6

I've been asked to distribute electronic certificates (they were originally paper), in a PDF format, but I'd like to sign them with gpg or something similar so users can upload them to my site to check that they've not been handed a fake copy.

So, I'd like to sign a PDF file (transparently, the user doesn't need to know about anything) and check if it's valid.

4
  • 1
    PDFs have their own signing system; you should ask about it on stackoverflow.com, you'll get an answer there. Commented Jul 14, 2015 at 15:29
  • Questions on this topic could be posted on Stack Overflow if you're asking how to write a program to do this, or here if you're asking for an existing program that does this. @StephenKitt This question is on-topic here, asking for existing programs. Commented Jul 14, 2015 at 16:35
  • 3
    @Liczyrzepa Super User is not “another stackoverflow site”, it's another Stack Exchange site. Stack Overflow is about programming, Super User is about computers (mainly PC running Windows but also some other systems). This question would also be on-topic on Super User, but it's fine here on U&L. In any case, do not post the same question on multiple sites. Commented Jul 14, 2015 at 16:36
  • @Gilles Right, I stand corrected ;-). I suggested SO because I know there are a few PDF experts there. Commented Jul 14, 2015 at 16:50

2 Answers

12

You can do it with a separate signature file.

  1. Sign the Document:

    % gpg --output doc.pdf.sig --detach-sig doc.pdf

  2. Distribute doc.pdf and doc.pdf.sig

  3. Verify the Document:

    % gpg --verify doc.pdf.sig doc.pdf

1
  • 1
    This is what I needed, although I won't distribute the .sig, I'll keep it to verify server-side Commented Jul 15, 2015 at 18:20
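For the server-side check mentioned in the comment above, one way to decide acceptance is to parse gpg's machine-readable `--status-fd` output and pin the issuing key's fingerprint, rather than trusting the human-readable message. This is an added example, not code from the answer; `status_ok`, `verify_upload`, `PINNED_FPR` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept an uploaded PDF only if the stored detached signature
# verifies AND was made by the pinned issuing key.
# PINNED_FPR is a constructed placeholder, not a real key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg --status-fd lines on stdin; succeed only on exactly one VALIDSIG
# from the pinned primary key and no failure keyword.
status_ok() {
    pin=$1
    valid=0
    while IFS= read -r line; do
        case $line in "[GNUPG:] "*) ;; *) continue ;; esac
        set -f; set -- $line; set +f      # split status line into fields
        case $2 in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # $3 = signing (sub)key fingerprint; ${12} = primary key
                # fingerprint when gpg reports it, else fall back to $3.
                [ "${12:-$3}" = "$pin" ] || return 1
                valid=$((valid + 1)) ;;
        esac
    done
    [ "$valid" -eq 1 ]
}

# verify_upload UPLOADED_PDF STORED_SIG
# The caller has already looked up the .sig kept for this certificate.
# gpg's exit code is lost in the pipe, so status_ok requires VALIDSIG itself.
verify_upload() {
    gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_ok "$PINNED_FPR"
}

# Constructed status output for an untampered file and for a modified one.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Certificate Issuer <issuer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-07-15 1436983200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Certificate Issuer <issuer@example.org>'
```

Running gpg with `GNUPGHOME` pointed at a keyring that holds only the issuing public key keeps unrelated keys from ever producing a valid signature on the server.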
0

I don't think this question specifically requests that the original be perfectly unmodified, just that the signature be invisible to users. GPG, by default, signs to the pdf headers where they aren't seen by normal users (but can be read/verified with pdf or pgp software).

  1. Rename the original to a .orig (recommended)

    mv doc.pdf doc.pdf.orig

  2. Sign the original:

    gpg --not-dash-escaped --armor --output doc.pdf --clearsign doc.pdf.orig

  3. Now you can distribute the signed doc.pdf alone; it's a normal pdf and users won't see the signature. It's just a tiny bit bigger than the original.

  4. Verify it:

    gpg --verify doc.pdf

Notes:

  • The --not-dash-escaped flag avoids problems with PDF headers. In my experience, you need this even if the PDF does not contain LaTeX. (source)

  • I like to use --armor and --clearsign (instead of --sign) because I think it makes the signature user-readable as a header in pdf software, even without PGP support. This might not be true... I couldn't find documentation but that's what's implied by the manpage.

  • Actually if anyone finds some documentation on GPG's behavior when writing PDF headers, please add some links to this answer.

  • .orig isn't an official standard, but it's in DIRCOLORS.
