A few weeks ago I got a signed contract PDF from someone.

It had a little stamp in the corner: "Digitally Signed by Rahul Sharma, Date: 2026-06-01."

I had absolutely no idea if that signature was real.

Not because I'm not technical — I am. But because there was genuinely no easy way to check. Adobe Reader gave me a partial result. Online tools asked me to upload my document to some random server. Government portals were confusing. And most people I spoke to didn't even know the difference between a scanned signature and a legally valid digital signature.

So I built SigVerify — a tool that actually tells you whether an Aadhaar eSign or DSC-signed PDF is cryptographically valid.

The Problem Nobody Talks About

India has massively adopted digital signatures in the last few years. Aadhaar eSign, C-DAC, eMudhra, NSDL — millions of documents are signed every day.

But here's the thing nobody tells you:

A scanned signature image pasted into a PDF is not a digital signature.

Drawing your name on a touchscreen is not a digital signature.

Clicking "I agree" via OTP is not a cryptographic digital signature.

A real digital signature — the kind that's legally valid under IT Act Section 3 and 3A — is a cryptographic object. It's a PKCS#7/PAdES blob embedded in the PDF binary. It contains an X.509 certificate chain. It cryptographically proves three things:

  1. Who signed — their identity is bound to a government-issued certificate
  2. When they signed — a trusted timestamp is embedded
  3. That nothing changed — the document hash is locked at signing time

If any one of these is tampered with, the signature fails. The math doesn't lie.

The problem is — almost nobody verifies this. They just look at the signature stamp and assume it's real.

What SigVerify Actually Does

You upload a PDF. Within a couple of seconds you get:

  • Signer Name — from the actual X.509 certificate, not the PDF stamp
  • Certifying Authority — C-DAC, eMudhra, NSDL, SafeScrypt, etc.
  • Signing Timestamp — both from CMS attributes and the PDF /M field
  • Document Modified? — cryptographic tamper check using ByteRange
  • Certificate Chain — full chain from signer → Intermediate CA → Root CA (CCA India 2022)
  • SHA-256 Fingerprint — of each certificate in the chain
  • CRL & OCSP URLs — for revocation checking
  • Valid at Signing Time? — especially important for Aadhaar's 30-minute session certs

The backend runs Python's cryptography library + OpenSSL. No Adobe API. No third-party black box.

The Aadhaar eSign Rabbit Hole

Aadhaar eSign was the trickiest part to handle.

When you sign a document using Aadhaar OTP, you're not getting a permanent certificate. C-DAC (the technical partner) issues you a session certificate that expires in about 30 minutes. The certificate is real, it's cryptographically signed, it chains up to CCA India 2022 — but by the time anyone tries to verify the document, the cert has already "expired."

This confuses most tools into flagging the document as invalid.

SigVerify handles this correctly — it checks whether the certificate was valid at the time of signing, not whether it's currently valid. An Aadhaar eSign document signed 6 months ago is still perfectly valid if the ByteRange tamper check passes and the signing timestamp falls within the certificate's original 30-minute window.
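The at-signing-time rule described above, as an added example (not SigVerify's code): it parses a PDF /M date together with its UTC offset and compares it with the certificate window, because with a 30-minute window a dropped +05'30' offset flips the verdict. The function names and sample dates are constructed for illustration; a date with no offset is treated as UTC here, which is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS followed by Z or an offset such as +05'30'
PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})"
    r"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?$"
)

def parse_pdf_date(value):
    """Convert a PDF /M date string to a timezone-aware UTC datetime."""
    m = PDF_DATE.match(value.strip())
    if not m:
        raise ValueError(f"not a full PDF date: {value!r}")
    y, mo, d, h, mi, s, _z, sign, oh, om = m.groups()
    offset = timedelta(0)  # assumption: no offset given means UTC
    if sign:
        offset = timedelta(hours=int(oh), minutes=int(om or 0))
        if sign == "-":
            offset = -offset
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def check_signing_time(signed_at, not_before, not_after, now):
    """Judge the certificate at signing time, not at verification time."""
    if not (not_before <= signed_at <= not_after):
        return "signed outside certificate validity window"
    if now > not_after:
        return "valid at signing time (certificate has since expired)"
    return "valid at signing time"

# Constructed sample values, not taken from a real certificate.
NOT_BEFORE = datetime(2026, 6, 1, 5, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(minutes=30)
VERIFY_AT = datetime(2026, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Same wall-clock digits, different offsets: only the IST one is in the window.
    for m_field in ("D:20260601104500+05'30'", "D:20260601104500Z"):
        signed = parse_pdf_date(m_field)
        print(m_field, "->",
              check_signing_time(signed, NOT_BEFORE, NOT_AFTER, VERIFY_AT))
```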

The Tech Stack (briefly)

  • Backend: Node.js + Express on Render, calling a Python script (cryptography + pypdf + OpenSSL subprocess)
  • Frontend: Plain HTML/CSS/JS on Cloudflare Pages
  • Auth: Firebase Google Sign-In
  • Payments: Razorpay (₹30/verification, pay-as-you-go)
  • Database: Firestore for credit tracking

The Python engine is the core — it extracts the PKCS#7 DER blob from the PDF's /Contents field, walks the certificate chain, extracts CRL/OCSP URLs, checks timestamps, and returns a structured JSON report.
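The ByteRange tamper check mentioned above, as an added example rather than SigVerify's own code: it hashes the signed byte ranges and also confirms that they cover the whole file apart from the /Contents hex string, so bytes appended after signing are caught even though the signed digest is unchanged. The sample bytes are constructed, SHA-256 is assumed, and the comparison against the digest stored inside the PKCS#7 blob is outside this example's scope.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def check_byterange(pdf):
    """Return (covers_whole_file, sha256 hex of the signed bytes)."""
    m = BYTE_RANGE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange entry found")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    # The only bytes left unsigned must be the hex string holding the PKCS#7 blob.
    gap = pdf[off1 + len1:off2]
    covers = (
        off1 == 0
        and off2 + len2 == len(pdf)          # nothing appended after signing
        and re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None
    )
    signed = pdf[off1:off1 + len1] + pdf[off2:off2 + len2]
    # SHA-256 is assumed here; a verifier takes the algorithm from the CMS blob.
    return covers, hashlib.sha256(signed).hexdigest()

def build_sample():
    """Constructed stand-in for a signed PDF (not a real document)."""
    head_fmt = b"%%PDF-1.7\n<< /Type /Sig /ByteRange [0 %04d %04d %04d] /Contents "
    hole = b"<" + b"00" * 16 + b">"          # placeholder where the DER blob sits
    tail = b" >>\n%%EOF\n"
    len1 = len(head_fmt % (0, 0, 0))         # fixed-width fields keep this stable
    off2 = len1 + len(hole)
    return head_fmt % (len1, off2, len(tail)) + hole + tail

if __name__ == "__main__":
    original = build_sample()
    appended = original + b"\n% unsigned incremental update\n"
    edited = original.replace(b"PDF-1.7", b"PDF-1.4")
    for name, data in (("original", original), ("appended", appended),
                       ("edited", edited)):
        print(name, check_byterange(data))
```

A file that reports a matching digest but `covers_whole_file` as false contains content the signer never signed.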

Supported Signature Types

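| CA         | Type             | Notes                       |
|------------|------------------|-----------------------------|
| C-DAC      | Aadhaar eSign    | OTP + biometric, 30-min cert |
| eMudhra    | DSC + Aadhaar ASP | Class 3, hardware token     |
| NSDL       | DSC              | PAN-linked                  |
| SafeScrypt | DSC              | Class 3                     |
| Capricorn  | DSC              | DGFT, export docs           |
| NIC CA     | Govt. DSC        | Govt employees only         |
| Adobe Sign | PAdES            | Works                       |
| DocuSign   | PAdES            | Works                       |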

Who It's For

  • Legal professionals who receive signed contracts and need to verify them before relying on them in court.
  • CA firms and auditors who get Aadhaar eSign filings and need to confirm authenticity.
  • HR teams receiving digitally signed offer letter acceptances.
  • Developers who want to validate eSign in their own apps and need a reference to test against.
  • Citizens who signed something with Aadhaar eSign and want to make sure it worked correctly.

Pricing & Free Tier

First verification is free — just sign in with Google and you get 1 credit automatically.

After that it's ₹30 per verification. No subscription. Credits never expire. Buy 5 at once if you need them. This isn't enterprise pricing — it's designed for individuals and small teams.

What's Next

  • OCSP live revocation check
  • Batch verification (multiple PDFs)
  • API access for developers
  • Support for international certificates (GlobalSign, DigiCert)

If you work with signed PDFs in India — contracts, bank documents, government filings, Aadhaar eSign — this tool is for you.

If you find a bug or want to suggest a feature, drop me a message.

— Gaurav Kalal (@gorupa)

Built with Python, Node.js, and a lot of ASN.1 frustration.