
How Does an Electronic Signature Work?

Cryptographic mechanism, authentication, time-stamping, audit trail: the functioning of an electronic signature explained step by step.

Certyneo Team · 6 min read


The General Principle

An electronic signature is not an image. It is a cryptographic process that links four inseparable elements: the document, the identity of the signatory, the moment of signature and technical proof that nothing has been modified afterwards.

This process is built on two pillars: authentication of the signatory and integrity of the document.

Step 1: Authenticating the Signatory

Authentication consists of establishing a link between the person who applies their signature and a verifiable identity. Several techniques exist, and can be combined:

  • Trusted email address: a unique link is sent. Only the email holder can click and sign.
  • OTP Code (One-Time Password): a single-use code is sent by SMS. The signatory enters it to prove they own the associated phone number.
  • Personal certificate: for qualified signature, a certificate issued by a qualified provider proves the identity of the signatory.

The level of requirement varies depending on the signature level aimed for — see the differences between levels.

Step 2: Calculate the Cryptographic Fingerprint

Before signing, the platform calculates a fingerprint (hash) of the document. It is a unique sequence of characters that represents the contents of the file. Any modification, even of a single character, produces a completely different fingerprint.

The fingerprint acts as a compact digest of the file: it is small (a few dozen bytes) yet makes any change detectable. If someone modifies the document after signing, the fingerprint no longer matches and the signature is invalidated.

Step 3: Create the Signature Token

The platform then signs the fingerprint with a cryptographic key linked to the identity of the signatory (via PKI for QES, or via the platform for SES/AES). The result is the signature token: a digital object that contains:

  • the document fingerprint
  • the signatory identifier
  • the precise time-stamp
  • the cryptographic signature itself

This token is embedded in the final PDF according to the PAdES (PDF Advanced Electronic Signatures) format, a European standard. Concretely, when you open a signed PDF in Adobe Acrobat Reader, the reader automatically verifies the token and displays "Valid signature" if everything matches.
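
The fingerprint and signature token described above, as an added example that is not Certyneo's code. The key, field names and sample document are constructed, and HMAC-SHA256 with a platform-held key stands in for the asymmetric signature a real PAdES token carries, so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data; the key, names and token layout are assumptions.
PLATFORM_KEY = b"constructed-demo-key-not-a-real-secret"
DOCUMENT = b"%PDF-1.7 constructed sample: Service agreement, fee 1,000 EUR"

def fingerprint(document: bytes) -> str:
    """SHA-256 fingerprint of the document bytes, hex encoded."""
    return hashlib.sha256(document).hexdigest()

def _mac(fields: dict) -> str:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()

def make_token(document: bytes, signer_id: str, signed_at: str) -> dict:
    """Bind fingerprint, signatory and time-stamp under one signature value."""
    fields = {"fingerprint": fingerprint(document),
              "signer": signer_id,
              "signed_at": signed_at}
    return {**fields, "signature": _mac(fields)}

def verify_token(document: bytes, token: dict) -> str:
    """Return 'valid', 'document modified' or 'token forged'."""
    fields = {k: token[k] for k in ("fingerprint", "signer", "signed_at")}
    # Check the signature first: it covers all three fields, not only the hash.
    if not hmac.compare_digest(_mac(fields), token["signature"]):
        return "token forged"
    if not hmac.compare_digest(fingerprint(document), token["fingerprint"]):
        return "document modified"
    return "valid"

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bits that differ between the two SHA-256 fingerprints."""
    x = int(fingerprint(a), 16) ^ int(fingerprint(b), 16)
    return bin(x).count("1")

if __name__ == "__main__":
    token = make_token(DOCUMENT, "alice@example.com", "2024-01-15T10:30:00Z")
    tampered_doc = DOCUMENT.replace(b"1,000", b"9,000")
    print(verify_token(DOCUMENT, token))
    print(verify_token(tampered_doc, token))
    print(verify_token(DOCUMENT, {**token, "signed_at": "2023-01-15T10:30:00Z"}))
    print(differing_bits(DOCUMENT, tampered_doc), "of 256 bits differ")
```

The third check shows why the signature has to cover the signatory and time-stamp as well as the fingerprint: changing either field alone is detected.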

Step 4: Time-stamp

Time-stamping links the signature to a precise and verifiable moment. A qualified time-stamp issued by a trusted provider provides legal proof that the document existed on that date — a decisive argument in case of dispute over the date of commitment.

See electronic time-stamping to understand the role and levels of time-stamping.

Step 5: Record in the Audit Trail

At each stage of the signature cycle, the platform records a time-stamped event:

  • envelope sending
  • opening by the signatory (with IP and user-agent)
  • OTP entry
  • actual signature
  • possible refusal
  • expiration

Together, these events form the audit trail. It is operational proof of the process. It is integrated into the final PDF and retained for 10 years. See proof of electronic signature.

What Actually Happens from the Signatory's Perspective

From the signatory's point of view, the experience is minimal:

  • They receive an email with a link.
  • They click and open the document in their browser.
  • They read, then click "Sign".
  • For AES: they enter an SMS code received on their phone.
  • That is all. They receive a copy of the signed PDF.

No account to create, no application to install, no certificate to generate (except for QES). Everything is done in 1 to 3 minutes.

What Happens from the Sender's Perspective

The sender controls the process from their dashboard:

  • document deposit (PDF, automatic conversion if Word)
  • adding recipients and placing signature fields
  • choosing the signature level and order (parallel or sequential)
  • configuring automatic reminders and expiration date
  • sending

In real time, they see each envelope move from "sent" status to "opened" to "signed". Webhooks or push notifications can feed these events into a CRM or HRIS.

Why Electronic Signature is Difficult to Forge

  • Cryptographic fingerprint: any modification invalidates the signature
  • Strong authentication: without access to both the email AND the phone (for AES), it is impossible to impersonate the signatory
  • Time-stamped audit trail: each step is traced with IP and user-agent
  • Cryptographic keys: the signatory's private key (QES) never leaves their hardware device
  • 10-year archiving: the proof remains usable long after signature

How Certyneo Helps You

At Certyneo, the entire cryptographic pipeline runs in the backend on European servers (Germany, IONOS): PDF deposit, SHA-256 hash calculation, PAdES token integration, time-stamping, audit trail backup in an encrypted PostgreSQL database. You benefit from a process compliant with eIDAS without having to understand the technical details.

Discover the Certyneo electronic signature solution

FAQ

Can I verify a signature without the platform that issued it?

Yes. A PDF signed in PAdES format is verifiable by any compatible PDF reader (Adobe Reader, pdfsig, etc.). Even if the issuing platform disappears, the signature remains verifiable.

What happens if I modify the PDF after signature?

The signature becomes invalid. The PDF reader displays a warning "The document has been modified since signature" and the fingerprint no longer matches.

What is the lifespan of an electronic signature?

The signature remains valid as long as the cryptographic algorithms used are valid. To guarantee long-term validity, PAdES-LTA (Long Term Archive) formats are used, which incorporate qualified time-stamps that are regenerated periodically.

Can I sign multiple documents at once?

Yes. A Certyneo envelope can contain multiple documents that are all signed in a single click. Each document keeps its own fingerprint but the audit trail is shared.

Does the fingerprint reveal the content of the document?

No. The fingerprint is one-way: you can calculate the fingerprint from the document, but you cannot retrieve the document from the fingerprint. This is one of the fundamental properties of cryptographic hash functions.

Conclusion

An electronic signature is a cryptographic process that verifiably links a signatory, a document, a date and consent. The signatory does not need to understand any of this — for them, it is a click and an SMS code. For you, it is solid proof, archived and usable.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.
