NAME

       pdfsig - Portable Document Format (PDF) digital signatures tool

SYNOPSIS

       pdfsig [options] [PDF-file] [Output-file]

DESCRIPTION

       pdfsig  verifies  the digital signatures in a PDF document.  It also displays the identity of each signer
       (commonName field and full distinguished name of the signer  certificate),  the  time  and  date  of  the
       signature,  the  hash  algorithm used for signing, the type of the signature as stated in the PDF and the
       signed ranges with a statement wether the total document is signed.   It  can  also  sign  PDF  documents
       (options -add-signature or -sign).

       pdfsig  uses the trusted certificates stored either in the Network Security Services (NSS) Database or in
       GnuPG's S/MIME system (gpgsm).

       pdfsig    also    uses    the    Online    Certificate    Status    Protocol     (OCSP)     (refer     to
       http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)  to  look  up the certificate online and
       check if it has been revoked (unless -no-ocsp has been specified).

       If the NSS backend is used, the NSS Database is searched for in the following locations:

       •      If the -nssdir option is specified, the directory specified by this option.

       •      The    NSS    Certificate    database     in     the     default     Firefox     profile.     i.e.
              $HOME/.mozilla/firefox/*.default.

       •      The NSS Certificate database in /etc/pki/nssdb.

       If the GPG backend is used, the S/MIME certificate is read from $GNUPGHOME, defaulting to $HOME/.gnupg

OPTIONS

       -nssdir [prefix]directory
              Specify  the database directory containing the certificate and key database files. See certutil(1)
              -d option for details of the prefix. If not specified the  other  search  locations  described  in
              DESCRIPTION are used.

       -nss-pwd password
              Specify the password needed to access the NSS database (if any).

       -nocert
              Do not validate the certificate.

       -no-ocsp
              Do  not perform online OCSP certificate revocation check (local Certificate Revocation Lists (CRL)
              are still used).

       -no-appearance
              Do not add appearance information when signing existing fields (signer name and date).

       -aia   Enable the use of Authority Information Access (AIA) extension to fetch  missing  certificates  to
              build the certificate chain.

       -dump  Dump  all  signatures  into  current  directory in their native format. Most likely it is either a
              unpadded or zero-padded CMS/PKCS7 bundle.

       -add-signature
              Add a new signature to the document.

       -new-signature-field-name  name
              Specifies the field name to be used when adding a new signature. A  random  ID  will  be  used  by
              default.

       -sign  field
              Sign  the  document  in  the specified signature field present in the document (must be unsigned).
              Field can be specified by field name  (string)  or  the  n-th  signature  field  in  the  document
              (integer).

       -nick  nickname
              Use  the  certificate  with  the given nickname for signing (NSS backend). If nickname starts with
              pkcs11:, it's treated as PKCS#11 URI (NSS backend). If the nickname is given as a fingerprint,  it
              will be the certificate used (GPG backend)

       -backend  backend
              Use the specified backeng for cryptographic signatures

       -kpw  password
              Use  the  given  password  for  the  signing  key (this might be missing if the key isn't password
              protected).

       -digest  algorithm
              Use the given digest algorithm for signing (default: SHA256).

       -reason  reason
              Set the given reason string for the signature (default: no reason set).

       -etsi  Create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached.

       -list-nicks
              List available nicknames in the NSS database.

       -list-backends
              List available backends for cryptographic signatures

       -v     Print copyright and version information.

       -h     Print usage information.  (-help and --help are equivalent.)

EXAMPLES

       pdfsig signed_file.pdf
              Displays signature info for signed_file.pdf.

       pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick my-cert -reason 'for fun!'
              Creates a new pdf named output.pdf  with  the  contents  of  input.pdf  signed  by  the  'my-cert'
              certificate.

       pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick
       'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'
              Same,  but uses a PKCS#11 URI as defined in IETF RFC 7512 to select the certificate to be used for
              signing.

       pdfsig input.pdf output.pdf -sign 0 -nss-pwd password -nick my-cert -reason 'for fun!'
              Creates a new pdf named output.pdf  with  the  contents  of  input.pdf  signed  by  the  'my-cert'
              certificate. input.pdf must have an already existing un-signed signature field.

AUTHOR

       The  pdfsig  software  and documentation are copyright 1996-2004 Glyph & Cog, LLC and copyright 2005-2015
       The Poppler Developers - http://poppler.freedesktop.org

SEE ALSO

       pdfdetach(1),  pdffonts(1),   pdfimages(1),   pdfinfo(1),   pdftocairo(1),   pdftohtml(1),   pdftoppm(1),
       pdftops(1), pdftotext(1) pdfseparate(1), pdfunite(1) certutil(1)

                                                 28 October 2015                                       pdfsig(1)