How to sign PDF with a x.509 signature/certificate

Question

tl;dr: I'm looking for a CLI tool that can be fed with a x.509 file and an input PDF and out comes a signed PDF. Best scenario for NodeJS

Hi there. I'm getting a little bit frustrated. I'm looking for a tool which can sign PDF files using the command line. I do use an online service called handy-signatur.at (A service from www.a-trust.at) that generates a x.509 certificate.

I found a page that mentions several tools but it seems that all of them are out of date.

I tried PortableSigner in particular, but that needs Java 6 and I couldn't get it to work on Ubuntu (Server and Desktop edition) 17.04.

/edit: I can't get PortableSigner to work because Java 6 and 7 is no longer available and probably not even safe to use.

Is there any commandline tool out there to sign PDFs?

Thank you guys so much!

Answer 1

Seems PortableSigner do the work.

If you are worried about Java 7 support. Try it with Java 8, probably the digital signature functions still work because nothing important has changed between 7&8

Alternatively, implementing a signature program with Java using libraries like PDFBox or itext is relatively easy. Here you have a full example with pdfbox. Note that it has a main

https://svn.apache.org/repos/asf/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignature.java

usage:

java org.apache.pdfbox.examples.signature.CreateSignature 
     <pkcs12_keystore> <password> <pdf_to_sign>

Answer 2

You can write your own Java scripts here is the reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_api_reference.pdf

var myEngine = security.getHandler( "Adobe.PPKLite" );
myEngine.login( "password", "/C/Users/username/Desktop/PrivateUser.pfx" );
var myInfo = {password: "password",
 reason: "SaveAs Test",
 mdp: "defaultAndComments"};
this.certifyInvisibleSign({
 oSig:myEngine,
 oInfo:myInfo,
 cDIPath:"/c/temp/sigSign.pdf",
 cLegalAttest: "Certified using JavaScript",
 bUI:false
});

Answer 3

As far as I could find, openSSL is the only maintained tool which might support inputting an x.509 file and a PDF in order to generate a signed PDF file.

See the openSSL man page for x509 .

I also found a PortableSigner2 project, but it also wasn't current.

Answer 4

PortableSigner is a tool to digitally sign PDFs with X.509 certificates.

It's a Java app so the installation of a compatible JRE is required (according to the website: 1.6 and 1.7).

You can refer the following link to get the detailed information for the same

http://portablesigner.sourceforge.net/

Answer 5

As others have mentioned, the openssl command can do this but it took me a while to find an example. Here's the website with a good example:

https://raymii.org/s/tutorials/Sign_and_verify_text_files_to_public_keys_via_the_OpenSSL_Command_Line.html

and the commands in case the link doesn't work:

To sign:

openssl dgst -sha256 -sign mycert.key -out sign.txt.sha256 sign.txt

Where mycert.key is the private key of your x509 certificate.

To verify:

openssl dgst -sha256 -verify  mycert.pub -signature sign.txt.sha256 sign.txt

Where mycert.pub is the public key of your certificate (NOT the certificate itself).