How does an electronic signature work?

The general principle

An electronic signature is not an image. It is a cryptographic process that links four inseparable elements: the document, the identity of the signatory, the moment of signature and technical proof that nothing has been altered afterwards.

This process is based on two pillars: authentication of the signatory and integrity of the document.

Step 1: authenticating the signatory

Authentication consists of establishing a link between the person who affixes their signature and a verifiable identity. Several techniques exist and can be combined:

• Trusted email address: a unique link is sent. Only the email account holder can click and sign.

• OTP code (One-Time Password): a single-use code is sent by SMS. The signatory enters it to prove they possess the associated phone number.

• Personal certificate: for qualified signature, a certificate issued by a qualified service provider proves the signatory's identity.

The level of requirement varies depending on the signature level aimed for — see the differences between levels.

Step 2: calculating the cryptographic fingerprint

Before signing, the platform calculates a fingerprint (hash) of the document. This is a unique sequence of characters that represents the content of the file. Any modification, even of a single character, produces a completely different fingerprint.

The fingerprint is like a digital signature of the file: it is small (a few dozen bytes) but it guarantees integrity. If someone modifies the document after signing, the fingerprint no longer matches — the signature is invalidated.

Step 3: associating identity and fingerprint

The platform encrypts the fingerprint with a cryptographic key linked to the signatory's identity (via PKI for QES, or via the platform for SES/AES). The result is the signature token: a digital object that contains:

• the document's fingerprint

• the signatory's identifier

• the precise timestamp

• the cryptographic signature itself

This token is embedded in the final PDF according to the PAdES (PDF Advanced Electronic Signatures) format, a European standard. Concretely, when you open a signed PDF in Adobe Acrobat Reader, the reader automatically verifies the token and displays "Valid signature" if everything matches.

Step 4: timestamping

Timestamping links the signature to a precise and verifiable instant. A qualified timestamp issued by a trusted service provider provides legal proof that the document existed on that date — a decisive argument in case of dispute over the engagement date.

See electronic timestamping to understand the role and levels of timestamping.

Step 5: recording in the audit trail

At each step of the signature cycle, the platform records a timestamped event:

• envelope sending

• opening by the signatory (with IP and user-agent)

• OTP entry

• effective signature

• possible rejection

• expiration

The whole constitutes the audit trail. This is operational proof of the process. It is integrated into the final PDF and retained for 10 years. See proof of electronic signature.

What actually happens on the signatory's side

From the signatory's perspective, the experience is minimal:

• They receive an email with a link.

• They click and open the document in their browser.

• They read, then click "Sign".

• For AES: they enter an SMS code received on their phone.

• That's it. They receive a copy of the signed PDF.

No account to create, no application to install, no certificate to generate (except for QES). Everything is done in 1 to 3 minutes.

What happens on the sender's side

The sender pilots the process from their dashboard:

• document deposit (PDF, automatic conversion if Word)

• adding recipients and placing signature fields

• choice of signature level and order (parallel or sequential)

• setting up automatic reminders and expiration date

• sending

In real time, they see each envelope move from "sent" to "opened" to "signed" status. Webhooks or push notifications can relay these events to a CRM or HRIS.

Why electronic signature is hard to forge

• Cryptographic fingerprint: any modification invalidates the signature

• Strong authentication: without access to email AND phone (for AES), impossible to impersonate the signatory

• Timestamped audit trail: each step is traced with IP and user-agent

• Cryptographic keys: the signatory's private key (QES) never leaves their hardware device

• 10-year archiving: the proof remains usable long after signature

How Certyneo helps you

At Certyneo, the entire cryptographic pipeline runs in the backend on European servers (Germany, IONOS): PDF deposit, SHA-256 hash calculation, PAdES token integration, timestamping, audit trail backup in an encrypted PostgreSQL database. You benefit from an eIDAS-compliant process without having to understand the technical details.

Discover the Certyneo electronic signature solution

FAQ

Can I verify a signature without the platform that issued it?

Yes. A PDF signed in PAdES format can be verified by any compatible PDF reader (Adobe Reader, pdfsig, etc.). Even if the issuing platform disappears, the signature remains verifiable.

What happens if I modify the PDF after signing?

The signature becomes invalid. The PDF reader displays a warning "The document has been modified since signature" and the fingerprint no longer matches.

What is the lifetime of an electronic signature?

The signature remains valid as long as the cryptographic algorithms used are valid. To guarantee long-term validity, PAdES-LTA (Long Term Archive) formats are used that integrate qualified timestamps regenerated periodically.

Can I sign multiple documents at once?

Yes. A Certyneo envelope can contain multiple documents that are all signed with a single click. Each document retains its own fingerprint but the audit trail is shared.

Does the fingerprint reveal the document's content?

No. The fingerprint is one-way: you can calculate the fingerprint from the document, but you cannot retrieve the document from the fingerprint. This is one of the fundamental properties of cryptographic hash functions.

Conclusion

An electronic signature is a cryptographic process that verifiably links a signatory, a document, a date and consent. The signatory doesn't need to understand any of this — for them, it's a click and an SMS code. For you, it's solid proof, archived and enforceable.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.