn
twitter