What "verifying a signed PDF" actually means
Before the methods, a quick reframe. When you verify a signed PDF, you are really answering three questions at once:
How to Verify a Signed PDF in Under 60 Seconds
3 Methods That Actually Work
Someone just sent you a signed PDF. Maybe it's a contract, an offer letter, an invoice, a notarized form. The email says "please find attached." The signature at the bottom looks fine. The name matches. The date matches. What you don't know yet is whether any of that is real.
Most people, at this point, click the file, glance at it, and move on. In 2026, that's a liability. AI-generated fakes now pass casual inspection easily, and even documents that were originally signed correctly can be altered after the fact in ways that are invisible to the eye.
The good news: verifying a signed PDF takes less than a minute if you know the three methods. This guide walks through each one, when to use it, and what to do when verification fails.
- Authenticity — did the document actually come from who it claims to come from?
- Integrity — has anything in the file been changed since it was signed?
Validity — is the signature itself still legally current, with valid certificates and no revocations?
A good verification method answers all three. A bad one (like eyeballing the signature block) answers none. The three methods below — built-in PDF verification, QR code scan, and hash comparison — cover the full spectrum, from the easiest to the most rigorous. Pick the right tool for the moment.
Method 1: Built-in PDF verification (Adobe Acrobat, Apple Preview, modern browsers)
Use this when: the PDF has an embedded digital signature and you have a standard PDF reader.
Time: 20–40 seconds.
Most modern PDFs that have been properly e-signed contain a cryptographic signature block inside the file. Any reasonably recent PDF reader can verify that block automatically — you just have to know where to look.
In Adobe Acrobat Reader
Open the PDF.
Look for a blue or yellow banner at the top of the document that says "Signed and all signatures are valid" or "At least one signature has problems." That banner is the verification result.
Click the Signature Panel button in the banner (or open View → Show/Hide → Navigation Panes → Signatures).
Expand the signature entry. You'll see: the signer's name, the signing time, the certificate issuer, and a "Signature Details" section.
Click Signature Properties for the full audit record — certificate chain, timestamp authority, revocation status, and whether the document has been modified since signing.
A valid signature in Acrobat produces a green checkmark. A problem signature — expired certificate, modified document, unknown signer — produces a warning or red X. Either way, you have a verdict in seconds.
In Apple Preview (macOS)
Preview's signature support is lighter than Acrobat's, but it still shows signature blocks and flags obvious issues. For anything important, download the PDF and open it in Adobe Acrobat Reader (free) instead — Preview sometimes silently renders signed PDFs without showing signature warnings, which is worse than useless.
In modern browsers
Chrome, Edge, Firefox, and Safari will display signed PDFs but their native verification is hit-or-miss. As a rule: never trust browser-based PDF verification for anything important. Download the file. Open it in a real PDF reader.
What to check in the signature panel
Even when the big banner says "valid," take fifteen more seconds to look at four things:
- Signer name and email. Do they match the sender you expected?
Signing time. Is it consistent with when the document was supposedly signed?
Certificate issuer. A trusted CA (DigiCert, GlobalSign, Sectigo, Entrust, etc.) is expected. An unknown or self-signed issuer is a warning sign.
"Document has not been modified since it was signed." This line, or its equivalent, is the single most important piece of the panel. If the document has been modified after signing, even the "valid" status changes meaning.
Method 2: QR code verification
Use this when: the PDF displays a QR code on one or more pages — common for documents issued by modern verification-first platforms.
Time: 10–20 seconds.
This is the method the next generation of verification-native platforms is converging on, because it requires zero software, works for both paper and digital versions of a document, and can be executed by anyone with a phone.
The steps
Open your phone camera (iPhone, Android, or any modern phone camera natively reads QR codes — no app required).
Point it at the QR code on the document.
A URL preview will appear. Before you tap, read the URL. It should be on the issuer's real domain (e.g., verifydoc.ai/verify/...). Lookalike domains or URL shorteners are red flags.
Tap to open the verification page.
Read the verdict. A legitimate verification page shows: issuer identity, recipient identity, issue date, document type, specific document ID, the cryptographic hash comparison, and authenticity status (verified, tampered, revoked, or expired).
Cross-check the details on the verification page against the document itself. The document ID on the page should match the document ID printed on the document. The recipient name should match. The issue date should match. If any of those disagree, the document is either counterfeit or linked to the wrong record.
Why this method is so powerful
Three reasons. First, it works the same way whether the document is a digital PDF or a printed paper — the QR code travels. Second, it exposes the underlying cryptographic hash comparison through a simple web page, so non-technical people can use sophisticated verification without understanding the math. Third, it's decentralized: the verifier doesn't need to trust you, they just need to trust the issuer's domain, which anyone can audit independently.
The catch: the document has to have been issued with a QR code in the first place. For inbound documents without one, fall back to Method 1 or Method 3. For documents your own business issues, this is the method you want to make available to every recipient — it's the foundation of document authenticity in 2026.
Method 3: Hash comparison (for the paranoid or regulated)
Use this when: you need cryptographic certainty, you're in a regulated industry, or you're verifying a document whose original hash you already have from a trusted source.
Time: 30–60 seconds.
This is the most rigorous option. It answers the integrity question directly: is the file I have right now byte-for-byte identical to the file the issuer originally created?
- The steps (macOS/Linux terminal)
bashshasum -a 256 your-file.pdf
This returns a 64-character hash like a3c1...9f2b.
- The steps (Windows PowerShell)
powershellGet-FileHash .\your-file.pdf -Algorithm SHA256
Same result, same length.
