The open-pdf-sign
CLI application allows to easily sign PDF files from the command line.
Signatures can be invisible (default) or visible (can be customized).
- Visible PDF signature in PDF (multi language support)
- Invoke via CLI or via starting a server
- Supported signature type: PAdES
- Supported signature profiles:
Download the latest JAR from the GitHub releases page or in your terminal:
curl --location --output open-pdf-sign.jar \
Alternatively, open-pdf-sign is also available on nix, a wrapper is available on npm, and alongside a installer for nginx.
Make sure that Java is installed in at least version 8.
java -jar open-pdf-sign.jar \
--input input.pdf --output output.pdf \
--certificate certificate.crt --key keyfile.pem --passphrase key_passphrase \
--page -1 --locale de-AT
add a blank page to the end of the document before signing
use PAdES profile with long-term validation material
use PAdES profile with long term availability and integrity of validation material
-b, --binary
binary output of PDF
Default: false
-c, --certificate
certificate (chain) to be used
Quality of signature certification (DocMDP) and allowed changes after
Default: certified-minimal-changes-permitted
Possible Values: [not-certified, certified-no-change-permitted, certified-minimal-changes-permitted, certified-changes-permitted]
use a configuration file
-h, --help
prints this page
text to be displayed in signature field
run as server with the given hostname
Image to be placed in signature block
-i, --input
input pdf file
-k, --key
signature key file or keystore
label for the 'hint' row
label for the 'signee' row
label for the 'timestamp' row
X coordinate of the signature block in cm
Default: 1.0
-l, --locale
Locale, e.g. de-AT
don't display a hint row
-o, --output
output pdf file
Page where the signature block should be placed. [-1] for last page
-p, --passphrase
passphrase for the signature key or keystore
run as server with the given port
Contact information of the signer
The signer's location
The signature creation reason
include signed timestamp
Default: false
use specific timezone for time info, e.g. Europe/Vienna
Y coordinate of the signature block in cm
Default: 1.0
use specific time stamping authority as source (if multiple given, will
be used in given order as fallback)
Default: []
prints version of this program
width of the signature block in cm
Default: 10.0
PDFs can also be signed using your existing Let's Encrypt certificate.
java -jar open-pdf-sign.jar --input input.pdf --output output.pdf \
--certificate /etc/letsencrypt/live/ \
--key /etc/letsencrypt/live/
Sign documents with signatures that provides the long-term availability
of the validation material by incorporating all the material
or references to material required for validating the signature.
For this, using a timestamp is needed.
java -jar open-pdf-sign.jar --input input.pdf --output output.pdf \
--certificate /etc/letsencrypt/live/ \
--key /etc/letsencrypt/live/ \
--timestamp --tsa
If the page
parameter is specified, a visible signature will be placed on the specified page.
For example, running
java -jar open-pdf-sign.jar --input input.pdf --output output.pdf \
--certificate certificate.crt \
--key key.pem \
--page -1 --image mylogo.png \
--hint "You can check the validity at"
will place a visible signature looking similar to the image below on the last page (-1
) of the PDF document.
You can also run open-pdf-sign as a server application in order to only load certificates once and easily integrate it in applications where CLI invocations are not possible.
Simply add the port
or host
parameters, e.g.
java -jar open-pdf-sign.jar --input input.pdf --output output.pdf \
--certificate /etc/letsencrypt/live/ \
--key /etc/letsencrypt/live/
--port 8090 --host
Then, PDFs can be signed via the specified POST request:
curl --location 'http://localhost:8090/' \
--header 'Content-Type: application/json' \
--data-raw '{"input":"/path/to/pdf.pdf"}'
Instead of specifying everything via CLI parameters, you can also use a configuration file (e.g. this one):
java -jar open-pdf-sign.jar --config /path/to/config.yaml
This way, you could also configure multiple (virtual) hosts.
- Maven
- JDK 8
mvn package
This project is licensed under the Apache 2.0-License.
The code contained in the org/openpdfsign/dss subfolder
extends and modifies code from the dss project which is licensed under the LGPL-2.1 license.
This project received financial support from netidee.