Provided by: poppler-utils_23.08.0-2ubuntu1_amd64 bug

NAME

       pdfsig - Portable Document Format (PDF) digital signatures tool

SYNOPSIS

       pdfsig [options] [PDF-file] [Output-file]

DESCRIPTION

       pdfsig  verifies  the digital signatures in a PDF document.  It also displays the identity
       of each signer (commonName field and full distinguished name of the  signer  certificate),
       the  time  and date of the signature, the hash algorithm used for signing, the type of the
       signature as stated in the PDF and the signed ranges with a  statement  wether  the  total
       document is signed.  It can also sign PDF documents (options -add-signature or -sign).

       pdfsig  uses  the  trusted  certificates  stored  in  the  Network Security Services (NSS)
       Database.

       pdfsig  also  uses   the   Online   Certificate   Status   Protocol   (OCSP)   (refer   to
       http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)    to    look    up   the
       certificate online and check if it has been revoked (unless -no-ocsp has been specified).

       The NSS Database is searched for in the following locations:

       •      If the -nssdir option is specified, the directory specified by this option.

       •      The   NSS   Certificate   database   in   the   default   Firefox   profile.   i.e.
              $HOME/.mozilla/firefox/*.default.

       •      The NSS Certificate database in /etc/pki/nssdb.

OPTIONS

       -nssdir [prefix]directory
              Specify  the  database directory containing the certificate and key database files.
              See certutil(1) -d option for details of the prefix. If  not  specified  the  other
              search locations described in DESCRIPTION are used.

       -nss-pwd password
              Specify the password needed to access the NSS database (if any).

       -nocert
              Do not validate the certificate.

       -no-ocsp
              Do  not  perform  online  OCSP  certificate  revocation  check  (local  Certificate
              Revocation Lists (CRL) are still used).

       -aia   Enable the use of Authority Information Access (AIA)  extension  to  fetch  missing
              certificates to build the certificate chain.

       -dump  Dump  all  signatures into current directory in their native format. Most likely it
              is either a unpadded or zero-padded CMS/PKCS7 bundle.

       -add-signature
              Add a new signature to the document.

       -new-signature-field-name  name
              Specifies the field name to be used when adding a new signature. A random  ID  will
              be used by default.

       -sign  field
              Sign the document in the specified signature field present in the document (must be
              unsigned).  Field can be specified by field name (string)  or  the  n-th  signature
              field in the document (integer).

       -nick  nickname
              Use  the certificate with the given nickname for signing (NSS backend). If nickname
              starts with pkcs11:, it's treated as PKCS#11 URI (NSS backend). If the nickname  is
              given as a fingerprint, it will be the certificate used (GPG backend)

       -backend  backend
              Use the specified backeng for cryptographic signatures

       -kpw  password
              Use  the given password for the signing key (this might be missing if the key isn't
              password protected).

       -digest  algorithm
              Use the given digest algorithm for signing (default: SHA256).

       -reason  reason
              Set the given reason string for the signature (default: no reason set).

       -etsi  Create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached.

       -list-nicks
              List available nicknames in the NSS database.

       -list-backends
              List available backends for cryptographic signatures

       -v     Print copyright and version information.

       -h     Print usage information.  (-help and --help are equivalent.)

EXAMPLES

       pdfsig signed_file.pdf
              Displays signature info for signed_file.pdf.

       pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick  my-cert  -reason  'for
       fun!'
              Creates  a  new  pdf  named output.pdf with the contents of input.pdf signed by the
              'my-cert' certificate.

       pdfsig     input.pdf     output.pdf     -add-signature     -nss-pwd     password     -nick
       'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'
              Same,  but uses a PKCS#11 URI as defined in IETF RFC 7512 to select the certificate
              to be used for signing.

       pdfsig input.pdf output.pdf -sign 0 -nss-pwd password -nick my-cert -reason 'for fun!'
              Creates a new pdf named output.pdf with the contents of  input.pdf  signed  by  the
              'my-cert'  certificate. input.pdf must have an already existing un-signed signature
              field.

AUTHOR

       The pdfsig software and documentation  are  copyright  1996-2004  Glyph  &  Cog,  LLC  and
       copyright 2005-2015 The Poppler Developers - http://poppler.freedesktop.org

SEE ALSO

       pdfdetach(1),   pdffonts(1),   pdfimages(1),   pdfinfo(1),   pdftocairo(1),  pdftohtml(1),
       pdftoppm(1), pdftops(1), pdftotext(1) pdfseparate(1), pdfunite(1) certutil(1)

                                         28 October 2015                                pdfsig(1)