Why Digital Signatures Matter
Digital signatures have become the legal backbone of electronic transactions. Whether a contract, an invoice, or a regulatory filing, the signature binds the signer to the contents and provides non‑repudiation, integrity, and timestamp evidence. Courts and compliance auditors increasingly treat a correctly signed PDF or XML document the same as a wet‑ink signature on paper. Because of that, losing a signature—or altering the signed data without proper re‑signing—can invalidate the entire document, expose organizations to legal risk, and force costly re‑work. The stakes are especially high in sectors such as finance, healthcare, and government, where trust in electronic records is mandatory.
How Conversions Can Break Signatures
Converting a file is rarely a neutral operation. When a PDF containing an embedded PKCS#7 signature is flattened into an image, the cryptographic seal disappears. Some conversion tools strip out XML‑DSig elements, remove certificate references, or rewrite the file’s byte structure, causing the hash that the signature protects to change. Even seemingly harmless actions—like recompressing images, altering line endings, or changing the PDF version—can invalidate a signature if the tool does not preserve the signed byte range. The result is a document that looks identical to the original but fails verification checks.
Types of Digital Signatures You May Encounter
Understanding the signature format guides the choice of conversion method.
- PDF Signatures – Embedded in the PDF catalog, they cover a defined byte range. PDF/A‑3 and PDF/E can retain signatures, while PDF/A‑1 strips them out.
- XML Digital Signatures (XML‑DSig) – Used in e‑invoicing (PEPPOL), e‑procurement, and many government forms. The
<Signature>element must stay intact, and any whitespace changes can invalidate the hash. - CMS/PKCS#7 Containers – Often attached to Office Open XML files (.docx, .xlsx) as separate
Signatureparts. The container can survive format changes if the part hierarchy is preserved. - Detached Signatures – A separate file (e.g., .p7s) that references the original document. Conversions that rename or move the original file break the link unless the signature file is updated.
Pre‑Conversion Checklist
Before you start any batch or single‑file conversion, run through these steps:
- Identify the Signature Type – Use a viewer that can display signature details (Adobe Acrobat, XMLSec, or OpenSSL). Note the hash algorithm, signing certificate, and scope (whole document vs. selected fields).
- Confirm Signature Validity – Verify that the signature is currently valid. A broken signature before conversion will not magically become valid afterward.
- Determine the Destination Format – Not every format can carry a signature. If the target does not support signatures, consider keeping a signed copy in its original format for archival.
- Create a Read‑Only Backup – Store a copy of the signed file in a secure location. This protects you against accidental data loss during conversion.
Choosing a Signature‑Friendly Target Format
When a conversion is unavoidable, pick a format that explicitly supports the signature type.
- PDF → PDF/A‑3 – PDF/A‑3 allows embedding of any file, including signature containers, while preserving visual fidelity.
- DOCX → DOCX – Re‑exporting a Word document to the same OOXML container will retain the CMS signature as long as the conversion engine does not rewrite the
Signaturepart. - XML → XML – Use an XSLT‑aware conversion that does not reformat whitespace. Preserve the original XML declaration and namespace prefixes.
- Image‑Based Scans → PDF (with Signature Layer) – If the original document was signed as a scanned image with a digital seal, embed the image in a PDF that includes the original signature as an annotation rather than flattening it.
A Signature‑Preserving Conversion Workflow
Below is a practical, step‑by‑step workflow that can be implemented manually or automated with scripts.
- Extract the Signature (Optional) – For formats that cannot carry the signature, extract the CMS/PKCS#7 blob using tools like
openssl cms -verify -inform DER -in sig.p7s -noout. Store it as a separate file. - Convert the Core Content – Use a conversion engine that offers a "preserve metadata" flag. Many cloud services expose this via an API parameter; for instance, when using convertise.app, you can select the "keep original signatures" option.
