Digitally signing PDFs for documents is becoming increasingly commonplace for official documents. This post will look at three Mac apps for digitally signing PDFs with signature images. It is important to note that these signatures do not cryptographically ensure the integrity of the document; rather, they are used to replicate a “wet ink” signature. If you want true verification of a document’s integrity, you need to use either Adobe Acrobat’s certificate-based signature system or a separate tool like PGP to produce a sidecar signature.

For signature images, there are concerns are around mutability, or how easily someone can move, remove, or modify the signature image; and extractability, the ability to re-purpose the signature image for use on another document. Because there is nothing to cryptographically seal the document, any actor with sufficient knowledge of and tools for the PDF format will be able mutate a PDF signature image. But for preventing casual actors from making deliberate or accidental changes, there are some meaningful differences in how programs on macOS produce signature images. None of the signature images methods examined prevent extraction of the signature via copy/paste or (obviously) via a screenshot.

Each of the programs evaluated allows you to produce a signature with just text in a stylized font, trackpad-drawn signature, or image-recognized signature. For the purposes of this evaluation, I’m using the trackpad-drawn signature image. The signature will be placed on a document that looks like this:

A blank document with a single line labeled "Name" followed by underscores to placeholder the signature.

Using the iText RUPS PDF debugging tool, the structure of this simple PDF can be examined. It contains a single Page with one Contents stream that has an encoded length of 154 bytes:

Hierarchical tree structure of the un-signed PDF.

Comparison

We’ll now look at what happens when signing this document in various programs.

Preview

Preview comes installed in macOS by default. When a signature is added, Preview embeds the signature into the actual Page Contents stream. You can see this because the size of the Contents stream grows from 154 bytes to 3,528 after the signature is added:

Hierarchical tree structure of the PDF signed with Preview, showing a large Contents stream length.

The benefits of Preview’s signature image technique is that, after the file is saved, the signature image ceases to be an object that PDF viewers will recognize as movable. Preview rewrites the Page’s Contents to directly “bake in” the signature image onto the page background.

Adobe Acrobat

Acrobat is the most fully featured PDF viewer/editor on the Mac, but it’s both pricey and a somewhat complex tool. The signature image flow in Acrobat is geared towards making a fillable form that someone else signs. When self-signing a PDF in Acrobat, it creates an AcroForm structure with a FillSign element. The FillSign references an XObject that embeds an image element with the signature image. This is a significantly more complex structure, but that’s because Acrobat is geared towards PDF authors rather than signers. When signing in Acrobat, the resulting signature is not mutable because the form is considered “filled.”

Hierarchical tree structure of the PDF signed with Acrobat, showing complex AcroForm structure.

PDF Expert

PDF Expert is a popular macOS and iOS PDF manipulation tool, fitting in between the capabilities of Preview and Acrobat. PDF Expert adds signatures as an annotation to the document. Annotations are mutable PDF objects, like text highlights, notes, and lines/arrows. Most basic PDF viewers can move and delete annotation objects. You can see that the base Page’s stream size has remained the same at 154 bytes, and a separate Annots dictionary has been created.

Hierarchical tree structure of the PDF signed with PDF Expert, showing the added signature annotation.

However, PDF Expert also offers a Save as Flatten option. This rewrites the Page object into a series of Contents streams, which eliminates the mutable annotation object. Unlike Preview, which rewrites the document into a single Contents stream, PDF Expert retains the original 154-byte stream and adds an additional one for the signature image.

Hierarchical tree structure of the PDF signed with PDF Expert, showing the annotation replaced with multiple Contents streams.

One caveat though is that flattening affects all objects in the PDF, not just the signature, which may not be a desired outcome.

Recommendation

For signing PDFs, my recommendation would be to use a cryptographic signature, but unfortunately most document recipients want to see squiggly lines rather than a certificate-based hash. I think Preview’s default signature image output is the best, and it is available to all Mac users. PDF Expert’s flattened output is good as well, but it does require the extra step to convert it to a flattened PDF. None of the signature image schemes prevent extraction, but each app has a way to produce a PDF that prevents signature image mutation by casual actors.