Spaces:
Running
Running
| .\" Copyright 2011 The Poppler Developers - http://poppler.freedesktop.org | |
| .TH pdfsig 1 "28 October 2015" | |
| .SH NAME | |
| pdfsig \- Portable Document Format (PDF) digital signatures tool | |
| .SH SYNOPSIS | |
| .B pdfsig | |
| [options] | |
| .RI [ PDF-file ] | |
| .RI [ Output-file ] | |
| .SH DESCRIPTION | |
| .B pdfsig | |
| verifies the digital signatures in a PDF document. | |
| It also displays the identity of each signer | |
| (commonName field and full distinguished name of the signer certificate), | |
| the time and date of the signature, the hash algorithm used for signing, | |
| the type of the signature as stated in the PDF and | |
| the signed ranges with a statement wether the total document is signed. | |
| It can also sign PDF documents (options -add-signature or -sign). | |
| .PP | |
| pdfsig uses the trusted certificates stored in the Network Security Services (NSS) Database. | |
| .PP | |
| pdfsig also uses the Online Certificate Status Protocol (OCSP) (refer to http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) to look up the certificate online and check if it has been revoked (unless -no-ocsp has been specified). | |
| .PP | |
| The NSS Database is searched for in the following locations: | |
| .IP \(bu | |
| If the \-nssdir option is specified, the directory specified by this option. | |
| .IP \(bu | |
| The NSS Certificate database in the default Firefox profile. i.e. $HOME/.mozilla/firefox/*.default. | |
| .IP \(bu | |
| The NSS Certificate database in /etc/pki/nssdb. | |
| .SH OPTIONS | |
| .TP | |
| .B \-nssdir "[prefix]directory" | |
| Specify the database directory containing the certificate and key | |
| database files. See certutil(1) -d option for details of the | |
| prefix. If not specified the other search locations described in | |
| .B DESCRIPTION | |
| are used. | |
| .TP | |
| .B \-nss-pwd "password" | |
| Specify the password needed to access the NSS database (if any). | |
| .TP | |
| .B \-nocert | |
| Do not validate the certificate. | |
| .TP | |
| .B \-no-ocsp | |
| Do not perform online OCSP certificate revocation check (local Certificate Revocation Lists (CRL) are still used). | |
| .TP | |
| .B \-no-appearance | |
| Do not add appearance information when signing existing fields (signer name and date). | |
| .TP | |
| .B \-aia | |
| Enable the use of Authority Information Access (AIA) extension to fetch missing certificates to build the certificate chain. | |
| .TP | |
| .B \-dump | |
| Dump all signatures into current directory in their native format. Most likely it is either a unpadded or zero-padded CMS/PKCS7 bundle. | |
| .TP | |
| .B \-add-signature | |
| Add a new signature to the document. | |
| .TP | |
| .B \-new-signature-field-name " name" | |
| Specifies the field name to be used when adding a new signature. A random ID will be used by default. | |
| .TP | |
| .B \-sign " field" | |
| Sign the document in the specified signature field present in the document (must be unsigned). Field can be specified by field name (string) or the n-th signature field in the document (integer). | |
| .TP | |
| .B \-nick " nickname" | |
| Use the certificate with the given nickname for signing (NSS backend). If nickname starts with pkcs11:, it's treated as PKCS#11 URI (NSS backend). If the nickname is given as a fingerprint, it will be the certificate used (GPG backend) | |
| .TP | |
| .B \-backend " backend" | |
| Use the specified backeng for cryptographic signatures | |
| .TP | |
| .B \-kpw " password" | |
| Use the given password for the signing key | |
| (this might be missing if the key isn't password protected). | |
| .TP | |
| .B \-digest " algorithm" | |
| Use the given digest algorithm for signing (default: SHA256). | |
| .TP | |
| .B \-reason " reason" | |
| Set the given reason string for the signature (default: no reason set). | |
| .TP | |
| .B \-etsi | |
| Create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached. | |
| .TP | |
| .B \-list-nicks | |
| List available nicknames in the NSS database. | |
| .TP | |
| .B \-list-backends | |
| List available backends for cryptographic signatures | |
| .TP | |
| .B \-v | |
| Print copyright and version information. | |
| .TP | |
| .B \-h | |
| Print usage information. | |
| .RB ( \-help | |
| and | |
| .B \-\-help | |
| are equivalent.) | |
| .SH EXAMPLES | |
| .TP | |
| pdfsig signed_file.pdf | |
| Displays signature info for signed_file.pdf. | |
| .TP | |
| pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick my-cert -reason 'for fun!' | |
| Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate. | |
| .TP | |
| pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick 'pkcs11:token=smartcard0;object=Second%20certificate;type=cert' | |
| Same, but uses a PKCS#11 URI as defined in IETF RFC 7512 to select the certificate to be used for signing. | |
| .TP | |
| pdfsig input.pdf output.pdf -sign 0 -nss-pwd password -nick my-cert -reason 'for fun!' | |
| Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate. input.pdf must have an already existing un-signed signature field. | |
| .SH AUTHOR | |
| The pdfsig software and documentation are copyright 1996-2004 Glyph & Cog, LLC | |
| and copyright 2005-2015 The Poppler Developers - http://poppler.freedesktop.org | |
| .SH "SEE ALSO" | |
| .BR pdfdetach (1), | |
| .BR pdffonts (1), | |
| .BR pdfimages (1), | |
| .BR pdfinfo (1), | |
| .BR pdftocairo (1), | |
| .BR pdftohtml (1), | |
| .BR pdftoppm (1), | |
| .BR pdftops (1), | |
| .BR pdftotext (1) | |
| .BR pdfseparate (1), | |
| .BR pdfunite (1) | |
| .BR certutil (1) | |