We are excited to announce a release focused on digital signature validation, certificate management, and improved image handling.
This update introduces several important new features and enhancements!
⚠️ Warning for pdfcpu backend users:
Due to a necessary force push, please make sure to perform a fresh clone or pull to avoid any inconsistencies.
1. Quickstart for current users
In order to get going with this release you need to reset your configuration.
Check the v0.9.1 Release notes for instructions.
Any pdfcpu CLI command will print a corresponding warning.
After the upgrade your config dir will look like:
v0.10.2 - pdfcpu Release Notes | AnnounceHQ
2. Validate Signatures
pdfcpu now provides support for validating digital signatures embedded in PDF documents:
```
$ pdfcpu sig val sample1.pdf
optimizing...
1 form signature (authoritative, visible, signed) on page 1
Status: signature is valid
Reason: document has not been modified
Signed: 2025-03-18 10:07:18 +0000
```
By using -full we can look at all the details:
```
$ pdfcpu sig val -full sample1.pdf
optimizing...
1:
Type: form signature (authoritative, visible, signed) on page 1
Status: signature is valid
Reason: document has not been modified
Signed: 2025-03-18 10:07:18 +0000
DocModified: false
Details:
SubFilter: ETSI.CAdES.detached
SignerIdentity: John Doe
SignerName: John Doe
ContactInfo:
Location: oesterreich.gv.at PDF Signatur
Reason: Signatur
SigningTime: 2025-03-18 10:07:18 +0000
Field: Signature15430ca9-5df6-4b11-b423-ab48ec2439d6
Signer:
Timestamp: false
LTVEnabled: false
PAdES: B-B
Certified: false
Authoritative: true
Certificate:
Subject: John Doe
Issuer: a-sign-premium-mobile-05
SerialNr: 614a81f67
Valid From: 2023-01-04 10:39:36 +0000
Valid Thru: 2028-01-04 10:39:36 +0000
Expired: false
Qualified: true
CA: false
Usage:
Version: 3
SignAlg: ECDSA
Key Size: 256 bits
SelfSigned: false
Trust: Status: ok
Reason: cert chain up to root CA is trusted
Revocation: Status: ok
Reason: not revoked (CRL check ok)
RootCA:
Subject: a-sign-premium-mobile-05
Issuer: A-Trust-Root-05
SerialNr: 36a009c2
Valid From: 2022-12-19 09:15:01 +0000
Valid Thru: 2029-07-10 07:15:01 +0000
Expired: false
Qualified: false
CA: true
Usage:
Version: 3
SignAlg: RSA
Key Size: 4096 bits
SelfSigned: false
Trust: Status: ok
Reason: CA
```
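The following Go sketch is an added example, not part of pdfcpu or of these release notes: it turns the `-full` report of one signature into a pass/fail gate, relying only on the field names and passing values printed above. Treating any other value, or a missing field, as a failure is an assumption of the example, as are the names `gate` and `sampleReport`.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleReport is constructed from the -full output above, trimmed to the fields the gate reads.
const sampleReport = `1:
Status: signature is valid
DocModified: false
Certificate:
Expired: false
Trust: Status: ok
Revocation: Status: ok
RootCA:
Expired: false
Trust: Status: ok`

// gate returns every policy violation found in one signature's report; empty means accept.
// A required field that never appears in the report counts as a violation (fail closed).
func gate(report string) []string {
	want := map[string]string{"Status": "signature is valid", "DocModified": "false",
		"Expired": "false", "Trust": "Status: ok", "Revocation": "Status: ok"}
	seen, fails := map[string]bool{}, []string{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		key, val, _ := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		exp, checked := want[key]
		if !checked {
			continue // informational line such as Reason or Subject
		}
		seen[key] = true
		if strings.TrimSpace(val) != exp {
			fails = append(fails, fmt.Sprintf("%s: got %q, want %q", key, strings.TrimSpace(val), exp))
		}
	}
	for key := range want {
		if !seen[key] {
			fails = append(fails, key+": missing from report")
		}
	}
	return fails
}

func main() {
	fmt.Println(gate(sampleReport)) // []
}
```

The gate checks trust, revocation, expiry and modification status separately from the headline `Status` line, so a report that omits the revocation result is rejected instead of silently accepted.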
Each detected signature is categorized into one of the following:
| Type | Intention | Visibility |
|:----------------------------|:--------------------------------------------------|:-------------------------|
| Form Signature | Authenticate form data and signer identity | Visible or invisible |
| Page Signature | Authenticate page content and appearance | Visible or invisible |
| Document Timestamp Signature (DTS) | Prove document existence at a point in time | invisible |
| Usage Rights Signature | Define locked features, detect tampering | invisible |
-a(ll): Validate all signatures found in the document.
-f(ull): Comprehensive output, including certificate chain building and revocation checking (CRL/OCSP).
By default, pdfcpu will always attempt to validate as much as possible, even without the -full flag.
A -fast validation mode may be introduced in a future release to limit the depth of validation when speed is critical.
Instead of reporting PAdES levels like PAdES-E-BES (Basic Electronic Signature) and PAdES-E-EPES (Explicit Policy Electronic Signature) as suggested in the PDF 2.0 specification (ISO 32000-2), pdfcpu focuses on the ETSI Basic Profile levels as laid out in ETSI EN 319 142-1 V1.2.1 (2024-01), section 6.1:
| PAdES Level | Description |
|:------------|:------------------------------------|
| B-B | Basic electronic signature |
| B-T | B-B with trusted timestamp or DTS |
| B-LT | B-T with embedded CRL and OCSP data |
| B-LTA | B-LT with DTS |
Current limitations mostly involve either older encryption standards restricted by the Go runtime for security reasons, or missing checks for permission violations after successful signature validation.
We are introducing three new configuration parameters:
```yaml
# HTTP timeout in seconds for CRL revocation checking.
timeoutCRL: 10
# HTTP timeout in seconds for OCSP revocation checking.
timeoutOCSP: 10
# Preferred certificate revocation checking mechanism:
# crl
# ocsp
preferredCertRevocationChecker: crl
```
When performing revocation checks, pdfcpu must fetch CRLs (Certificate Revocation Lists) or make OCSP requests to remote servers. Network conditions vary, and without proper timeouts, validation could hang indefinitely.
Configurable timeouts allow better control over signature validation performance.
Some environments prioritize OCSP for real-time checks, while others prefer CRL based on organizational policies.
Allowing users to configure the preferred method gives flexibility and aligns with security and compliance requirements.
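To show why a bounded fetch matters, here is an added Go example (not pdfcpu's own code) of a CRL check that enforces an HTTP timeout, verifies the CRL's signature against the issuer, and reports a timeout as an error instead of as "not revoked". The names `isRevoked` and `demo`, the constructed CA, serial 42 and the 50 ms test endpoint are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"slices"
	"time"
)

// isRevoked fetches a CRL within timeout, verifies the issuer signed it, then looks up serial.
func isRevoked(url string, issuer *x509.Certificate, serial *big.Int, timeout time.Duration) (bool, error) {
	resp, err := (&http.Client{Timeout: timeout}).Get(url)
	if err != nil {
		return false, err // timeout or network error: status is unknown, never "ok"
	}
	defer resp.Body.Close()
	der, _ := io.ReadAll(io.LimitReader(resp.Body, 10<<20)) // cap the download size
	crl, err := x509.ParseRevocationList(der)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil {
		return false, fmt.Errorf("CRL rejected: parse error (%v) or bad issuer signature", err)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}

// demo serves a constructed CA's CRL (revoking serial 42) from an endpoint that takes 50 ms.
func demo() (*httptest.Server, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now, one := time.Now(), big.NewInt(1)
	t := &x509.Certificate{SerialNumber: one, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	ca, _ := x509.ParseCertificate(der)
	crl, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: one, ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, key)
	h := func(w http.ResponseWriter, _ *http.Request) { time.Sleep(50 * time.Millisecond); w.Write(crl) }
	return httptest.NewServer(http.HandlerFunc(h)), ca
}

func main() {
	srv, ca := demo()
	fmt.Println(isRevoked(srv.URL+"/ca.crl", ca, big.NewInt(42), time.Second)) // true <nil>
}
```

Calling `isRevoked` with a timeout shorter than the endpoint's 50 ms delay returns an error, which a caller should surface as an unknown revocation status.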
4. Manage Certificates
To facilitate signature validation, pdfcpu now supports certificate management.
Built-in trust store:
pdfcpu comes preloaded with a set of EU Root CAs backed by the EU/EEA Trusted List to help verify European electronic signatures.
You can list, import, and reset your trusted certificates.
Certificate management commands:
```
pdfcpu certificates list
pdfcpu certificates import inFile...
pdfcpu certificates reset
```
Importing certificates ensures that only compatible certificates are accepted into the trust store.
Once imported, certificates can be freely organized within the pdfcpu config directory under certs/.
Right now pdfcpu cert import accepts .p7c and .pem files.
Support for additional certificate file formats like .cer is planned.