Digital Signature: Practical Example, How It Works and How to Verify It
Every day, millions of professionals sign contracts, financial statements and official documents with a single click. The European digital signature market reached USD 1.97 billion in 2024 and is projected to grow to USD 26.80 billion by 2032, at a compound annual growth rate of 38.8%, according to Fortune Business Insights. Those numbers tell a clear story: digital signatures are becoming the default for business transactions. Yet anyone searching for a concrete digital signature example still runs into vague explanations, abstract diagrams and persistent confusion between fundamentally different concepts.
The gap between daily usage and genuine understanding creates real risk. Many professionals still confuse a digital signature with a scanned image of a handwritten signature pasted onto a PDF. Others cannot tell the difference between a basic electronic signature and a digital signature with full legal standing. The consequences show up regularly: improperly signed documents, disputes in court, contracts challenged on validity grounds.
A digital signature is a cryptographic mechanism based on a pair of asymmetric keys. It guarantees authenticity (certainty about the signer's identity), integrity (the document has not been altered after signing) and non-repudiation (the signer cannot deny having signed). This guide walks through how the process works in practice, what a digitally signed document actually looks like, and how to verify its validity with official tools.
What is a digital signature and why it is not a scanned signature
A digital signature is a specific type of electronic signature that uses a digital certificate issued by a trusted certification authority and a public-key cryptography system to deliver legal equivalence to a handwritten signature. It has nothing in common with an image of a signature pasted onto a document. A scanned signature image contains no cryptographic information, does not bind the signer to the document in a unique and verifiable way, and provides no assurance that the content remained unchanged after the image was placed. In a legal dispute, a document bearing only a scanned signature image carries roughly the same evidentiary weight as an unsigned photocopy.
The distinction matters because legal frameworks governing electronic transactions across the European Union and beyond set clear technical requirements that separate genuine digital signatures from visual imitations. Under the eIDAS Regulation (EU 910/2014), only signatures meeting specific cryptographic and certification standards receive automatic legal recognition across all EU member states. The European Commission has confirmed that cross-border recognition applies to electronic signatures created with certificates issued by trusted service providers listed in national trusted lists.
The difference between simple, advanced and digital electronic signatures
The eIDAS Regulation (EU 910/2014) defines three tiers of electronic signatures, each with progressively stricter technical requirements and increasing legal weight. Knowing these tiers is the first step toward using the right level of signature for a given transaction.
A simple electronic signature covers any data in electronic form that is attached to or logically associated with other data for authentication purposes. The category is deliberately broad: a typed name at the bottom of an email, a checkbox on an online form, a PIN code entered at checkout. Simple electronic signatures carry limited evidentiary value, and their legal effectiveness depends on judicial assessment on a case-by-case basis. Article 25(1) of eIDAS states that an electronic signature shall not be denied legal effect solely on the grounds that it is in electronic form, but that baseline recognition leaves considerable room for challenge.
An advanced electronic signature (Article 26, eIDAS) must satisfy four cumulative requirements: it must be uniquely linked to the signatory, capable of identifying the signatory, created using data under the signatory's sole control, and linked to the signed data so that any subsequent change is detectable. These requirements raise the bar substantially, but the regulation does not mandate a specific technology for meeting them.
A digital signature sits at the highest level of this framework. It relies on a digital certificate issued by a trust service provider and on asymmetric cryptography. Under Article 25(2) of eIDAS, an advanced electronic signature based on a certificate issued by a trusted service provider carries the legal presumption of integrity and correct identification of the signatory. The Court of Justice of the EU has confirmed the principle of cross-border recognition: a digital signature created in one member state must be accepted in all others without additional requirements.
The regulatory framework: eIDAS and international standards
Two regulatory pillars govern digital signatures in cross-border transactions today. The eIDAS Regulation (EU 910/2014) sets the legal framework for electronic identification and trust services across all EU member states. Article 25 provides the core rule: an advanced electronic signature based on a certificate has legal effects equivalent to a handwritten signature. Articles 28 through 34 cover trust service providers, certificate issuance and supervision. Before eIDAS, each country had its own rules. The regulation replaced that patchwork with a single market for electronic trust services.
eIDAS 2.0 (EU 2024/1183), adopted in 2024, goes further. It introduces the European Digital Identity Wallet (EUDI Wallet), tightens requirements for electronic seals, and broadens the scope of trust services. Member states must make EUDI Wallets available to citizens by 2026. The goal is a single infrastructure for digital identity and signature across Europe (European Commission, Digital Strategy).
Outside Europe, the United States operates under the ESIGN Act (2000) and UETA (1999). Both grant electronic signatures the same legal standing as handwritten ones for most commercial transactions. These US frameworks take a technology-neutral approach rather than prescribing specific cryptographic methods, but the practical effect is similar: properly executed digital signatures are legally binding. Globally, ISO/IEC 27001 provides the information security management framework that many organizations follow when implementing digital signature infrastructure, so the underlying systems meet recognized security standards.
