How does an electronic signature work?
Cryptographic mechanism, authentication, timestamping, audit trail: the functioning of an electronic signature explained step by step.
Certyneo
Author: Certyneo · About Certyneo

The general principle
An electronic signature is not an image. It is a cryptographic process which links four inseparable elements: the document, the identity of the signatory, the moment of signing and technical proof that nothing was subsequently modified.
This process is based on two pillars: the authentication of the signatory and the integrity of the document.
Step 1: authenticate the signer
Authentication consists of establishing a link between the person signing and a verifiable identity. Several techniques exist, which can be combined:
- Trusted email address: a unique link is sent. Only the email owner can click and sign.
- OTP (One-Time Password) code: a one-time use code is sent by SMS. The signatory enters it to prove that they have the associated telephone number.
- Personal certificate: for the qualified signature, a certificate issued by a qualified service provider proves the identity of the signatory.
The level of requirements varies depending on the signature level targeted (see the differences between levels).
Step 2: calculate the cryptographic fingerprint
Before signing, the platform calculates a fingerprint (hash) of the document. It is a unique sequence of characters that represents the contents of the file. Any change, even of a single character, produces a completely different fingerprint.
The fingerprint works like a seal on the file: it is small (a few dozen bytes) but it guarantees integrity. If someone modifies the document after signing, the fingerprint no longer matches and the signature is invalidated.
Step 3: associate identity and fingerprint
The platform encrypts the fingerprint with a cryptographic key linked to the identity of the signatory (via the PKI for the QES, or via the platform for the SES/AES). The result is the signature token: a digital object which contains:
- the fingerprint of the document
- the identifier of the signer
- the precise timestamp
- the cryptographic signature itself
This token is embedded in the final PDF according to the PAdES (PDF Advanced Electronic Signatures) format, a European standard. Concretely, when you open a signed PDF in Adobe Acrobat Reader, the reader automatically checks the token and displays "Valid Signature" if everything matches.
Step 4: timestamp
The timestamp links the signature to a precise and verifiable time. A qualified timestamp issued by a trusted service provider provides legal proof that the document existed on that date, a decisive argument in the event of a dispute over the commitment date.
See electronic timestamp to understand the role and levels of timestamps.
Step 5: record in the audit trail
At each step of the signature cycle, the platform records a time-stamped event:
- sending of the envelope
- opening by the signatory (with IP and user-agent)
- entry of the OTP
- effective signature
- possible refusal
- expiration
Together, these events constitute the audit trail. This is the operational proof of the process. It is included in the final PDF and kept for 10 years. See electronic signature proof.
What actually happens on the signatory side
From the signatory's point of view, the experience is minimalist:
- He receives an email with a link.
- He clicks and opens the document in his browser.
- He reads, then clicks “Sign”.
- For AES: he enters an SMS code received on his phone.
- It's over. He receives a copy of the signed PDF.
No account to create, no application to install, no certificate to generate (except for QES). Everything is done in 1 to 3 minutes.
What happens on the sender side
The sender controls the process from its dashboard:
- submission of the document (PDF, automatic conversion if Word)
- addition of recipients and placement of signature fields
- choice of signature level and order (parallel or sequential)
- setting automatic reminders and expiration date
- sending
In real time, he sees each envelope go from "sent" to "open" to "signed." Webhooks or push notifications can report these events to a CRM or HRIS.
Why the electronic signature is difficult to forge
- Cryptographic fingerprint: any modification invalidates the signature
- Strong authentication: without access to email AND telephone (for AES), it is impossible to pose as the signatory
- Time-stamped audit trail: each step is traced with IP and user-agent
- Cryptographic keys: the signatory's private key (QES) never leaves their hardware device
- Archiving for 10 years: the proof remains available long after signing
How Certyneo helps you
At Certyneo, the entire cryptographic pipeline runs in the backend on European servers (Germany, IONOS): PDF submission, SHA-256 hash calculation, integration of the PAdES token, timestamping, saving the audit trail in an encrypted PostgreSQL database. You benefit from an eIDAS-compliant process without having to understand the technical details.
Discover the Certyneo electronic signature solution
FAQ
Can I verify a signature without the platform that issued it?
Yes. A signed PDF in PAdES format can be checked by any compatible PDF reader (Adobe Reader, pdfsig, etc.). Even if the issuing platform disappears, the signature remains verifiable.
What happens if I modify the PDF after signing?
The signature becomes invalid. The PDF reader displays a warning "The document has been modified since signing" and the fingerprint no longer matches.
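An added example (not Certyneo's code) of the fingerprint and token check from steps 2 and 3, and of the tamper behaviour described in this answer. HMAC-SHA256 with a constructed demo key stands in for the asymmetric signature a real PAdES token carries; the token layout and the names `make_token` and `verify` are illustrative assumptions, not PAdES structures.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the key the platform binds to the signer.
# A real PAdES signature uses an asymmetric private key and an X.509 certificate.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def fingerprint(document: bytes) -> str:
    """Step 2: SHA-256 fingerprint of the document bytes."""
    return hashlib.sha256(document).hexdigest()

def _seal(fields: dict, key: bytes) -> str:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_token(document: bytes, signer_id: str, signed_at: str, key: bytes) -> dict:
    """Step 3: bind fingerprint, signer identifier and timestamp under one signature."""
    fields = {"fingerprint": fingerprint(document),
              "signer": signer_id,
              "signed_at": signed_at}
    return {**fields, "signature": _seal(fields, key)}

def verify(document: bytes, token: dict, key: bytes) -> str:
    """Return 'valid', 'token-altered' or 'document-modified'."""
    fields = {k: token[k] for k in ("fingerprint", "signer", "signed_at")}
    # First check that the token itself is untouched (constant-time compare).
    if not hmac.compare_digest(_seal(fields, key), token["signature"]):
        return "token-altered"
    # Then check that the document still hashes to the signed fingerprint.
    if not hmac.compare_digest(fingerprint(document), token["fingerprint"]):
        return "document-modified"
    return "valid"

if __name__ == "__main__":
    original = b"Contract: Alice pays Bob 1000 EUR."  # constructed sample
    token = make_token(original, "alice@example.com", "2024-01-15T10:30:00Z", DEMO_KEY)
    print(verify(original, token, DEMO_KEY))
    print(verify(b"Contract: Alice pays Bob 9000 EUR.", token, DEMO_KEY))
    backdated = {**token, "signed_at": "2023-01-15T10:30:00Z"}
    print(verify(original, backdated, DEMO_KEY))
```

Swapping in a new document together with a recomputed fingerprint still fails, because the signature covers the fingerprint field as well as the signer and timestamp.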
How long does an electronic signature last?
The signature remains valid as long as the cryptographic algorithms used are valid. To guarantee long-term validity, PAdES-LTA (Long Term Archive) formats are used, which include qualified timestamps that are regenerated periodically.
Can we sign several documents at once?
Yes. A Certyneo envelope can contain several documents which are all signed with a single click. Each document keeps its own imprint but the audit trail is common.
Does the fingerprint reveal the contents of the document?
No. The fingerprint is a one-way street: you can calculate the fingerprint from the document, but not find the document from the fingerprint. This is one of the fundamental properties of cryptographic hash functions.
Conclusion
An electronic signature is a cryptographic process which verifiably links a signatory, a document, a date and a consent. The signer doesn't have to understand any of this — for them, it's a click and an SMS code. For you, it is solid, archived, usable proof.
Try Certyneo to send, sign and track your documents online simply, quickly and securely.