For a one-liner, if you use any tool to generate a realistic version of your signature, or do what I do and actually scan a version of your signature once, and then have that as a PNG that you can drop on any PDF of your liking, here's a line to make it look nice and "scanned":
convert "$1" -alpha Off -density 150 -colorspace gray -blur 0.5x0.5 -rotate 0.4 -level 40%,60% "scanned-$1"
convert "$1" -colorspace gray \( +clone -blur 0x1 \) +swap -compose divide -composite -linear-stretch 5%x0% -rotate 1.5 scanned-$1.pdf
The OP also uses a few other flags like `+noise Gaussian` and `-attenuate 0.25` which you could toss in. Same concept, just wanted to share a one-liner you can use if you already have a PDF with a signature on it, and you need that nice "scanned" look.
Checking if a PDF file has been digitally signed, how many signatures are there and if the signatures are all valid is not an easy task! Actually, I only know how to do it in java using bounty castle. To help non-java apps with this I've implemented a small java application that provides a REST (and form) api for uploading a signed PDF file and returning information about the signatures.
It works in my organization for more than 3 years and it's has saved us from hundreds of erroneously signed PDF files! I've open sourced it for anybody having similar requirements: https://github.com/spapas/pdf-sign-check.
Parsing a PDF file is in that list that nobody wants to write themselves. Next to writing a YAML parser.
"For bureaucratic reasons, a colleague of mine had to print, sign, scan and send by email a high number of pages. To save trees, ink, time, and to stick it to the bureaucrats, I wrote this script."
So yes, it does seem like there are situations where a "digital" signature is insufficient.
You also get a confirmation from the recipient when using fax.
...what's the alternative to that "often"? What is a fax machine, if not a scanner attached to a modem?
There are/were "line printers" doing "latch a character from the input line, print the character, unlatch" serial output (which were so common that Unix pipes are designed around the foibles of outputting to such devices.) Most POS thermal receipt printers are still line printers!
I don't know as much about scanners, but I can't imagine that the original (digital, attached to a computer) scanners weren't also "serial scanners"—i.e., rather than a 1D scan head with a long CCD strip that could latch an entire line at a time into a shift register, they would have had 2D scan-heads that would scan one pixel at a time, in a "read brightness, signal ready, wait for return line to unlatch" serial loop. No memory required, just terribly slow.
> fax machines were purely analog devices, not a scanner attached to a modem
Why would an analog scanner not still be a scanner? I'd call whatever component that's in even the oldest fax machines "a scanner." Even if it is "enitrely analog" (continuous brightness intensity read, like a tape head or record-player stylus) you'd still call the process of converting light from a sensor passing over a document, into electricity, scanning, and you'd still call the component that does that "a scanner." Just like speakers and microphones are still "speakers" and "microphones" whether they're just transducers attached to wires, or have a whole ADC+USB/Bluetooth signal path leading out of them. Am I wrong?
I'm talking about the technical sense. Where there is no encryption at all, anyone with a phone line splitter can listen in, and the machines are usually not in a secured area so anyone could just pick up the fax and walk away. Not secure at all.
dd36 and swixmix seem to be taking the other side of that argument.
For the threat model of a physically local attacker with either the right timing (for grabbing an incoming fax) or the right knowledge (for the phone system equivalent of tcpdump), you're quite right that fax is insecure. Likewise for state sponsored adversaries or certain organized crime groups.
But if you just want to make it hard for people scanning the internet to see what juicy corporate espionage they can find and resell, without specifically targeting you, fax is probably less vulnerable to that threat model than, for example, an undermaintained email server. Likewise if you piss off script kiddies somewhere on the internet with botnets and exploit kits, your website is probably a bigger risk than your fax machine.
As I had opened account with them years back, I couldn’t recollect what I had signed then. The clerk at the desk helpfully turned her display for me to take a quick glance at the signature in the file which I copied in the form. Thanked her well.
Dropbox's "Scan Document" feature is great for getting around that. It turns a photo into what looks exactly like a scan. I just sign the document in Preview, and then use the Scan Document feature to just "scan" the document as its displayed on my screen. The result seems indistinguishable from a printed wet ink copy also scanned with Dropbox.
I can set up Apple Pay and use it across devices to make payments worth tens of thousands, but I can’t use the same technology to authenticate a document.
It really boils the blood.
I have a previously-scanned signature that I'd like to re-use. I'd love to simply import the file. Instead I have to print it out and then hold it in front of the camera, trying to get it aligned. It's madness. Is it supposed to be more secure for some reason?
For example, even just assigning everybody unique identifiers (social security number, drivers' license number) has allowed businesses to demand these identifiers to track customers in privately-held surveillance databases. This system has already grown out of control with little sign of stopping.
A "secure" e-signature token would lead to even more businesses demanding your "identity". Imagine having to pay twice as much for groceries for wanting to keep your purchases personal!
I'd much rather suffer the small work of (print, sign, scan, cache, burn) until I see some reigning in of private surveillance databases.
