Digitally signing PDFs for documents is becoming increasingly commonplace for official documents. This post will look at three Mac apps for digitally signing PDFs with signature images. It is important to note that these signatures do not cryptographically ensure the integrity of the document; rather, they are used to replicate a “wet ink” signature. If you want true verification of a document’s integrity, you need to use either Adobe Acrobat’s certificate-based signature system or a separate tool like PGP to produce a sidecar signature.
For signature images, there are concerns are around mutability, or how easily someone can move, remove, or modify the signature image; and extractability, the ability to re-purpose the signature image for use on another document. Because there is nothing to cryptographically seal the document, any actor with sufficient knowledge of and tools for the PDF format will be able mutate a PDF signature image. But for preventing casual actors from making deliberate or accidental changes, there are some meaningful differences in how programs on macOS produce signature images. None of the signature images methods examined prevent extraction of the signature via copy/paste or (obviously) via a screenshot.
Each of the programs evaluated allows you to produce a signature with just text in a stylized font, trackpad-drawn signature, or image-recognized signature. For the purposes of this evaluation, I’m using the trackpad-drawn signature image. The signature will be placed on a document that looks like this:
Using the iText RUPS PDF debugging tool, the structure of this simple PDF can be examined. It contains a single Page with one Contents stream that has an encoded length of 154 bytes:
We’ll now look at what happens when signing this document in various programs.
Preview comes installed in macOS by default. When a signature is added, Preview embeds the signature into the actual Page Contents stream. You can see this because the size of the Contents stream grows from 154 bytes to 3,528 after the signature is added:
The benefits of Preview’s signature image technique is that, after the file is saved, the signature image ceases to be an object that PDF viewers will recognize as movable. Preview rewrites the Page’s Contents to directly “bake in” the signature image onto the page background.
Acrobat is the most fully featured PDF viewer/editor on the Mac, but it’s both pricey and a somewhat
complex tool. The signature image flow in Acrobat is geared towards making a fillable form that
someone else signs. When self-signing a PDF in Acrobat, it creates an
AcroForm structure with a
FillSign element. The
FillSign references an
XObject that embeds an image element with the
signature image. This is a significantly more complex structure, but that’s because Acrobat is
geared towards PDF authors rather than signers. When signing in Acrobat, the resulting signature is
not mutable because the form is considered “filled.”
PDF Expert is a popular macOS and iOS PDF manipulation tool, fitting in
between the capabilities of Preview and Acrobat. PDF Expert adds signatures as an annotation to the
document. Annotations are mutable PDF objects, like text highlights, notes, and lines/arrows.
Most basic PDF viewers can move and delete annotation objects. You can see that the base Page’s
stream size has remained the same at 154 bytes, and a separate
Annots dictionary has been created.
However, PDF Expert also offers a Save as Flatten option. This rewrites the Page object into a series of Contents streams, which eliminates the mutable annotation object. Unlike Preview, which rewrites the document into a single Contents stream, PDF Expert retains the original 154-byte stream and adds an additional one for the signature image.
One caveat though is that flattening affects all objects in the PDF, not just the signature, which may not be a desired outcome.
For signing PDFs, my recommendation would be to use a cryptographic signature, but unfortunately most document recipients want to see squiggly lines rather than a certificate-based hash. I think Preview’s default signature image output is the best, and it is available to all Mac users. PDF Expert’s flattened output is good as well, but it does require the extra step to convert it to a flattened PDF. None of the signature image schemes prevent extraction, but each app has a way to produce a PDF that prevents signature image mutation by casual actors.