Verify PDF signatures
verify_pdfVerifies each PAdES digital signature in a PDF by recomputing SHA-256, validating CMS messageDigest and signatureValue, and reporting per-signature integrity, signer details, and chain trust.
Instructions
Read-only verification of every PAdES Baseline / adbe.pkcs7.detached signature in a PDF. For each /Sig widget, recomputes the ByteRange SHA-256, validates the CMS messageDigest (integrity), and verifies the CMS signatureValue with the embedded signer certificate. Supports RSA-SHA256 and ECDSA-SHA256 (P-256). The response shape: { allValid, signatureCount, summary, signatures: [{ valid, integrity, signerSubject, signingTime, reason, chainTrust: 'self-signed'|'unverified'|'trusted', errors: [] }] }. Read allValid for an overall yes/no; iterate signatures[] for per-signature detail. Without trustedRootsDerBase64, chainTrust is 'self-signed' (single-cert chain) or 'unverified' (signer rooted in an external CA).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| fields | No | Optional dot-path projection applied to the structured result (e.g. ['allValid'] or ['signatures.valid']). Composes after verbosity. Unknown paths are omitted. | |
| pdfBase64 | Yes | Base64-encoded PDF bytes to verify. | |
| verbosity | No | Response verbosity. 'full' (default) returns the per-signature signatures[] array; 'summary' returns a token-frugal verdict { signatureCount, allValid, invalid, summary } and drops signatures[]. | full |
| trustedRootsDerBase64 | No | Optional list of base64-encoded X.509 root certificates (DER). When supplied, each signer certificate is validated against these roots; otherwise chainTrust is reported as self-signed or unverified. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| summary | Yes | ||
| allValid | Yes | ||
| signatures | Yes | ||
| signatureCount | Yes |