Skip to content

pdfsigner (Python)

Digitally sign PDF documents with a PKCS#12 keystore and verify their signatures โ€” the PAdES baseline profiles (ETSI EN 319 142) from B-B to B-LTA.

The engine is the pure-Rust pdf_signer crate, wrapped with PyO3: no Java, no OpenSSL, no external tools. It is the Python sibling of the pdfsigner R package.

Install

pip install pdfsignerpy

Pre-built wheels are published for Linux (x86_64 ยท aarch64), macOS (Intel ยท Apple Silicon) and Windows, so installation needs no compiler and no Rust.

Note

The PyPI distribution is pdfsignerpy, but you import pdfsigner (pdfsigner is blocked on PyPI as too similar to pdf-signer).

Why pdfsigner?

Most Python PDF-signing libraries lean on heavy native stacks โ€” OpenSSL via cryptography, a Java runtime, or external tools like Poppler. pdfsigner bundles the entire crypto + PDF pipeline as one self-contained Rust extension, so there is nothing else to install.

  • ๐Ÿฆ€ Zero system dependencies โ€” no OpenSSL, no Java, no Poppler.
  • ๐Ÿ“ฆ Pre-built wheels for Linux/macOS/Windows โ€” pip install and go.
  • ๐Ÿ” Real PAdES B-B โ†’ B-LTA โ€” RFC 3161 timestamps and LTV (/DSS with the chain, CRLs and OCSP).
  • โœ… NIST PKITS-validated RFC 5280 path validation (name constraints + certificate-policy engine).
  • ๐Ÿ”‘ RSA, ECDSA (P-256/P-384) and Ed25519; CRL + OCSP revocation.
  • ๐Ÿ–‹ Visible signatures with an embedded font and a PNG/JPEG logo.
  • ๐Ÿ” The same engine powers the pdfsigner R package.

Quick start

import pdfsigner

pdfsigner.sign_pdf("input.pdf", "signed.pdf", "keystore.p12", "password",
                   signtext="Digitally signed")

for s in pdfsigner.verify_pdf("signed.pdf"):
    print(s["valid"], s["signer"])

See the API reference for every option.

Architecture

pdfsigner (Python) architecture: the Python API calls a PyO3 extension module that links the pure-Rust pdf_signer crate.

import pdfsigner calls a thin PyO3 extension module that links the pure-Rust pdf_signer crate (pinned to v0.1.7). The same engine powers the pdfsigner R package.

Features

  • PAdES B-B โ†’ B-LTA: CAdES signing-certificate-v2, RFC 3161 signature and document timestamps, a /DSS with the chain, CRLs and OCSP.
  • Visible or invisible signatures, embedded TrueType/OpenType font and a PNG/JPEG logo.
  • Incremental updates โ€” multiple signatures compose; earlier ones stay valid.
  • Verification with optional RFC 5280 chain validation (RSA / ECDSA / Ed25519, CRL + OCSP, name constraints, a NIST PKITS-validated policy engine).