How a digital signature works: the technical process explained simply
A digital signature relies on three technical components. Asymmetric cryptography generates the signature itself. The digital certificate ties it to the signer's verified identity. And the hash function makes sure the document cannot be altered after signing without detection. If any one of these breaks, the whole thing falls apart.
The foundation is a mathematical principle called asymmetric cryptography, first developed in the 1970s by researchers including Whitfield Diffie and Martin Hellman. The idea: two cryptographic keys exist as a mathematically linked pair, but neither can be derived from the other through computation. The signer holds a private key, stored on a secure device: a smart card, USB token or remote Hardware Security Module (HSM). The public key is embedded in the digital certificate and accessible to anyone who needs to verify the signature. Modern implementations increasingly favor remote signing, where the private key resides on an HSM server and the signer authenticates via OTP or biometric verification before each operation.
Asymmetric cryptography: public and private keys
When a professional signs a document, the signing software first calculates a unique digital fingerprint of the file: the hash, a fixed-length alphanumeric string produced by a one-way mathematical function (typically SHA-256 or SHA-512). The software then encrypts this hash with the signer's private key. The result is the digital signature itself: a block of cryptographic data that gets attached to or embedded within the document.
The recipient verifies the signature by using the signer's public key (obtained from the digital certificate) to decrypt the signature block. If the decrypted value matches the hash of the received document, the verification confirms two things at once: the document has not been modified since signing, and the signature was created by whoever controls the corresponding private key. If even a single character in the document has changed, the hashes will differ and verification fails on the spot.
The role of the digital certificate and the certification authority
The digital certificate is the electronic document that binds the public key to the signer's verified identity. A trust service provider (also called a Certification Authority) issues it after a rigorous identity verification process. That provider must appear on the relevant national trusted list. Under eIDAS, each EU member state maintains such a list, and the European Commission publishes the aggregated List of Trusted Lists.
A standard digital certificate contains the holder's full name and unique identifier, the public key, the certificate's validity period (typically one to three years), the issuing certification authority's name, and the certificate's serial number. The certificate itself is signed by the certification authority. This creates a chain of trust: verifiers trust the certificate because they trust the authority that issued it, and that authority's own certificate is anchored to a root certificate maintained at the national level.
Hash, timestamp and document integrity
The hash function is the integrity guarantee. Any modification to the document after signing, even adding a single space, produces a completely different hash value. This property makes any post-signature tampering immediately detectable through a straightforward mathematical comparison.
A timestamp adds another layer of certainty: it attests to the exact moment the signature was created, with legal effect enforceable against third parties. Timestamps become particularly valuable when a certificate expires after the signing date. If the timestamp was applied while the certificate was still valid, the signed document retains its legal standing indefinitely, years after the certificate's expiration. Digital signature plus timestamp: a document whose integrity, authorship and placement in time are all cryptographically guaranteed.
Digital signature example: how it looks on a PDF and how to recognize it
A digitally signed PDF looks different depending on the signature format, but in the most common format (PAdES), the file keeps its standard .pdf extension and opens in any PDF reader. The visible difference is a signature panel or notification bar indicating the presence of one or more digital signatures, along with their validation status.
Adobe Acrobat Reader, for a practical digital signature example, displays a blue or green bar at the top of the document stating "Signed and all signatures are valid," or a warning if problems exist. Clicking the signature panel reveals the details: the signer's name, date and time of signing, the certification authority that issued the certificate, and the certificate's current validity status. This visual presentation shows a clear distinction between a digital signature and an electronic seal: the signature identifies a natural person, while the seal identifies an organization.
How a digitally signed PDF document looks
In PAdES format, the signer can optionally insert a visible signature field within the body of the document: a rectangular area displaying the name, date and a graphical indicator. This visible field is cosmetic. It carries no additional legal weight beyond the underlying cryptographic signature. The actual signature resides in the PDF's metadata layer, not in any visible image or graphic element. The absence of a visible signature field does not mean the document is unsigned: always check the signature panel.
In CAdES format, the experience is quite different. The original document gets wrapped inside a cryptographic envelope, and the resulting file carries a .p7m extension. Opening it requires dedicated software capable of processing CAdES containers. The .p7m file holds both the original document and the signature data, but it cannot be read with a standard PDF viewer. This format remains common in government filings and judicial proceedings across several EU member states.
Signature formats: CAdES (.p7m), PAdES (PDF), XAdES (XML)
Three standardized signature formats exist across Europe, each designed for different use cases. All three carry full legal validity under eIDAS. The choice depends on the document type and the workflow requirements of the parties involved.
| Format | Extension | File type | Visible signature | Primary use |
|---|---|---|---|---|
| CAdES | .p7m | Any file (cryptographic envelope) | No | Government, judicial proceedings |
| PAdES | PDF only | Yes (optional) | Contracts, daily business use | |
| XAdES | .xml | XML only | No | Electronic invoicing, structured data |
CAdES (CMS Advanced Electronic Signatures) wraps the document inside a cryptographic envelope with a .p7m extension. It works with any file type, not just PDFs, which makes it the most versatile format technically. Government agencies and judicial systems in several EU countries mandate CAdES for official filings and court submissions.
