Every completed document is sealed with a CA-issued PKCS#7 digital signature — the same standard used by governments and regulated industries. Any byte-level modification after sealing is detectable by any PDF reader. No extra API calls required.
Start free →A legal concept: any electronic process that indicates a person's intent to sign a document. Could be a typed name, a drawn mark, or a click on "I agree." Defined by ESIGN/UETA/PIPEDA.
A cryptographic operation: a hash of the document encrypted with a private key, verifiable with the corresponding public key. Proves who produced the document and that it has not been changed.
Both. GetSigned collects legally valid electronic signatures from signers, then applies a service-level PKCS#7 digital signature to the entire completed document — providing both the legal e-sign record and the cryptographic tamper-evidence.
All signature fields drawn or typed by signers are flattened into the PDF as permanent graphical content.
An audit certificate page is appended, listing every signing event with timestamps, IPs, and document hashes.
A SHA-256 hash of the entire PDF (with fields flattened and cert page appended) is computed.
The hash is signed with the service's CA-issued private key, producing a PKCS#7 signature object.
The PKCS#7 signature is embedded in the PDF's /ByteRange signing structure. The signed bytes cover the entire file.
Any PDF reader (Adobe Reader, Preview, Foxit) reads the embedded PKCS#7, re-hashes the document, and reports VALID or INVALID.
A digital signature API applies a cryptographic signature to a document on behalf of your application. Unlike an electronic signature (a legal concept about signer intent), a digital signature is a technical proof: it uses a CA-issued private key to sign a hash of the document, so anyone with the public certificate can verify that (1) the document was produced by the signing service, and (2) not a single byte has changed since it was signed. GetSigned's digital signature API seals every completed envelope with PKCS#7 — the same standard used by DocuSign, Adobe, and government signing authorities.
PKCS#7 (also known as CMS — Cryptographic Message Syntax) is the standard for embedding digital signatures in PDF files. It is the format understood by Adobe Reader, Microsoft Edge, Apple Preview, and every major PDF validator. When a PDF is sealed with PKCS#7, the signature covers the entire file — any bit-level modification invalidates the signature. This is why PKCS#7 provides stronger tamper-evidence than a watermark, a hash embedded in metadata, or a blockchain timestamp.
No. GetSigned uses a single service-level PKCS#7 seal applied after all signers complete. This is not a limitation — it is the legally correct design for commercial e-signatures under ESIGN, UETA, and PIPEDA. The service seal proves "this document left the GetSigned service in this exact state, and has not been modified since." The legal attribution to specific signers comes from the electronic signature capture (consent + OTP + audit log), not from per-signer PKI certificates. Per-signer PKI is only required for qualified signatures (eIDAS Level 3, not relevant to Canada/US commercial e-signatures).
The digital signature is applied automatically by GetSigned on every envelope completion — you do not need to call a separate sealing endpoint. Your workflow is: create the envelope (POST /v1/envelopes), send it (POST /v1/envelopes/{id}/send), and when all signers complete, the envelope.completed webhook fires and the sealed document is available at GET /v1/envelopes/{id}/document. The PKCS#7 seal is already applied to the downloaded document.
Use iTextSharp, PDFsharp, or any PKCS#7-aware PDF library to read the signature object embedded in the PDF. The signature includes the signing certificate chain, the signed byte range, and the PKCS#7 CMS object. Verify: (1) the certificate chain is valid and the certificate is issued by a trusted CA; (2) the computed hash of the signed byte range matches the hash in the PKCS#7 object; (3) the signing time is within the certificate's validity period. A simpler approach: open the document in Adobe Acrobat and inspect the Signatures panel — Acrobat performs all three checks automatically.
The PKCS#7 signature includes a signing timestamp from the service. For long-term validity (e.g., if the signing certificate expires years from now), a Trusted Timestamp Authority (TSA) counter-signature can be embedded — this proves the document was signed while the certificate was valid, even after the certificate expires. GetSigned embeds TSA timestamps on sealed documents for long-term verifiability.
Related: E-sig vs digital sig · PDF signature API · Audit trail guide · Compliance guide
No configuration required. Every completed envelope is sealed before the webhook fires.
Get free API keys →