How free PDF signing works
freesign lets you sign PDF documents free in your browser, backed by a server-side cryptographic countersignature and a tamper-evident audit trail. Here's exactly what happens when you sign a document.
The signing process
1. Upload your PDF
   You upload the original PDF to freesign. We store it securely and record a SHA-256 hash of the original bytes so any future comparison can confirm the file has not been altered before signing.
2. Place your signature and text
   The document is rendered in your browser using PDF.js. You choose a handwriting-style font, type your name, and drag the signature to the correct position on the page. You can also add dated text fields or initials anywhere on the document.
3. Consent to electronic signing
   Before signing, you are presented with an electronic disclosure notice — required under the U.S. ESIGN Act. You must check the box and click Accept & Continue to proceed. The moment of consent is recorded with your IP address and a precise timestamp.
4. PDF signing runs in your browser
   When you click Sign & Download, pdf-lib — a pure-JavaScript library — embeds your signature image and any text directly into the PDF bytes on your device. The original document bytes never leave your browser during this step.
5. Server countersignature
   The browser-signed PDF is sent to our server, which applies a second, cryptographic signature — a PAdES B-B digital signature — using our dedicated signing certificate and private key. This countersignature covers the entire document (including your visible signature) and permanently seals its contents. Your name, email address, and the timestamp are embedded inside the cryptographic signature structure itself.
6. Download and store
   The countersigned PDF is stored on our server (for 30 days) and immediately downloaded to your device. A SHA-256 hash of the final signed file is recorded in the audit log, giving you a fingerprint you can use at any time to confirm the file has not been modified since it left our server.
The cryptographic countersignature
The server countersignature uses the PAdES B-B (PDF Advanced Electronic Signature — Baseline B) profile, defined in ETSI EN 319 102-1. This is a CAdES (CMS Advanced Electronic Signature) embedded inside the PDF's signature dictionary.
What it protects
A PDF digital signature works by hashing every byte in the document that falls within the ByteRange — which covers the entire file except for the signature container itself. That hash is signed with our private key and stored inside the signature. Any modification to any byte outside the signature container — including your visible signature image, any text you added, or document metadata — would change the hash and invalidate the signature immediately.
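The ByteRange rule described above, as an added example (not freesign's code): it reads the /ByteRange array, hashes the covered bytes, and checks that the two ranges span the whole file except the /Contents gap. The function names and the sample bytes are constructed for illustration; it assumes one signature per file and SHA-256 as the digest, and it does not verify the CMS signature or the certificate.

```python
import hashlib
import re

# /ByteRange [start1 len1 start2 len2] from the signature dictionary.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def byte_range_digest(pdf: bytes):
    """Return (SHA-256 hex of the covered bytes, list of coverage problems).

    Assumes one signature per file and SHA-256 as the digest algorithm.
    """
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    s1, l1, s2, l2 = (int(g) for g in m.groups())
    gap = pdf[s1 + l1:s2]  # should be exactly the hex string of /Contents
    problems = []
    if s1 != 0:
        problems.append("first range does not start at byte 0")
    if s2 + l2 != len(pdf):
        problems.append("second range does not end at end of file")
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        problems.append("gap is not exactly the /Contents hex string")
    digest = hashlib.sha256(pdf[s1:s1 + l1] + pdf[s2:s2 + l2]).hexdigest()
    return digest, problems


def build_sample() -> bytes:
    """Constructed PDF-like bytes with a zero-filled signature placeholder."""
    tmpl = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /Name (Jane Doe) "
            b"/ByteRange [%010d %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 32 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    head_len = len(tmpl % (0, 0, 0, 0))
    s2 = head_len + len(contents)
    return tmpl % (0, head_len, s2, len(tail)) + contents + tail


if __name__ == "__main__":
    signed = build_sample()
    print("as signed:      ", byte_range_digest(signed))
    # A changed byte inside the covered range changes the digest.
    print("edited name:    ", byte_range_digest(signed.replace(b"Jane", b"Jade")))
    # Bytes appended after signing fall outside the range: same digest, flagged.
    print("appended bytes: ", byte_range_digest(signed + b"% appended\n"))
```

The third case is why a validator checks coverage as well as the digest: the hash over the ByteRange is unchanged, yet the file now contains bytes the signature never covered.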
What is embedded in the signature
Inside the CMS SignedData structure, freesign embeds your name, email address, and the signing timestamp in two places: the PDF signature dictionary's /Name, /Reason, and /ContactInfo fields (which are themselves within the ByteRange), and as a JSON object in the contact info field. Because these fields are covered by the ByteRange hash, their integrity is cryptographically guaranteed.
Verifying a signature
Adobe Acrobat Reader and other PDF validators can verify the countersignature natively. freesign also provides a public verification page powered by pyHanko, an open-source Python library for PDF signature validation. Upload any freesign-signed PDF to check:
- Whether the countersignature is present
- Whether the document has been modified after signing
- Whether the signing certificate is trusted
- The signer's name, email, and signing time embedded in the signature
The audit trail
Every freesign document has a complete, append-only event log. No records are ever modified or deleted. The following events are recorded for each document:
| Event | What is recorded |
|---|---|
| doc.uploaded | Filename, file size, SHA-256 hash, IP address, timestamp |
| sign.started | Session created, IP address, timestamp |
| sign.consent | IP address, user agent, precise consent timestamp |
| doc.signed | SHA-256 of the signed PDF, IP address, timestamp |
| doc.countersigned | Confirmation that the PAdES digital signature was applied |
| doc.downloaded | IP address and timestamp of download |
The IP address and user agent are recorded at every step, not just at consent. This provides a complete chain of custody from upload through download.
ESIGN Act compliance
The U.S. ESIGN Act requires that (1) signers affirmatively consent to electronic signing, (2) signers receive a disclosure of their rights, and (3) the signature be attributable to them. freesign satisfies all three:
- Affirmative consent — the signer must check a box and click Accept & Continue before any signing tools become available
- Disclosure — the consent modal displays a full electronic signature disclosure notice
- Attribution — the signer's name and email are embedded in the cryptographic signature; the IP address and timestamp are logged in the audit trail
Frequently asked questions
Can I verify a freesign document without a freesign account?
Yes. The Verify page is fully public. Upload any PDF and freesign will check the cryptographic countersignature and display the signer identity embedded in it — no account required.
What happens if I modify the PDF after downloading it?
Any modification to the file — even changing a single byte — will invalidate the digital countersignature. When you upload the modified file to the Verify page, the check will show that the document's integrity has been broken. The original signed version stored on our server will still be verifiable.
Where is my signing certificate from?
freesign uses a dedicated signing certificate issued for the freesign service. The certificate's common name and thumbprint are displayed on the verification page when you verify a signed document.
How long are documents stored?
Signed documents are stored for 30 days from the date of signing, giving you time to re-download if needed. After that, files are deleted. The audit log entries (without the file contents) are retained indefinitely.
Are freesign signatures legally binding?
Electronic signatures created with freesign meet the technical and procedural requirements of the U.S. ESIGN Act and UETA for most common document types. However, certain documents — such as wills, court orders, and some real estate transactions — may require wet (handwritten) signatures under applicable law. Consult a lawyer if you are unsure whether an electronic signature is appropriate for your situation.
What is PAdES B-B?
PAdES (PDF Advanced Electronic Signatures) is a set of standards for digital signatures in PDF files defined by ETSI. The B-B (Baseline B) profile is the foundational level, providing a cryptographically secure signature with signer identity and signing time. PAdES signatures are recognised under the EU's eIDAS regulation and are accepted by Adobe Acrobat's signature validation engine.