What to do with the hash
Compare it character-by-character to the hash published by the issuer. If they match exactly, the document is intact. If even one character differs, something in the file has changed since the issuer produced it — a single-pixel edit to a scanned signature, an inserted page, an invisibly-swapped character — and the document should be treated as unverified.
The issuer typically publishes the expected hash in one of three places:
On a verification page linked from a QR code.
In a separate "verification receipt" email sent at the time of issuance.
In a registry or ledger — sometimes a blockchain anchor — controlled by the issuer.
Note: hash comparison only works on unmodified files. If you printed and re-scanned the document, the hash will not match — because the bytes of the scanned file are not the same as the bytes of the original. For printed-paper verification, use Method 2 (QR code) instead.
What the verification result actually tells you
The output you get from any of these methods falls into one of four buckets. Knowing what each one means matters.
Verified / Valid. The signature is legitimate, the certificate is current, and the document has not been modified since signing. This is the result you want. You can action the document with confidence.
Valid with warnings. The signature itself is cryptographically sound, but something secondary is off — an expired certificate, a signer whose CA you don't recognize, a signing time that precedes the certificate's issue date. Proceed only after resolving the specific warning. Ninety percent of the time, it's benign. The other ten percent is fraud.
Invalid / Tampered. The cryptographic check failed. The document has been modified after signing, or the signature block has been altered, or the underlying certificate is not trusted. Do not action the document. Contact the purported issuer through a known channel (not a channel on the document itself) to request a fresh copy and investigate.
Revoked / Expired. The signature was once valid but the underlying certificate has been revoked or has expired. For current actions, this matters — a revoked signature means the signer's authority to sign has been withdrawn. For historical records, it may not matter if the document was properly archived before revocation.
What to do if verification fails
First: do not action the document. Full stop. Do not wire the funds, sign the counter-party, onboard the employee, approve the claim. The cost of pausing for an hour while you investigate is almost always smaller than the cost of processing a forged document.
Second: contact the purported sender through a separate channel. A phone number from your own records. An email to a domain you've verified independently. A Slack DM if it's internal. Not a reply to the email the document arrived on, because if the sender's account is compromised, you'll be replying to the attacker.
Third: preserve evidence. Save the original file. Screenshot the verification error. Note the timestamp, sender email, and any URLs visible in the email. These will matter if fraud is confirmed.
Fourth: if the pattern matches AI-generated document fraud — manufactured urgency, off-channel delivery, lookalike domains — assume the attack is targeted and notify whoever owns security in your organization. Similar attempts are probably already in other inboxes.
Make this a 60-second team habit
Verification only works if it happens. The teams that get this right build verification into the normal rhythm of handling documents, not into a separate "security process" that gets skipped when things get busy.
A few moves that work:
One of the three methods on every document that touches money, hiring, or legal. Pick the fastest method available for each document type. Train the team on the decision tree: QR code first, built-in signature panel second, hash check for high-stakes items.
Put the 60-second ritual on the wall. Literally. A printed sheet near the person who opens the mail. See the 7 red flags guide for a checklist-friendly version.
Make it safe to pause. No one should fear slowing down a transaction to verify, including requests from senior leaders. Especially those.
Issue your own documents with QR codes so your recipients can run Method 2 on you. This is the single move that most reduces both your inbound fraud risk and your outbound trust friction.
- Frequently asked questions
Can I verify a signed PDF without Adobe Acrobat?
Yes. On macOS, Preview will show most signatures but is unreliable for warnings — use Adobe Acrobat Reader (free) for anything important. On Windows, PDF-XChange Editor and Foxit Reader both verify digital signatures. For QR-verified documents, your phone camera is all you need.
What if the PDF has a signature image but no digital signature?
A pasted image of a signature with no underlying cryptographic signature is essentially unverifiable and has low evidentiary weight if disputed. Treat it as an unsigned document until you get a properly signed version from the sender.
How do I know if a PDF has a digital signature at all?
Open it in Adobe Acrobat Reader. If there's a signature, you'll see a banner at the top and a Signatures panel in the navigation sidebar. If there's no banner and no panel entries, there is no digital signature — only a visual representation of one.
Is the signature still valid if the certificate has expired?
For most purposes, yes — a signature applied while the certificate was valid remains valid after expiry, provided the signature was timestamped by a trusted time authority. What you should not do is rely on an expired certificate for new signatures.
Can I verify a signed PDF on my phone?
QR-verified documents: yes, easily. Documents with only an embedded digital signature: it's possible with Adobe Acrobat's mobile app, but the desktop experience is significantly better. For anything important, verify on desktop.
What does "signature invalid" really mean?
It means the cryptographic check failed. Either the document has been modified since signing, the certificate chain doesn't verify, or the signature block itself is corrupted. Any of these should be treated as a stop-the-line event.
Where to go from here
Three methods. Under a minute each. Together they cover every common verification scenario — embedded PDF signatures, QR-code-issued documents, and cryptographic hash checks. The only habit that matters is running one of them every time a document of consequence hits your inbox.
If you want the full picture of how signed documents fit into modern verification — electronic signatures, digital signatures, QR codes, certificates of authenticity, and the legal frameworks behind them — start with our pillar guide: How to Verify Document Authenticity in 2026. To dig deeper on the signature layer specifically, see Electronic Signature vs. Digital Signature.
Want your own documents to be verifiable in ten seconds by anyone with a phone? Try VerifyDoc.ai free and issue your first document with an attached QR-linked certificate of authenticity.