Two Terms, Two Very Different Things
"Digital signature" and "electronic signature" are used interchangeably in everyday speech, but they describe fundamentally different things. Using the wrong type for a contract or legal document can invalidate it. Understanding the distinction saves real problems.
An electronic signature is a broad category covering any electronic indication of intent to sign — a typed name, a click on "I Agree," or an image of a handwritten signature pasted into a document. It's the legal concept.
A digital signature is a specific cryptographic mechanism: a mathematical proof created with a private key that verifies both the signer's identity and the document's integrity. It's the technical implementation.
All digital signatures are electronic signatures, but most electronic signatures are not digital signatures. The legal weight each carries depends on the jurisdiction, the document type, and the technical implementation.
Electronic Signatures: The Legal Layer
What Makes a Signature "Electronic"
Under the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), an electronic signature is broadly defined: any electronic sound, symbol, or process attached to a contract with intent to sign.
This definition deliberately encompasses:
- Typing your name at the end of an email
- Clicking "Accept" on a terms of service page
- Drawing your signature on a touchscreen
- Uploading a PNG of your handwritten signature into a document
- Using services like DocuSign, HelloSign, or Adobe Acrobat Sign
The legal validity rests on three factors:
- Intent — the signer intended the action to constitute a signature
- Consent — all parties agreed to use electronic signatures
- Record retention — the signed document is stored and retrievable
When Electronic Signatures Are Valid
In most U.S. and EU jurisdictions, electronic signatures are legally valid for:
- Business contracts and agreements
- Employment agreements and HR documents
- Sales contracts and purchase orders
- Lease agreements (with some state-specific exceptions)
- Healthcare consent forms (with HIPAA compliance)
- Real estate transactions (most types)
When Electronic Signatures Are NOT Valid
Some document types explicitly require wet (physical ink) signatures or notarization:
- Wills and testamentary documents (in most states)
- Court orders and legal filings
- Adoption papers
- Divorce decrees
- Notarized documents requiring in-person witness
- Some government forms
Check the specific requirements for your jurisdiction and document type before relying on an electronic signature for high-stakes legal matters.
Digital Signatures: The Technical Layer
The Cryptographic Mechanism
A digital signature uses public-key cryptography, with certificates issued and validated through a Public Key Infrastructure (PKI). The process:
- The signer has a certificate: a digital document containing their public key, issued by a trusted Certificate Authority (CA) like DigiCert, GlobalSign, or a government CA.
- Signing the document: when signing, software creates a hash (a fixed-size fingerprint) of the document content. This hash is then signed with the signer's private key (with RSA, this is commonly described as encrypting the hash). The result is the digital signature.
- Verification: anyone can check the signature using the signer's public key (included in the certificate). If the hash recovered from the signature matches a fresh hash of the document, the signature is valid and the document hasn't been modified since signing.
This process provides three guarantees that simpler electronic signatures cannot:
- Authentication — proof that the specific certificate holder signed (assuming their private key is secure)
- Non-repudiation — the signer cannot later claim they didn't sign
- Integrity — any modification to the document after signing invalidates the signature
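The sign-and-verify steps above, as an added example that is not part of the original article. It uses the OpenSSL command-line tool on a plain text file rather than a PDF, and the file names and document text are constructed for the demo.

```shell
#!/bin/sh
# Added example: hash-then-sign with the OpenSSL CLI. All names and contents are constructed.
set -eu
WORK=$(mktemp -d)

make_signed_doc() {
    # Signer's key pair; only the public half is handed to verifiers.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signer.key" 2>/dev/null
    openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub"
    printf 'Invoice 1042: pay 1,000 USD to ACME Ltd\n' > "$WORK/doc.txt"
    # Hash the document with SHA-256 and sign that hash with the private key.
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$WORK/doc.sig" "$WORK/doc.txt"
}

check_signature() {
    # $1 = file to check against the stored signature and the public key.
    if openssl dgst -sha256 -verify "$WORK/signer.pub" \
        -signature "$WORK/doc.sig" "$1" 2>&1 | grep -q 'Verified OK'; then
        echo valid
    else
        echo invalid
    fi
}

make_signed_doc
echo "original: $(check_signature "$WORK/doc.txt")"

# Change a single character after signing: the fresh hash no longer matches.
sed 's/1,000/9,000/' "$WORK/doc.txt" > "$WORK/tampered.txt"
echo "tampered: $(check_signature "$WORK/tampered.txt")"
```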
Certificate Authorities and Trust
Digital signature certificates come from Certificate Authorities, which operate in a trust hierarchy. Your operating system and browser trust a set of root CAs. Certificates issued by those root CAs are trusted by default.
For PDF digital signatures, the relevant trust store is often Adobe's Approved Trust List (AATL) or the European Union Trusted Lists (EUTL) for eIDAS compliance.
Types of signing certificates:
- Basic certificates — Validates that a key pair exists; no identity verification beyond email confirmation. Low assurance.
- Individual certificates — Identity verified (government ID required). Used for professional and legal signing.
- Organization certificates — Validates that a legal entity exists and the signer is authorized. Used for company-level signing.
- Qualified certificates — Highest EU standard under eIDAS. Equivalent to a wet signature in EU law.
PDF Signature Types
Adobe's PDF specification defines several signature field types:
| Type | What It Does | When to Use |
|---|---|---|
| Approval signature | Records that a specific person approved the document | Contract signing, approvals |
| Certification signature | Locks the document and defines what changes are permitted | Author certifies the original |
| Usage rights signature | Unlocks features in Adobe Reader (comment, save, etc.) | Limited use cases |
| Document timestamp | Applies a trusted timestamp without signer identity | Proving document existed at a point in time |
For most use cases, approval signatures (and certification signatures for the document originator) are what you want.
eIDAS: The EU Standard
The EU's Electronic Identification, Authentication and Trust Services (eIDAS) regulation defines three signature levels:
| Level | What It Is | Legal Effect |
|---|---|---|
| Simple Electronic Signature (SES) | Any electronic indication of intent | Admissible as evidence; weight determined by court |
| Advanced Electronic Signature (AdES) | Uniquely linked to signatory, detects changes | Stronger evidential weight |
| Qualified Electronic Signature (QES) | AdES + qualified certificate from accredited CA + qualified device | Equal to handwritten signature in EU law |
For legally binding EU contracts, Qualified Electronic Signatures provide the strongest protection. QES requires a qualified certificate from an accredited trust service provider and, in practice, usually involves identity verification in person or via video.
How to Add a Digital Signature to a PDF
Using Adobe Acrobat (Full Version)
- Open the PDF in Acrobat
- Go to Tools > Certificates > Digitally Sign
- Draw a signature field on the document
- Select your digital ID (certificate) from the list
- Configure appearance (visible signature image, text)
- Click Sign and save
If you don't have a digital ID, Acrobat can create a self-signed certificate — this provides integrity verification but not identity verification from a trusted CA, making it unsuitable for third-party contracts.
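The difference between a CA-issued and a self-signed signing certificate, described here and under Certificate Authorities and Trust, as an added example (not from the original article) using the OpenSSL CLI. The demo root CA, the signer names and the file names are constructed, and the detached CMS signature stands in for the signature a PDF tool would embed.

```shell
#!/bin/sh
# Added example; the root CA, signer names and files are constructed for the demo.
set -eu
D=$(mktemp -d)
printf 'Service agreement, version 1\n' > "$D/contract.txt"

new_selfsigned() {   # $1 = file basename, $2 = subject common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.crt" 2>/dev/null
}

issue_from_root() {  # same arguments; the certificate is signed by the demo root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
    openssl x509 -req -in "$D/$1.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
        -CAcreateserial -days 30 -out "$D/$1.crt" 2>/dev/null
}

sign_contract() {    # $1 = signer basename; writes a detached CMS signature
    openssl cms -sign -binary -in "$D/contract.txt" -signer "$D/$1.crt" \
        -inkey "$D/$1.key" -outform DER -out "$D/$1.p7s" 2>/dev/null
}

verify_contract() {  # $1 = signer basename, $2 = chain | integrity-only
    extra=""
    if [ "$2" = "integrity-only" ]; then extra="-noverify"; fi
    # -CAfile adds the demo root as a trust anchor; -noverify skips the chain check.
    if openssl cms -verify -binary -inform DER -in "$D/$1.p7s" \
        -content "$D/contract.txt" -CAfile "$D/root.crt" $extra \
        -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

new_selfsigned root "Demo Root CA"
issue_from_root jane "Jane Signer"
new_selfsigned lone "Jane Signer"   # same name, but no CA vouches for it
sign_contract jane
sign_contract lone
echo "CA-issued, chain check:      $(verify_contract jane chain)"
echo "self-signed, chain check:    $(verify_contract lone chain)"
echo "self-signed, integrity only: $(verify_contract lone integrity-only)"
```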
Using a Certificate from a Trusted CA
For professionally valid digital signatures, you need a certificate from a trusted CA. Process:
- Purchase or obtain a personal signing certificate from DigiCert, Comodo, GlobalSign, or a government PKI
- Install the certificate in your operating system's certificate store or a hardware token (YubiKey, smart card)
- Use Acrobat, LibreOffice, or a PDF command-line tool to apply the signature
For high-security use cases, the certificate private key should never touch a network-connected computer — hardware tokens keep the private key on the device and only perform signing operations on-device.
Using the Sign PDF Tool
For adding visual signature fields, initials, typed names, or a drawn signature image without cryptographic PKI signatures, the sign PDF tool handles this directly in the browser without software installation. This creates an electronic signature (legally valid for most commercial uses) but not a cryptographic digital signature.
For purely visual signatures — filling in name, date, initials — browser-based signing tools are the most practical option for individual users.
Command Line (for Automation)
Signing PDFs in batch or automated workflows:
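```bash
# Using pdfsig (from Poppler utilities).
# pdfsig signs with a certificate stored in an NSS database and selected by
# nickname, so import signing_cert.p12 into that database first.
# <nss-db-dir> and <cert-nickname> are placeholders; pdfsig has no location option.
pdfsig -add-signature \
  -nssdir "<nss-db-dir>" \
  -nick "<cert-nickname>" \
  -reason "Approved by finance" \
  input.pdf output_signed.pdf

# Using LibreOffice macro (via command line).
# This call only imports the PDF and re-exports it to /output/;
# the signing step itself has to come from the macro, which is not shown here.
libreoffice --headless --invisible \
  --infilter="writer_pdf_import" \
  --convert-to pdf \
  --outdir /output/ input.pdf
```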
For programmatic signing in production workflows, libraries like pdf-lib (JavaScript), PyHanko (Python), or iText (Java/C#) provide complete digital signature APIs.
Verifying a Digital Signature
When you open a digitally signed PDF in Adobe Acrobat or Reader:
- A blue ribbon or lock icon appears at the top
- "Signed and all signatures are valid" confirms the document hasn't changed
- "Signature validity is unknown" means the signing certificate isn't trusted by your system's trust store
- "At least one signature has problems" means the document was modified after signing
Checking signature validity from the command line:
```bash
# Using pdfsig
pdfsig input_signed.pdf
# Output shows:
# Digital Signature Info of: input_signed.pdf
# Signature #1:
# - Signer Certificate Common Name: John Doe
# - Signing Time: Apr 07 2026 10:30:22
# - Signature Validation: Signature is Valid.
# - Certificate Validation: Certificate is Trusted.
```
Signature Appearance in PDFs
Digital signatures can be invisible (just the cryptographic data, no visual element) or visible (displaying an image, text, or both).
Visible signature components typically include:
- Signer name
- Organization
- Signing date and time
- Reason for signing
- Location
- A graphical signature image
For official documents, a visible signature with the signer's name and date provides a clear record for readers who don't know how to verify cryptographic signatures. For automated machine-to-machine workflows, invisible signatures avoid adding clutter to document pages.
Signature placement should not overlap text or critical document content — it's best placed in a designated signature field or at the bottom of the final page. Use the edit PDF tool to prepare a document with proper signature fields before distribution.
Timestamping
A trusted timestamp proves a document existed at a specific point in time, independent of when you can prove you signed it. This matters for:
- Contract disputes about signing sequence
- Intellectual property priority disputes
- Compliance record-keeping (when audit records must show exact signing times)
Timestamps are provided by Time Stamping Authorities (TSAs) that sign a hash of your document with a trusted certificate. RFC 3161 is the standard protocol.
Adding a trusted timestamp in Adobe Acrobat: Preferences > Security > Advanced Preferences > Time Stamp Servers — configure a TSA URL (many CAs provide free TSA services).
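What a timestamp request carries, as an added example that is not part of the original article: it builds an RFC 3161 request with the OpenSSL CLI and checks that the request holds the document's SHA-256 hash rather than the document itself. Only the request side is shown; the file name and text are constructed, and no TSA is contacted.

```shell
#!/bin/sh
# Added example: contents of an RFC 3161 timestamp request. File names are constructed.
set -eu
T=$(mktemp -d)
printf 'Design notes, draft 3\n' > "$T/design.txt"

build_request() {
    # -cert asks the TSA to include its signing certificate in the reply.
    openssl ts -query -data "$T/design.txt" -sha256 -cert \
        -out "$T/design.tsq" 2>/dev/null
}

request_digest() {
    # The first OCTET STRING in the DER-encoded request is the hashed message.
    openssl asn1parse -inform DER -in "$T/design.tsq" |
        sed -n 's/.*OCTET STRING *\[HEX DUMP\]://p' | head -n 1 | tr 'A-F' 'a-f'
}

document_digest() {
    openssl dgst -sha256 -r "$T/design.txt" | cut -d' ' -f1
}

request_leaks_text() {
    # Reports whether any of the document's text appears in the request bytes.
    if grep -q 'Design notes' "$T/design.tsq"; then echo yes; else echo no; fi
}

build_request
echo "digest in request:  $(request_digest)"
echo "digest of document: $(document_digest)"
echo "document text in request: $(request_leaks_text)"
```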
Which Type Do You Need?
| Use Case | Recommended Type |
|---|---|
| Business contracts (US) | Electronic signature (typed name, drawn sig, or DocuSign) |
| EU business contracts | AdES digital signature or QES for high value |
| Internal company approvals | Electronic signature or basic digital signature |
| Government submissions | Check specific agency requirements |
| NDAs and employment agreements | Electronic signature |
| Wills and testamentary documents | Wet signature (physical) in most jurisdictions |
| Financial account opening (KYC) | Digital signature + identity verification |
| Code signing (software releases) | Digital signature with code-signing certificate |
| PDF document integrity verification | Digital signature (cryptographic) |
Frequently Asked Questions
Is a DocuSign signature legally binding?
Yes, in most U.S. and EU jurisdictions. DocuSign creates a legally compliant electronic signature with an audit trail showing who signed, when, from what IP address, and in what sequence. It meets the requirements of ESIGN, UETA, and EU eIDAS Simple Electronic Signature level.
Can someone forge a digital signature?
A cryptographic digital signature from a trusted CA is computationally infeasible to forge without access to the signer's private key. The security assumption is that the signer secures their private key — if the private key is stolen or a certificate is issued fraudulently, the signature can be misused. Certificate authorities have revocation mechanisms (CRL and OCSP) to invalidate compromised certificates.
What happens if I sign a PDF and then compress it?
Compressing a digitally signed PDF typically invalidates the signature because compression changes the binary content of the file. Always compress PDFs before signing, never after. If you need to reduce a signed PDF's size, some tools can re-save with reduced image quality while preserving signature data, but this is complex and risky — test carefully. Use the compress PDF tool before the signing step.
Do digital signatures expire?
Signing certificates have expiration dates (typically 1-3 years). After expiration, the signature's validity may show as "unknown", which makes verification uncertain unless a trusted timestamp was applied at signing time. The timestamp proves the signature was valid when created, even after the certificate expires. This is why professional signing workflows always include RFC 3161 timestamps.
Can I sign a password-protected PDF?
In most tools, you must unlock the PDF first (with the unlock PDF tool), then sign it. Some password-protected PDFs with restrictions also prevent signature fields, so the document owner must remove these restrictions before signing is possible.
Conclusion
For everyday business use — contracts, approvals, consent forms — an electronic signature from a reputable provider is legally valid, practical, and sufficient. When you need cryptographic proof of identity and document integrity for regulated industries, legal proceedings, or EU-regulated transactions, a PKI-based digital signature with a trusted certificate is required.
Add visual signatures and initials to PDFs using the sign PDF tool, and use the password protect PDF tool to secure documents before distribution. The "how to sign PDF online" post covers the practical steps for common signing scenarios in more detail.



