A signed PDF arrives from a counterparty you don't fully trust. The signature looks fine — but how do you know it hasn't been altered, or that the signature isn't pasted in from another document? Three checks.
Check 1: open the document in a tool that validates signatures
Adobe Acrobat, Preview on macOS, and most PDF readers have a signature panel that checks digital signatures against their certificates. If the document has a digital signature (PDF/A with embedded certificate), the panel will say 'Valid', 'Invalid' or 'Unknown'.
For electronic signatures (SES) without an embedded certificate, the signature is part of the document visually but verification happens through the platform's audit trail rather than within the PDF itself.
Check 2: cross-reference the audit trail
Open the certificate of completion from the signing platform. Match the document hash on the certificate against the hash you compute on the received PDF. If they match, the document is the one that was signed. If not, it's been altered.
Most signing platforms (Flint included) bundle the audit trail with the file or make it retrievable via a verification URL.
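The comparison in Check 2, as an added example that is not part of the original article and not any signing platform's own code: it normalises the hash printed on a certificate of completion and compares it with the hash computed on the received file. The hex-digest format, inferring the algorithm from the digest length, and all function names are assumptions; the sample "PDF" bytes are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption: the certificate prints a hex digest; its length implies the algorithm.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}


def normalise_certificate_hash(text):
    """Strip a 'SHA-256:' style label, spaces and colons; return lowercase hex."""
    value = re.sub(r"^\s*sha-?\d+\s*[:=]\s*", "", text, flags=re.IGNORECASE)
    value = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a recognisable hex digest")
    return value


def file_digest(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked for large PDFs
            h.update(chunk)
    return h.hexdigest()


def matches_certificate(pdf_path, certificate_hash):
    """True only if the received file hashes to the value on the certificate."""
    expected = normalise_certificate_hash(certificate_hash)
    actual = file_digest(pdf_path, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a stand-in 'PDF' and a copy with one byte changed."""
    original = b"%PDF-1.7\n% constructed sample, not a real contract\n%%EOF\n"
    cert_hash = "SHA-256: " + hashlib.sha256(original).hexdigest().upper()
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "received.pdf"
        for body in (original, original.replace(b"contract", b"Contract")):
            path.write_bytes(body)
            results.append(matches_certificate(path, cert_hash))
    return results


if __name__ == "__main__":
    print(demo())
```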
Check 3: confirm the signer
Read the audit trail. The signer's name, email, IP and timestamp should match what you'd expect. If the document was signed from Latvia at 3am by someone whose office is in Glasgow, that's worth investigating before accepting the contract.
For regulated industries, supplement with out-of-band verification — a phone call to a known number confirming the signing.
FAQ
What does 'signature valid' actually mean?
For digital signatures: the certificate chain validates against a trusted CA and the document hash matches the signed hash. For electronic signatures: the audit trail records the signing event with platform-verified integrity.
Can a signature be valid but the document be a fake?
If someone signs a fraudulent document, the signature is technically valid on that document — but the content is still fraud. Verification proves integrity, not honesty.
Should I trust unsigned PDFs?
Treat them as draft material. If a counterparty sends an unsigned contract claiming to be executed, ask for the signed version with audit trail.
Is a printed-then-scanned signed PDF the same as the original?
No. Print-and-scan destroys cryptographic integrity. The visual signature remains; the audit trail evidence weakens significantly.
Visual signature alone isn't enough. Sign and verify via Flint — the audit trail does the work.