A few weeks ago I got a signed contract PDF from someone.
It had a little stamp in the corner: "Digitally Signed by Rahul Sharma, Date: 2026-06-01."
I had absolutely no idea if that signature was real.
Not because I'm not technical — I am. But because there was genuinely no easy way to check. Adobe Reader gave me a partial result. Online tools asked me to upload my document to some random server. Government portals were confusing. And most people I spoke to didn't even know the difference between a scanned signature and a legally valid digital signature.
So I built SigVerify — a tool that actually tells you whether an Aadhaar eSign or DSC-signed PDF is cryptographically valid.
Check your documents instantly
Try the verification engine for free. No credit card required.
Try SigVerify Free →The Problem Nobody Talks About
India has massively adopted digital signatures in the last few years. Aadhaar eSign, C-DAC, eMudhra, NSDL — millions of documents are signed every day.
But here's the thing nobody tells you:
A scanned signature image pasted into a PDF is not a digital signature.
Drawing your name on a touchscreen is not a digital signature.
Clicking "I agree" via OTP is not a cryptographic digital signature.
A real digital signature — the kind that's legally valid under IT Act Section 3 and 3A — is a cryptographic object. It's a PKCS#7/PAdES blob embedded in the PDF binary. It contains an X.509 certificate chain. It cryptographically proves three things:
- Who signed — their identity is bound to a government-issued certificate
- When they signed — a trusted timestamp is embedded
- That nothing changed — the document hash is locked at signing time
If any one of these is tampered with, the signature fails. The math doesn't lie.
The problem is — almost nobody verifies this. They just look at the signature stamp and assume it's real.
What SigVerify Actually Does
You upload a PDF. Within a couple of seconds you get:
- ✅ Signer Name — from the actual X.509 certificate, not the PDF stamp
- ✅ Certifying Authority — C-DAC, eMudhra, NSDL, SafeScrypt, etc.
- ✅ Signing Timestamp — both from CMS attributes and the PDF /M field
- ✅ Document Modified? — cryptographic tamper check using ByteRange
- ✅ Certificate Chain — full chain from signer → Intermediate CA → Root CA (CCA India 2022)
- ✅ SHA-256 Fingerprint — of each certificate in the chain
- ✅ CRL & OCSP URLs — for revocation checking
- ✅ Valid at Signing Time? — especially important for Aadhaar's 30-minute session certs
The backend runs Python's cryptography library + OpenSSL. No Adobe API. No third-party black box.
The Aadhaar eSign Rabbit Hole
Aadhaar eSign was the trickiest part to handle.
When you sign a document using Aadhaar OTP, you're not getting a permanent certificate. C-DAC (the technical partner) issues you a session certificate that expires in about 30 minutes. The certificate is real, it's cryptographically signed, it chains up to CCA India 2022 — but by the time anyone tries to verify the document, the cert has already "expired."
This confuses most tools into flagging the document as invalid.
SigVerify handles this correctly — it checks whether the certificate was valid at the time of signing, not whether it's currently valid. An Aadhaar eSign document signed 6 months ago is still perfectly valid if the ByteRange tamper check passes and the signing timestamp falls within the certificate's original 30-minute window.
The Tech Stack (briefly)
- Backend: Node.js + Express on Render, calling a Python script (
cryptography+pypdf+ OpenSSL subprocess) - Frontend: Plain HTML/CSS/JS on Cloudflare Pages
- Auth: Firebase Google Sign-In
- Payments: Razorpay (₹30/verification, pay-as-you-go)
- Database: Firestore for credit tracking
The Python engine is the core — it extracts the PKCS#7 DER blob from the PDF's /Contents field, walks the certificate chain, extracts CRL/OCSP URLs, checks timestamps, and returns a structured JSON report.
Supported Signature Types
| CA | Type | Notes |
|---|---|---|
| C-DAC | Aadhaar eSign | OTP + biometric, 30-min cert |
| eMudhra | DSC + Aadhaar ASP | Class 3, hardware token |
| NSDL | DSC | PAN-linked |
| SafeScrypt | DSC | Class 3 |
| Capricorn | DSC | DGFT, export docs |
| NIC CA | Govt. DSC | Govt employees only |
| Adobe Sign | PAdES | Works |
| DocuSign | PAdES | Works |
Who It's For
- Legal professionals who receive signed contracts and need to verify them before relying on them in court.
- CA firms and auditors who get Aadhaar eSign filings and need to confirm authenticity.
- HR teams receiving digitally signed offer letter acceptances.
- Developers who want to validate eSign in their own apps and need a reference to test against.
- Citizens who signed something with Aadhaar eSign and want to make sure it worked correctly.
Pricing & Free Tier
First verification is free — just sign in with Google and you get 1 credit automatically.
After that it's ₹30 per verification. No subscription. Credits never expire. Buy 5 at once if you need them. This isn't enterprise pricing — it's designed for individuals and small teams.
What's Next
- OCSP live revocation check
- Batch verification (multiple PDFs)
- API access for developers
- Support for international certificates (GlobalSign, DigiCert)
If you work with signed PDFs in India — contracts, bank documents, government filings, Aadhaar eSign — this tool is for you.
If you find a bug or want to suggest a feature, drop me a message.
— Gaurav Kalal (@gorupa)
Built with Python, Node.js, and a lot of ASN.1 frustration.