How does an electronic signature work?
Cryptographic mechanism, authentication, timestamping, audit trail: the workings of an electronic signature explained step by step.
Certyneo Team
Editor — Certyneo
The general principle
An electronic signature is not an image. It is a cryptographic process that links four inseparable elements: the document, the signer's identity, the moment of signature and technical proof that nothing has been modified afterwards.
This process rests on two pillars: authentication of the signer and integrity of the document.
Step 1: authenticate the signer
Authentication consists of establishing a link between the person who affixes their signature and a verifiable identity. Several techniques exist, which can be combined:
- Trusted email address: a unique link is sent. Only the email account holder can click and sign.
- OTP code (One-Time Password): a one-time code is sent by SMS. The signer enters it to prove they own the associated phone number.
- Personal certificate: for qualified signature, a certificate issued by a qualified provider proves the signer's identity.
The authentication requirements depend on the signature level being targeted; see the differences between levels.
Step 2: calculate the cryptographic fingerprint
Before signing, the platform calculates a fingerprint (hash) of the document. It is a unique string of characters that represents the file's content. Any modification, even of a single character, produces a completely different fingerprint.
The fingerprint acts as a compact identifier of the file's exact content: it is small (a few dozen bytes), yet it makes any change detectable. If someone modifies the document after signing, the fingerprint no longer matches and the signature is invalidated.
Step 3: link identity and fingerprint
The platform signs the fingerprint with a private cryptographic key linked to the signer's identity (via PKI for QES, or via the platform for SES/AES). The result is the signature token, a digital object that contains:
- the document fingerprint
- the signer's identifier
- the precise timestamp
- the cryptographic signature itself
This token is embedded in the final PDF according to the PAdES format (PDF Advanced Electronic Signatures), a European standard. Concretely, when you open a signed PDF in Adobe Acrobat Reader, the reader automatically verifies the token and displays "Valid signature" if everything matches.
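The fingerprint and token from Steps 2 and 3, as an added example that is not Certyneo's code: it builds a token from the SHA-256 fingerprint, signer identifier and timestamp, then shows how verification tells a modified document from an altered token. HMAC-SHA256 under a constructed platform key stands in for the asymmetric signature of a real PAdES token; the field names, key and sample document are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real platform keeps its key in an HSM or KMS.
PLATFORM_KEY = b"constructed-demo-key-not-for-production"
TOKEN_FIELDS = ("fingerprint", "signer", "timestamp")  # hypothetical field names


def fingerprint(document: bytes) -> str:
    """Step 2: SHA-256 fingerprint of the document bytes, hex encoded."""
    return hashlib.sha256(document).hexdigest()


def _seal(fields: dict) -> str:
    """HMAC over a canonical JSON encoding of the token fields (stand-in signature)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PLATFORM_KEY, canonical, hashlib.sha256).hexdigest()


def make_token(document: bytes, signer_id: str, signed_at: str) -> dict:
    """Step 3: bind fingerprint, signer identifier and timestamp together."""
    fields = {"fingerprint": fingerprint(document),
              "signer": signer_id,
              "timestamp": signed_at}
    return {**fields, "signature": _seal(fields)}


def verify(document: bytes, token: dict) -> str:
    """Return 'valid', 'token-altered' or 'document-modified'."""
    fields = {name: token.get(name) for name in TOKEN_FIELDS}
    claimed = str(token.get("signature", "")).encode()
    # Check the seal first, so a replaced fingerprint is caught even when it
    # matches the altered file.
    if not hmac.compare_digest(_seal(fields).encode(), claimed):
        return "token-altered"
    stored = str(fields["fingerprint"]).encode()
    if not hmac.compare_digest(fingerprint(document).encode(), stored):
        return "document-modified"
    return "valid"


if __name__ == "__main__":
    original = b"Rent: 1000 EUR per month"   # constructed sample document
    edited = b"Rent: 1900 EUR per month"     # one character changed
    token = make_token(original, "alice@example.com", "2025-01-15T10:30:00Z")
    print(verify(original, token))
    print(verify(edited, token))
    print(verify(edited, {**token, "fingerprint": fingerprint(edited)}))
```

Verifying the seal before comparing fingerprints is what prevents someone from editing the document and simply recomputing the stored hash.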
Step 4: timestamp
Timestamping links the signature to a precise and verifiable moment in time. A qualified timestamp issued by a trusted provider furnishes legal proof that the document existed at that date — a decisive argument in the event of dispute over the date of commitment.
See electronic timestamping to understand the role and levels of timestamping.
Step 5: record in the audit trail
At each step of the signature cycle, the platform records a timestamped event:
- envelope sent
- opened by the signer (with IP and user-agent)
- OTP entry
- effective signature
- possible refusal
- expiration
Together, these events form the audit trail. It is the operational proof of the process. It is integrated into the final PDF and retained for 10 years. See proof of electronic signature.
What actually happens on the signer's side
From the signer's perspective, the experience is minimal:
- They receive an email with a link.
- They click and open the document in their browser.
- They read, then click "Sign".
- For AES: they enter an SMS code received on their phone.
- That's it. They receive a copy of the signed PDF.
No account to create, no application to install, no certificate to generate (except for QES). Everything is done in 1 to 3 minutes.
What happens on the issuer's side
The issuer manages the process from their dashboard:
- document upload (PDF, automatic conversion if Word)
- adding recipients and placing signature fields
- choice of signature level and order (parallel or sequential)
- setting up automatic reminders and expiration date
- sending
In real time, they see each envelope move from "sent" to "opened" to "signed" status. Webhooks or push notifications can feed these events into a CRM or HRIS.
Why electronic signature is difficult to forge
- Cryptographic fingerprint: any modification invalidates the signature
- Strong authentication: without access to both email AND phone (for AES), it's impossible to impersonate the signer
- Timestamped audit trail: each step is traced with IP and user-agent
- Cryptographic keys: the signer's private key (QES) never leaves their hardware device
- 10-year archiving: the proof remains accessible long after signing
How Certyneo helps you
At Certyneo, the entire cryptographic pipeline runs on the backend, on European servers (Germany, IONOS): PDF upload, SHA-256 hash calculation, PAdES token integration, timestamping, audit trail storage in an encrypted PostgreSQL database. You benefit from an eIDAS-compliant process without having to understand the technical details.
FAQ
Can I verify a signature without the platform that issued it?
Yes. A PDF signed in PAdES format is verifiable by any compatible PDF reader (Adobe Reader, pdfsig, etc.). Even if the issuing platform disappears, the signature remains verifiable.
What happens if I modify the PDF after signing?
The signature becomes invalid. The PDF reader displays a warning "The document has been modified since signing" and the fingerprint no longer matches.
What is the lifespan of an electronic signature?
The signature remains valid as long as the cryptographic algorithms used are valid. To guarantee long-term validity, PAdES-LTA (Long Term Archive) formats are used, which integrate qualified timestamps regenerated periodically.
Can you sign multiple documents at once?
Yes. A Certyneo envelope can contain multiple documents that are all signed in a single click. Each document keeps its own fingerprint but the audit trail is shared.
Does the fingerprint reveal the document's content?
No. The fingerprint is one-way: you can calculate the fingerprint from the document, but you cannot retrieve the document from the fingerprint. This is one of the fundamental properties of cryptographic hash functions.
Conclusion
An electronic signature is a cryptographic process that verifiably links a signer, a document, a date and consent. The signer doesn't need to understand any of this — for them, it's a click and an SMS code. For you, it's solid proof, archived and readily available.