Digitally signing a PDF with the GlobalSign Qualified Signing Service

Digitally signing a PDF with the GlobalSign Qualified Signing Service

Three years ago GlobalSign introduced their Digital Signing Service which allowed the digital signature signing process to be run remotely. The service has now been updated to add Qualified Signatures, and so we've updated our API to match.

Qualified Signatures in this context is a term from eIDAS, the EU-wide digital identity initiative. From a purely practical point if view, the big change is that the signer has to be identified at the time of signing. GlobalSign do this with a mobile app linked to an identity, which may be an individual or an organisation. The App is used to approve the signature at the time of signing.

While this could potentially be very complicated, in truth we found the process quite simple to integrate, and the API is almost unchanged from the previous version. Here's a an example, based on the one from our API documentation.

import java.util.*;
import org.faceless.pdf2.*;

public class GlobalsignTest {
  public static void main(String[] args) throws Exception {
    String apikey = "...";                   // supplied by GlobalSign
    String apisecret = "...";                // supplied by GlobalSign
    String path = "keystore.pkcs12"; // path to KeyStore with client cert
    char[] password = "password".toCharArray();  // password for KeyStore
    String email = ";

    GlobalSignDSSManager gs = new GlobalSignDSSManager("QSS");
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    keystore.load(new FileInputStream(path), password);
    gs.setLogin(keystore, password, apikey, apisecret);

    PDF pdf = new PDF(new PDFReader(new File(args[0])));
    FormSignature sig = new FormSignature();
    pdf.getForm().getElements().put("Sig1", sig);
    sig.sign(null, null, null, gs.createSignatureHandlerFactory(email));

    System.out.println("Signing " + new Date());
    pdf.render(new FileOutputStream("out.pdf"));  // Calls the App
    System.out.println("Signed " + new Date());

To illustrate the workflow, here is a side-by-side video of this program being run and the iPhone being used to approve the Signature

That really is all there is to it. There's some setup we didn't show of course; we had previously set up an account with GlobalSign, and had registered and confirmed the email address used to identify an identity for signing and the corresponding phone number - a step which can be done with some new methods in the GlobalSignDSSManager class if required.

The end result is a PDF with a Qualified, "Long-Term Valid" Digital Signature. If you don't want to manage your own HSM and don't have the required volume to make the Google or Amazon Cloud-based HSM economical, we think this is a pretty good option.

If you want to get more details around the Qualified Signing Service reach out to