How Does Electronic Signature Work?

The general principle

An electronic signature is not an image. It is a cryptographic process that links four inseparable elements: the document, the identity of the signatory, the moment of signature and technical proof that nothing has been modified afterward.

This process is based on two pillars: authentication of the signatory and integrity of the document.

Step 1: authenticate the signatory

Authentication consists of establishing a link between the person who affixes their signature and a verifiable identity. Several techniques exist, which can be combined:

• Trusted email address: a unique link is sent. Only the email holder can click and sign.

• OTP code (One-Time Password): a single-use code is sent by SMS. The signatory enters it to prove they own the associated phone number.

• Personal certificate: for qualified signature, a certificate issued by a qualified provider proves the signatory's identity.

The level of requirement varies depending on the signature level targeted — see the differences between levels.

Step 2: calculate the cryptographic fingerprint

Before signing, the platform calculates a fingerprint (hash) of the document. It is a unique string of characters that represents the file content. Any modification, even of a single character, produces a completely different fingerprint.

The fingerprint is like a digital signature of the file: it is small (a few dozen bytes) but it guarantees integrity. If someone modifies the document after signing, the fingerprint no longer matches — the signature is invalidated.

Step 3: associate identity and fingerprint

The platform encrypts the fingerprint with a cryptographic key linked to the signatory's identity (via PKI for QES, or via the platform for SES/AES). The result is the signature token: a digital object that contains both:

• the document fingerprint

• the signatory's identifier

• the precise timestamp

• the cryptographic signature itself

This token is embedded in the final PDF according to the PAdES (PDF Advanced Electronic Signatures) format, a European standard. Concretely, when you open a signed PDF in Adobe Acrobat Reader, the reader automatically verifies the token and displays "Valid signature" if everything matches.

Step 4: timestamp

Timestamping ties the signature to a precise and verifiable moment in time. A qualified timestamp issued by a trusted provider provides legal proof that the document existed on that date — a decisive argument in case of dispute about the engagement date.

See electronic timestamping to understand the role and levels of timestamping.

Step 5: record in the audit trail

At each step of the signature cycle, the platform records a timestamped event:

• envelope sending

• opening by the signatory (with IP and user-agent)

• OTP entry

• actual signature

• possible refusal

• expiration

All of this constitutes the audit trail. It is the operational proof of the process. It is integrated into the final PDF and retained for 10 years. See proof of electronic signature.

What actually happens from the signatory's perspective

From the signatory's point of view, the experience is minimal:

• They receive an email with a link.

• They click and open the document in their browser.

• They read, then click on "Sign".

• For AES: they enter an SMS code received on their phone.

• That's it. They receive a copy of the signed PDF.

No account to create, no application to install, no certificate to generate (except for QES). Everything is done in 1 to 3 minutes.

What happens on the sender's side

The sender controls the process from their dashboard:

• document deposit (PDF, automatic conversion if Word)

• adding recipients and placing signature fields

• choice of signature level and order (parallel or sequential)

• setting up automatic reminders and expiration date

• sending

In real time, they see each envelope move from "sent" to "opened" to "signed" status. Webhooks or push notifications can feed these events back into a CRM or HRIS.

Why electronic signature is difficult to forge

• Cryptographic fingerprint: any modification invalidates the signature

• Strong authentication: without access to both the email AND the phone (for AES), it is impossible to impersonate the signatory

• Timestamped audit trail: each step is traced with IP and user-agent

• Cryptographic keys: the signatory's private key (QES) never leaves their hardware device

• 10-year archiving: proof remains actionable long after signing

How Certyneo helps you

At Certyneo, the entire cryptographic pipeline runs in the backend on European servers (Germany, IONOS): PDF deposit, SHA-256 hash calculation, PAdES token integration, timestamping, audit trail backup in an encrypted PostgreSQL database. You benefit from an eIDAS-compliant process without having to understand the technical details.

Discover the Certyneo electronic signature solution

FAQ

Can I verify a signature without the platform that issued it?

Yes. A PDF signed in PAdES format can be verified by any compatible PDF reader (Adobe Reader, pdfsig, etc.). Even if the issuing platform disappears, the signature remains verifiable.

What happens if I modify the PDF after signing?

The signature becomes invalid. The PDF reader displays a warning "The document has been modified since signing" and the fingerprint no longer matches.

What is the lifetime of an electronic signature?

The signature remains valid as long as the cryptographic algorithms used remain valid. To guarantee long-term validity, PAdES-LTA (Long Term Archive) formats are used which incorporate qualified timestamps that are periodically regenerated.

Can you sign multiple documents at once?

Yes. A Certyneo envelope can include multiple documents that are all signed with a single click. Each document retains its own fingerprint but the audit trail is shared.

Does the fingerprint reveal the content of the document?

No. The fingerprint is one-way: you can calculate the fingerprint from the document, but you cannot retrieve the document from the fingerprint. This is one of the fundamental properties of cryptographic hash functions.

Conclusion

An electronic signature is a cryptographic process that verifiably links a signatory, a document, a date and consent. The signatory doesn't need to understand any of this — for them, it's a click and an SMS code. For you, it's solid, archived, actionable proof.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.