PAdES (PDF Advanced Electronic Signatures) is the format most professionals use day to day. The signature gets embedded directly within the PDF file, which stays readable in any standard PDF viewer without additional software. Contracts, proposals, corporate documents: PAdES handles them all, and it supports multiple signatures on the same document without generating separate files. For most business use cases, PAdES strikes the best balance between security, accessibility and usability.
XAdES (XML Advanced Electronic Signatures) has a narrower scope: XML-based documents, primarily electronic invoicing and structured data exchange with government agencies. You will encounter it mainly where data must be machine-readable and the document format is XML by definition.
How to verify a digital signature
Verifying a digital signature means confirming three things: the signer's certificate was valid and not revoked at the time of signing, the certificate was issued by a recognized trust service provider, and the document has not been altered since the signature was applied. With the right tools, this takes seconds.
Verification is not optional. In professional and legal contexts, a digitally signed document holds value only if the signature can be validated at the point of reliance. An expired certificate, a revoked certificate, a document modified after signing, a certificate from an unrecognized provider: any of these conditions can undermine the entire document's legal standing. With the European digital signature market projected to reach USD 26.80 billion by 2032 according to Fortune Business Insights, the volume of signatures requiring verification will only grow. Knowing how to verify a digital signature is as necessary as knowing how to create one.
Official validators: eIDAS tools and dedicated software
The European Commission developed EU DSS (Digital Signature Service), an open-source verification tool that validates digital signatures in any format (CAdES, PAdES, XAdES) against the eIDAS framework. It is the reference implementation for cross-border signature verification between member states. EU DSS checks the signature against the trusted lists maintained by each country and returns a standardized result regardless of where the signature was created.
Commercial software also provides verification capabilities built into broader document management workflows. Adobe Acrobat, for instance, includes built-in signature verification that checks certificates against the Adobe Approved Trust List (AATL) and the European Union Trust List (EUTL). Organizations handling high volumes of signed documents can automate verification through APIs instead of checking each file by hand.
What to check: certificate, timestamp, integrity
A complete verification covers three aspects. Getting any one of them wrong can be costly.
The signer's certificate must be valid at the relevant point in time: not expired, not suspended, not revoked. Verification software automatically checks Certificate Revocation Lists (CRLs) or queries the Online Certificate Status Protocol (OCSP) maintained by the issuing certification authority. If the certificate was revoked even an hour before you run the check, the signature is no longer valid. The practical advice: verify signatures when you receive the document, not weeks later.
The timestamp, when present, attests to the exact moment the signature was applied, with legal effect enforceable against third parties. Its role becomes critical when the signer's certificate expires after the document was signed. If the timestamp was applied while the certificate was still valid, the document retains its legal standing indefinitely. Without a timestamp, the validity of the signature is tied to the certificate's validity period: a time-limited guarantee that weakens as the expiration date approaches.
Integrity verification means recalculating the document's hash and comparing it against the hash stored within the signature. Matching hashes: the document is unchanged. A mismatch, even from a single altered character: verification fails. Treat the document as potentially compromised.
How document certification completes the digital signature process
Document certification is the step that transforms a signed document into evidence with full probative value. TrueScreen is the Data Authenticity Platform that integrates digital signature capabilities into its certification workflow, combining signer authentication (via OTP SMS or biometric video verification, compliant with eIDAS) with the automatic application of a timestamp and a digital seal. The result is a document that is signed, certified and rendered immutable from the point of origin, with verifiable metadata attesting to the entire chain of custody. The difference matters most when the signed document needs to stand up as admissible digital evidence in proceedings, not just sit in a folder as a signed file.
Digital signature integrated into the certification workflow
The process within TrueScreen follows a precise sequence. The user uploads the document to the platform. The system authenticates the signer's identity through OTP via SMS or biometric video verification, meeting eIDAS requirements for strong authentication. The digital signature is applied. TrueScreen then adds a timestamp and a digital seal automatically, locking the document so it cannot be altered and remains verifiable over time.
This integration solves a recurring problem in how signed documents are managed: the gap between the act of signing and the ongoing guarantee of integrity. A digitally signed document can be copied, moved, renamed or even partially altered in non-signed areas without anyone noticing. Digital provenance and forensic certification add the evidentiary layer that ties the document to its original context, its creation circumstances, and its unbroken chain of custody from the moment of signing forward.
From signature to complete evidentiary proof
The difference between a document that is simply signed and one that is certified lies in the depth of the guarantee. A digital signature attests to who signed and confirms the content has not changed. Certification adds when it was signed (timestamp enforceable against third parties), under what circumstances (device metadata, geolocation, acquisition parameters), and that the entire process is traceable.
For legal teams and compliance officers working in contentious or regulatory contexts, this distinction carries weight. A digitally signed contract proves the parties' consent. The same contract, signed and certified with digital provenance, also proves the document existed in that exact form at that precise moment, with no possibility of backdating or undetected alteration. When evidentiary standards are high, the certification layer can mean the difference between a document that is accepted and one that gets challenged.