The open-pdf-sign
CLI application allows to
easily sign PDF files from the commandline. Signatures
can be invisible or visible, and visible signatures can be
customized.
- Visible PDF signature in PDF (multi language support)
- Invoke via CLI or via starting a server
- Supported Signature type: PAdES
- Supported Signature profiles:
- BASELINE-B
- BASELINE-T
- To be evaluated: BASELINE-LT, BASELINE-LTA
Download the latest jar archive from the GitHub releases page or in your terminal:
curl -L https://github.com/open-pdf-sign/open-pdf-sign/releases/latest/download/open-pdf-sign.jar -o open-pdf-sign.jar
Make sure that Java is installed in at least version 8.
java -jar open-pdf-sign.jar -i input.pdf -o output.pdf -c certificate.crt -k keyfile.pem -p key_passphrase --page -1 --locale de-AT
Usage:
Options:
-b, --binary
binary output of PDF
Default: false
-c, --certificate
certificate (chain) to be used
--config
use a configuration file
--hint
text to be displayed in signature field
--host
run as server with the given hostname
--image
Image to be placed in signature block
-i, --input
input pdf file
-k, --key
signature key file or keystore
--left
X coordinate of the signature block in cm
Default: 1.0
-l, --locale
Locale, e.g. de-AT
-o, --output
output pdf file
--page
Page where the signature block should be placed. [-1] for last page
-p, --passphrase
passphrase for the signature key or keystore
--port
run as server with the given port
Default: 8090
--timestamp
include signed timestamp
Default: false
--timezone
use specific timezone for time info, e.g. Europe/Vienna
--top
Y coordinate of the signature block in cm
Default: 1.0
--tsa
use specific time stamping authority as source (if multiple given, will
be used in given order as fallback)
Default: []
--width
width of the signature block in cm
Default: 10.0
PDFs can also be signed using your existing Let's Encrypt certificate.
java -jar open-pdf-sign.jar -i input.pdf -o output.pdf \
-c /etc/letsencrypt/live/openpdfsign.org/fullchain.pem \
-k /etc/letsencrypt/live/openpdfsign.org/privkey.pem
If the page
parameter is specified, a visible signature
will be placed on the specified page. For example, running
java -jar open-pdf-sign.jar -i input.pdf -o output.pdf \
-c certificate.crt \
-k key.pem \
--page -1 --logo mylogo.png \
--hint "You can check the validity at signaturpruefung.gv.at"
will place a visible signature looking similar to the image below
on the last page (-1
) of the PDF document.
You can also run open-pdf-sign as a server application in order to
only load certificates once and easily integrate it in applications where
CLI invocations are not possible. Simply add the --port
or --hostname
parameters, e.g.
java -jar open-pdf-sign.jar -i input.pdf -o output.pdf \
-c /etc/letsencrypt/live/openpdfsign.org/fullchain.pem \
-k /etc/letsencrypt/live/openpdfsign.org/privkey.pem
--port 8090 --hostname 127.0.0.1
Then, PDFs can be signed via the specified /pdf
endpoint:
curl --location --request POST 'http://localhost:8090/' \
--header 'Content-Type: application/json' \
--data-raw '{
"input": "/path/to/pdf.pdf"
}'
Instead of CLI parameters, you can also submit a configuration file with the same parameters and the possibility to lead multiple keys, as shown in this example
java -jar open-pdf-sign.jar --config /path/to/config.yaml
- Maven (https://maven.apache.org/)
- JDK 8
mvn package
This project is licensed under the Apache 2.0-License.
The code contained in the org/openpdfsign/dss subfolder
extends and modifies code from the dss project which is licensed under the LGPL-2.1 license.