Multiple Digital Signatures

TL;DR

Yes, a document can be digitally signed multiple times by different users. Each signature is added on top of the previous one and remains valid as long as each individual signature verifies correctly. The order of signatures doesn’t usually matter, but it’s good practice to keep a record.

How Multiple Digital Signatures Work

Digital signatures use cryptography to ensure authenticity and integrity. When someone signs a document digitally, their software computes a hash (a unique fingerprint) of the document content and then signs that hash with their private key; anyone with the matching public key can verify the result. Adding further signatures doesn’t invalidate previous ones; each one adds another layer of security.

Step-by-Step Guide to Multiple Signatures

  1. Choose a Signing Tool: You’ll need software that supports sequential signing. Common options include Adobe Acrobat, DocuSign, and other PDF signing tools. Make sure the tool supports adding signatures without removing existing ones.
  2. First Signature: The first user signs the document as normal using their digital certificate.
    • Open the document in your chosen software.
    • Select the ‘Sign’ or similar option.
    • Choose your digital certificate.
    • Place the signature on the document and save it.
  3. Second (and Subsequent) Signatures: The next user signs the already signed document.
    • Open the document in your signing software.
    • The software should recognise the existing signature(s).
    • Select ‘Sign’ again, choosing their own digital certificate.
    • Place their signature on the document and save it. Crucially, the tool must append the new signature rather than replace the old one.
  4. Verification: Each user can verify all signatures independently.
    • Open the signed document in your signing software.
    • The software will display a list of all valid signatures and their details (name, date, certificate information).
    • If any signature is invalid, it will be flagged.

Important Considerations

  • Software Compatibility: Not all PDF readers or signing tools handle multiple signatures identically. Test with different software to ensure compatibility.
  • Signature Order: While the order usually doesn’t affect validity, it can be helpful for tracking who signed when. Some systems may display signatures in reverse chronological order.
  • Hash Algorithm: Ensure all signatures use a strong and current hash algorithm (e.g., SHA-256 or higher). Older algorithms might be vulnerable to attacks.
  • Timestamping: Consider using timestamping services when signing. A timestamp proves the document existed in its current form at a specific point in time, adding another layer of trust.
  • Revocation Status: Always check the revocation status of each signer’s certificate before trusting the signatures. A revoked certificate means the signature is no longer valid.

Example using OpenSSL (for advanced users)

While not a typical user workflow, you can demonstrate signing with OpenSSL. These commands produce a detached signature: the signature is written to its own file and document.pdf itself is not changed.

openssl dgst -sha256 -sign private_key.pem -out signature1.bin document.pdf
openssl dgst -sha256 -verify public_key.pem -signature signature1.bin document.pdf  # Verify first signature

(Then repeat the signing process with a different key, writing to a different output file, to add another signature.)
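
The OpenSSL commands above, extended to two signers, as an added example that is not part of the original article. It shows that each signature file verifies on its own and that every signature fails once the document changes. The signer names (alice, bob), the throwaway 2048-bit RSA keys, the file names and the document contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: two independent detached signatures over one file.
# Signer names, keys, paths and document contents are constructed for the demo.
WORK=$(mktemp -d)

# make_signer NAME: generate a throwaway RSA key pair for signer NAME.
make_signer() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null &&
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_as NAME FILE: write a detached SHA-256 signature to FILE.NAME.sig.
sign_as() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.$1.sig" "$2"
}

# verify_as NAME FILE: exit 0 only if NAME's signature matches FILE.
verify_as() {
    openssl dgst -sha256 -verify "$WORK/$1.pub" \
        -signature "$2.$1.sig" "$2" >/dev/null 2>&1
}

# verify_all FILE NAME...: check every listed signer and report each result.
# Returns non-zero if any signature fails.
verify_all() {
    file=$1; shift; rc=0
    for signer in "$@"; do
        if verify_as "$signer" "$file"; then
            echo "$signer: OK"
        else
            echo "$signer: FAILED"; rc=1
        fi
    done
    return $rc
}

DOC="$WORK/document.txt"
printf 'Contract v1: pay 100 units\n' > "$DOC"    # constructed sample content
make_signer alice && make_signer bob
sign_as alice "$DOC" && sign_as bob "$DOC"        # signing order is irrelevant

verify_all "$DOC" alice bob                       # both verify independently
printf 'Contract v1: pay 900 units\n' > "$DOC"    # modify after signing
verify_all "$DOC" alice bob || echo "document changed after signing"
```

Because the signatures are detached, neither signer's file depends on the other's; a PDF signing tool instead stores each new signature inside the document itself.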

Cyber Security Best Practices

  • Protect Private Keys: Keep private keys secure and never share them.
  • Use Trusted Certificates: Obtain digital certificates from reputable Certificate Authorities (CAs).
  • Regularly Audit Signatures: Periodically review signed documents to ensure their validity and integrity.