Skip to content

Verifying Signatures

GxPSign-signed PDFs contain embedded digital signatures that can be verified offline using any standard PDF reader. This guide explains how to verify a signature and how to install the GxPSign certificate so signatures show as trusted.

Are GxPSign Signatures Legally and Regulatorily Valid?

Yes. GxPSign signatures are fully compliant with 21 CFR Part 11 and EU GMP Annex 11 when using the GxPSign root certificate.

The certificate's role is to prove the document has not been tampered with since it was signed. When GxPSign signs a PDF it calculates a SHA-256 hash of the document and cryptographically seals it using the GxPSign root certificate. If even one character is changed after signing, the hash no longer matches and the signature is immediately reported as invalid.

The GxPSign root certificate is embedded inside every signed PDF. This means the reference certificate travels with the document — it does not depend on GxPSign's servers being available and can be verified independently years after signing.

For GxP users

21 CFR Part 11 and EU Annex 11 require that electronic signatures be uniquely linked to the signer and linked to the record. Both requirements are met through the PAdES cryptographic binding and the GxPSign audit trail. A commercially issued CA certificate is not required for regulatory compliance. See the Certificate Management admin guide for the full regulatory alignment table.

Why Signatures May Appear Untrusted

When you open a signed PDF, your PDF reader checks whether the signing certificate belongs to a trusted Certificate Authority (CA). If GxPSign is using a self-signed certificate (the default), readers like Adobe Acrobat or macOS Preview will display a warning such as:

"The document has been signed but the certificate is not trusted."

This does not mean the signature is invalid — it simply means your machine hasn't been told to trust the GxPSign certificate yet. Once you install it, the warning disappears and signatures show as fully trusted.

Verifying Inside GxPSign

You can verify the cryptographic integrity of a signed document directly in GxPSign without leaving the app:

  1. Open the signature request from the Requests dashboard.
  2. Click Verify PDF Signatures.
  3. GxPSign checks each embedded signature and shows the result — signer name, signing time, and overall validity status.

This verification is independent of your OS trust store.

Installing the GxPSign Certificate

Installing the certificate once is all it takes for PDF readers on that machine to show GxPSign signatures as trusted.

Download the certificate: https://gxpsign.app/certificates/download/

Then follow the steps for your platform:

  1. Double-click the downloaded gxpsign-signing-cert.crt file.
  2. Click Install Certificate… → select Local MachineNext.
  3. Choose Place all certificates in the following store, click Browse, and select Trusted Root Certification Authorities.
  4. Click NextFinish. Accept the security prompt if it appears.
  1. Double-click the .crt file — Keychain Access opens automatically.
  2. Select the System keychain (you'll need an admin password) and click Add.
  3. In Keychain Access, find the GxPSign certificate under Certificates.
  4. Double-click it, expand the Trust section, and set When using this certificate to Always Trust.
  5. Close the window and enter your password to save the change.

Install system-wide so all apps (including PDF viewers) trust the certificate:

sudo cp gxpsign-signing-cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

For Chrome/Chromium:

  1. Go to Settings → Privacy and security → Security → Manage certificates.
  2. Click Authorities → Import, select the .crt file.
  3. Check Trust this certificate for identifying websites and click OK.
  1. Open Acrobat and go to Edit → Preferences → Signatures → Identities & Trusted Certificates → More…
  2. In the panel that opens, select Trusted Certificates on the left.
  3. Click Import, browse to the .crt file, and click Open.
  4. Select the certificate in the list, click Trust, check Use this certificate as a trusted root, and click OK.

Verify the fingerprint

After installing, compare the certificate fingerprint shown in your OS or Acrobat against the SHA-256 fingerprint published on the GxPSign certificate policy page to confirm authenticity.

What to Do If Verification Still Fails

Symptom Likely cause Action
"Certificate is expired" The active certificate has been rotated Re-download from /certificates/download/ and reinstall
"Document has been altered" The PDF was modified after signing Contact the document sender
"Signature is invalid" Corrupted download or PDF Re-download the signed PDF from GxPSign
Warning persists after install Certificate installed in wrong store Ensure it's in Trusted Root (Windows) or System keychain (macOS)

Contact support@gxpsign.app if you continue to have trouble.