A Java CLI application and library for signing and validating PDF files using PAdES (PDF Advanced Electronic Signatures). Built on the EU Digital Signature Service (DSS) library and Apache PDFBox.
PAdES signature levels: Baseline-B, Baseline-T, Baseline-LT, Baseline-LTA
Keystore support: PKCS#12, JKS, PKCS#11 (smart cards/HSM)
Visible signatures with text, images, placeholders, and positioning
Image-only signature mode
Blank page insertion for signature placement
PDF encryption (encrypt-before-sign) with permission controls
Password-protected PDF signing
DocMDP certification levels (4 levels)
Multiple/counter-signatures (append mode)
Timestamp Authority (TSA) with Basic Auth, Mutual TLS, policy OID, and hash algorithm options
Trust configuration: EU LOTL, custom certificates, truststores
OCSP and CRL revocation checking with AIA chain building
Hash algorithms: SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD-160
Signature validation with ETSI reports (TEXT, XML, ETSI TS 119 102-2, JSON)
Module
Artifact
Description
jsignpdf-padesjsignpdf-padesPDF signing CLI and library
validatorjsignpdf-pades-validatorPDF signature validation CLI and library
distributionjsignpdf-pades-distributionDistribution assembly (ZIP)
Java 17 or later
Maven 3.6+ (for building)
The fat JARs (with all dependencies) are created in each module's target/ directory.
# Basic signing# Sign with timestamp# Visible signature with text" Approved" " Prague" # Image-only visible signature# Add blank page for signature# Encrypt and sign# Validate with text output# JSON output for scripting# ETSI TS 119 102-2 XML report# Quiet mode (exit code only, for CI/CD)&& echo " VALID" || echo " INVALID" # With EU trusted list# Skip online revocation checks# List available keystore types# List keys in a keystore# Print help
Option
Description
-kst, --keystore-typeKeystore type (JKS, PKCS12, etc.)
-ksf, --keystore-filePath to keystore file
-ksp, --keystore-passwordKeystore password
-kp, --key-passwordKey password (if different from keystore password)
-ka, --key-aliasKey alias to use for signing
Option
Description
-pl, --pades-levelPAdES level: BASELINE_B, BASELINE_T, BASELINE_LT, BASELINE_LTA
-da, --digest-algorithmDigest algorithm: SHA1, SHA256, SHA384, SHA512, RIPEMD160
-cl, --certification-levelCertification level: NOT_CERTIFIED, CERTIFIED_NO_CHANGES_ALLOWED, CERTIFIED_FORM_FILLING, CERTIFIED_FORM_FILLING_AND_ANNOTATIONS
-r, --reasonReason for signature
-l, --locationLocation of signature
-c, --contactContact info
-sn, --signer-nameSigner name override
PAdES levels (ETSI EN 319 142-1) build on each other — each level adds protection on top of the previous one:
Level
Name
Description
BASELINE_BBasic
Minimum signature: signer's certificate, signing time, and cryptographic binding to the document. Proves who signed what , but the signing time is not trusted and long-term validity is not ensured.
BASELINE_TTimestamp
Adds a trusted timestamp (from a TSA) over the signature. Proves the signature existed at a specific point in time, even if the signer's certificate later expires or is revoked.
BASELINE_LTLong-Term
Embeds all validation material (certificate chain, CRLs, OCSP responses) into the document. The signature can be validated offline, long after the original revocation data sources become unavailable.
BASELINE_LTALong-Term with Archive timestamp
Adds an archive timestamp over the LT data. Protects against crypto algorithm obsolescence and can be renewed periodically to extend validity for decades.
Option
Description
-V, --visible-signatureEnable visible signature
-pg, --pagePage number (default: 1)
-llx, -lly, -urx, -urySignature rectangle coordinates
-t, --textCustom text with placeholders: ${signer}, ${reason}, ${location}, ${contact}, ${timestamp}, ${certificate}
-ff, --font-fileTTF font file for visible signature text
-fs, --font-sizeFont size (default: 10)
--bg-pathBackground/logo image path
--image-onlyImage-only mode (no text)
--add-blank-pageAdd blank page for signature
TSA (Timestamp Authority)
Option
Description
-ts, --tsa-server-urlTSA server URL
-ta, --tsa-authenticationTSA auth: NONE, PASSWORD, CERTIFICATE
-tsu, --tsa-userTSA username
-tsp, --tsa-passwordTSA password
-tsh, --tsa-hash-algorithmTSA hash algorithm
--tsa-policy-oidTSA policy OID
-tskt, --tsa-key-file-typeTSA client cert keystore type
-tskf, --tsa-key-fileTSA client cert keystore file
-tskp, --tsa-key-passwordTSA client cert keystore password
Option
Description
--trust-use-default-lotlUse EU List of Trusted Lists
--trust-lotl-urlCustom LOTL URL (repeatable)
--trust-certificate-fileTrusted certificate file (repeatable)
--trust-certificate-urlTrusted certificate URL (repeatable)
--trust-keystore-fileTruststore file
--trust-keystore-passwordTruststore password
--trust-keystore-typeTruststore type
Option
Description
--encrypt-before-signEncrypt PDF with password before signing
-opwd, --owner-passwordOwner password
-upwd, --user-passwordUser password
-pr, --print-rightPrint right: DISALLOW_PRINTING, ALLOW_DEGRADED_PRINTING, ALLOW_PRINTING
--disable-copyDeny content copying
--disable-assemblyDeny document assembly
--disable-fillDeny form filling
--disable-screen-readersDeny screen reader access
--disable-modify-annotationsDeny annotation modification
--disable-modify-contentDeny content modification
Option
Description
-os, --out-suffixOutput file suffix (default: _signed)
-d, --out-directoryOutput directory
-q, --quietQuiet mode
Option
Description
-f, --formatOutput format: TEXT, XML, ETSI, JSON
--verboseInclude detailed report
-q, --quietOnly exit code (0=valid, 1=invalid, 2=error)
--skip-revocationSkip online OCSP/CRL checks
Trust options
Same as signing (see above)
jsignpdf - GUI+CLI PDF signing with OpenPDFjsign-pkcs11 - SunPKCS11 fork with context-specific login support