- Re‑embed the Signature – If the destination format supports embedding, insert the signature blob back into the appropriate container (e.g., add the
<Signature>element to an XML document, or embed the CMS part into a DOCX zip archive). - Re‑calculate the Signed Byte Range – For PDF signatures, the byte range is defined in the
/ByteRangearray. After re‑embedding, update this array to reflect any added objects. Libraries like iText 7 or PDFBox provide APIs to rebuild the signature dictionary without invalidating the cryptographic seal. - Validate the Result – Open the converted file in a trusted viewer and run a verification check. For PDFs, Acrobat will show a green check if the signatures remain intact. For XML, run
xmllint --verifywith the appropriate schema and signature file. - Record a Hash of the Final File – Store a SHA‑256 hash of the converted document in a tamper‑evident log. This provides an audit trail showing that the signature was preserved after conversion.
Cloud Conversion and Privacy Concerns
When you offload conversion to a SaaS platform, you trade convenience for control. A privacy‑focused service that processes files entirely in memory and deletes them after the session reduces exposure, but you still need to verify that the service does not strip signatures as part of its sanitization pipeline. Review the provider’s privacy policy, request a data‑processing agreement, and, if possible, run a trial conversion on a non‑sensitive signed document to confirm that the signature survives.
Verifying Signatures After Conversion
A conversion can appear successful while silently corrupting the signature. Systematic verification mitigates this risk:
- Automated Batch Verification – Scripts using
pdfsig(Poppler) for PDFs,xmlsec1for XML, oropenssl cmsfor CMS files can iterate over a folder of converted files and generate a pass/fail report. - Visual Confirmation – Open a sample of the converted files in the original signing application. Look for the signature panel, check the signer’s name, and confirm the timestamp.
- Certificate Revocation Checks – Ensure the certificate used for signing is still valid and not revoked. Some conversion services may strip the CRL or OCSP information; you may need to re‑attach it.
Common Pitfalls and How to Avoid Them
| Pitfall | Why It Breaks the Signature | Remedy |
|---|---|---|
| Converting PDF to image (PNG/JPEG) | The signed byte range is lost because the file becomes a raster image. | Keep a PDF copy for legal purposes; embed the image in a new PDF without re‑signing. |
| Re‑encoding XML with a different character set | Changes the canonical form, breaking the hash. | Preserve the original UTF‑8 encoding and avoid pretty‑printing that alters whitespace. |
| Using a converter that “optimizes” PDF objects | Object streams may be rewritten, altering object IDs referenced by the signature. | Disable optimization flags; choose a converter that offers a "preserve structure" mode. |
| Flattening form fields before conversion | Form field values become part of the visual layer, invalidating field‑level signatures. | Keep fields editable, or create a new signature after flattening if required. |
| Removing or renaming detached signature files | The link between document and .p7s disappears. | Update the reference in the document’s metadata, or bundle the signature inside the container. |
Real‑World Scenarios
Legal Contracts
Law firms often receive contracts signed via Adobe Sign. When a contract needs to be archived in a corporate DMS that only accepts PDF/A‑1, the conversion must retain the original signature. The workflow described above—convert to PDF/A‑3, then use a PDF/A‑1 converter that preserves the signature dictionary—ensures the contract remains enforceable.
E‑Invoicing (PEPPOL)
European e‑invoicing uses XML‑DSig to certify invoices. A supplier may need to convert an invoice from a proprietary XML schema to the PEPPOL BIS format. By preserving the <Signature> element and mapping namespace prefixes correctly, the invoice passes the PEPPOL validator and can be processed by the buyer without re‑signing.
Government Forms
Many public‑sector forms are signed with a detached CMS file. When a department migrates old submissions to a new records‑management system that stores files as DOCX, the conversion script extracts the CMS signature, embeds it in the DOCX package, and updates the reference table. Auditors can later verify the signature against the original document.
Summary
Preserving digital signatures during file conversion is not an afterthought; it is a disciplined process that intertwines cryptographic awareness, format knowledge, and careful tooling. By identifying the signature type, selecting a compatible target format, employing a conversion workflow that extracts, preserves, and re‑embeds signature data, and validating the outcome with automated checks, organizations can maintain legal integrity while still enjoying the flexibility of modern file formats. When cloud conversion services such as convertise.app are part of the pipeline, confirming that the provider respects signature containers and follows a privacy‑by‑design approach adds another layer of assurance. Ultimately, a systematic, verification‑first mindset prevents costly re‑signing cycles and safeguards the trust embedded in every electronic signature.