The federal government refuses to issue actual public IDs, which would solve the problem nicely, for political reasons. They can't retract Social Security.
Also, I like rasterized contracts / text, instead of a small pdf + an image, as it's easier to tamper with
I used Preview for the longest time before they questioned 1 of the documents.
This project basically allows you to forge your own signature. Is it still legally binding? Do these rules even remember the original intent?
I've always thought that as long as you can recognize your own signature and declare in a court of law, under oath, that the signature is or is not yours then it's fine.
It's still not foolproof though. An ex of my GF forged her signature and took out a loan in her name. They're still on her ass about that one, despite her claims that the signature isn't hers. They're not taking it to court though, they probably don't have a case. Doesn't stop them from harassing though.
You seem to be of the opinion that since it is possible to forge a signature, it cannot be legally binding.
You are describing bureaucracy.
There are plenty of people who work (and live) by rules that no longer make sense, but hey, they're the rules!
But there's still a delta of time during which old rules continue to be applied in a manner that can feel senseless, while new processes are figured out. :-)
A signature is somewhat harder to take them and checking a checkbox and can be somewhat more easily traced back to the signatory, so it’s probably somewhat better than a checkbox.
You're free to counter and say it's a forgery just as you would be to counter and say someone stole your private key. But the point of a signature in particular is that it's supposed to signal considered intent rather than mindlessly checking a box or being rushed and saying "sure sure whatever."
We pop up dialogs to ask users for confirmation before doing dangerous actions. What's wrong with the paper equivalent?
* TOS - a simple checkbox - or even just a "continue button"
* Moderately large purchase - type your name
* Larger purchase - draw your name
* Major contract - use this widely recognized signature flow
You'd need to perform the DSA algorithm in your head on the content of the contract, using your memorized private key, and write out the resulting signature block.
On the other hand, you would be right in thinking that there is a somewhat anachronistic element of theater in having signatures on electronic documents.
Someone might blithely—-or accidentally—-click continue, but you can’t really sleepwalk your way through signing a document or lining up witnesses to the signing.
Yes, but it used to be difficult. If you can lift an image off one piece of paper and print it on another it becomes easy.
It’s no different than paper currency. If it’s easy to forge, then the real money becomes worthless.
Not in the EU country I live in.
1. We have digital signatures we can use to sign documents and they are legally binding for gov. organizations and optionally every organization that accepts em.
2. For internal documents, metadata is sufficient after organization issues an order.
3. Between orgs, metadata is sufficient if you address that within contract.
At least I remember it being that way few years ago.
This pdf viewable signature stuff is void. Only to make feel some people better.
Though I am not a lawyer.
It's also worth noting that digital signatures throughout the european union have legal status.
Until society catches up and uses cryptographic primitives provided by a national ID smart card (such that Estonia has) for authorizing intents, this is a satisfactory method to make document execution less painful.
This project is already doing the easy part (“place pretty signature picture here”). Depending on your jurisdiction and their tolerance, you could also render a true crypto signature in ascii-armored format to assist in proving legitimacy (perhaps generated as a small print signature line under the signature).
Sidenote: Some transactions require a "wet" signature (as in, actual ink on actual paper from an actual pen). This doesn't get around those transactions unfortunately.
>These ID cards are, however, preparing the way. The more people get used to some new government regulation, restriction, or provision, the more they tolerate it and eventually just learn to live with it. What may at first seem unthinkable and raise howls of protest, later becomes accepted by a few, then many, then most. And that’s how the Antichrist and his agents will capitalize on these compulsory ID cards to prepare the world for what’s next.
Google the term "Dominionism."
Yet, take even the most expansive and uncharitable definition, and still "dominionism" =/= "the end times are at hand and there are signs everywhere of the coming anti-christ, such as national ID cards".
So, yeah, thanks for that.
That's because there's a 95% chance they'll sell it to the likes of Equifax and Experian - what minister could resist the temptation to 'make the system pay for itself' while 'reducing fraud' and 'working with the private sector' - and a 100% chance one of them will then lose it in a breach.
National ID systems are an incredibly bad idea. You can already get the entire authentication benefit from using decentralized ID systems (your bank authenticates you with your bank card, your employer authenticates you with your employee ID), so all a national ID adds is the ability for corporations to correlate all your different identities without your knowledge or consent, which is nothing but a privacy-invasive misfeature. Note that without a centralized ID they could still do it with your knowledge and consent by having you authenticate using multiple decentralized IDs.
Centralized identity is also a huge single point of failure and compromise. It would attract far higher resources from attackers than non-monoculture ID systems do, have far reaching consequences when vulnerabilities are discovered, and take far longer to respond when changes are necessary because of the scope of use.
Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both. The status quo is that any service which requires identity validation is requiring you to provide your SSN, which in internet terms is like authenticating with only a username (no password) on all websites, AND you have to use the SAME username for every different site.
Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.
It's orders of magnitude worse at authentication because that's not what it's for and everyone should immediately stop trying to use it for that. For that matter it would be better if they would stop using it for anything other than its original purpose as a tax ID.
> Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.
But that's exactly the point. That isn't a national ID, it's ordinary public key cryptography which anyone can use right now already. You don't need a national ID for this, just create a new public-private key pair whenever you first interact with a new entity and use it to authenticate yourself to that entity going forward.
> Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both.
But there is no good reason they need to know this, because having a bank account has really nothing to do with having an employer. All your employer should need is your bank account number so they can deposit your paycheck -- or not even that, just to give you a signature authorizing their bank to transfer money to you, where "you" means the person who can prove they hold the private key corresponding to a public key you gave your employer.
Banks shouldn't even need to know your name if things were being done securely, much less your SSN. Having them is nothing but a liability because someone who doesn't know what they're doing could mistake them for an authentication method.
You can't rotate a social security number with reasonable effort, and we can longer treat it as a secret, because it isn't one. It's time to move past it as an identifier.
Or just imagine https://login.gov/ passively collecting information about all the services you're logging into.
I wouldn't be opposed to common login protocol—preferably a distributed or federated one—where the government and other parties can add their own signatures to attest that a particular identity belongs to a certain real-world person, and you can choose which of those signatures you present to any given service. However, having the login itself go through a government server would be an incredibly bad idea.
Proper functioning of democracy and government requires eternal vigilance (apologies to Jefferson).
> Proper functioning of democracy and government requires eternal vigilance
Indeed, and part of that vigilance is pushing back against government involvement in areas they have no business in, such as authentication for non-government services.
We are talking about having better authentication (both more privacy-aware and more flexible) for situations where it's needed. You don't need to validate your identity for email, facebook, or groceries, so obviously this wouldn't apply there. This would apply to things where some ID auth is already taking place (e.g. anything that asks for your SSN, KYC processes in general, etc).
In European continental civil law (as opposing to common law e.g. USA and UK, as far as I understand UK law) there's no such legal concept as "different identities" or legal aliases - you have one identity, and that's it. You must have an official identity (it's a crime for adults to not have that official ID registered/issued) and you can't have more than one. There's no right to assume or use a different identity, doing so for any benefit is fraud or forgery. If you change your name, then that must be published so that it's trivial for anyone to link these "identities", or, more accurately, know that the same identity used a different name until a particular day.
That has some disadvantages (e.g. lack of pseudonymity - either you're not identified at all, or you're fully identified) and some advantages e.g. in commerce it's generally useful to have a strong identification of your counterpart rather than a weak one; and it eliminates a whole class of "identity confusion" for people with matching names and other features - there's a single "source of truth" for identity, and it can reliably distinguish all the different John Smiths.
If we're looking at the risk of compromise, it's worth noting that the whole concept of 'identity theft' is widespread in countries with weak ID systems like USA and not widespread in places with strong centralized IDs like continental Europe. A chain is as strong as its weakest point; if it's plausible that you might be using some weak form of ID (or even just 'something you know' like social security number/mother's maiden name/etc), then someone else can pretend to be you using that weak form of ID.
Suppose you want to take out a mortgage on a house. If you take it out in someone else's name, this is a problem. But suppose that didn't even enter into it. Instead you prove title to the house, i.e. you authenticate to the city title office as owner of that property using the authentication method you established when you bought it, and that proves to the bank that you own the property. You, having authenticated to the city, approve the bank to take a lien out on the house. They accept the lien as collateral for the mortgage loan, and you get a mortgage loan. Your name doesn't enter into it at all, so nobody could use your name to take out a loan. If you don't pay the loan, they don't care one bit what your name is, they just foreclose on your house.
Also, as a counterpoint, most countries have much stronger centralized identities than the USA, and much less trouble with identity theft.
Even in countries with unique, centralized identities, you don't go around handing your government ID to everyone you meet. You use it for official legal business only. In other contexts you still have less formal identities which remain separate from your official identity.
This article is about digital signatures as in digital pictures of a signature. There's some support of them in, for example, some PDF tools. These do not have a legal status in EU.
And there are "digital signatures" as in cryptographic digital verification of documents using private/public key cryptography. This is the type of digital signatures for which EU has a legal status, and in many countries a support for verifying identity - for example, I can cryptographically sign documents using the chip on my gov't ID card, and if I receive such a document, then I can securely verify the identity of the signer without needing any preexisting relationship with them. But this has nothing to do with the pictures of signatures that this article is talking about, that seems to be more like a USA thing.
> A signature may be made (i) manually or by means of a device or machine, and (ii) by the use of any name, including a trade or assumed name, or by a word, mark, or symbol executed or adopted by a person with present intention to authenticate a writing.
IANAL but I would think that this program would fall under "by means of a device" and thus be considered valid.
Crytographic protocols can be added to verify signing, but until every civilian practices perfect opsec (never gonna happen), in-person signatures in front of a notary will always be the way business is done.
Better technology (this program, Photoshop, deepfakes, quantum prime factorization) may actually increase the need for in-person wet signatures.
IIRC, the basic construction is you generate a lattice trapdoor matrix R, such that A*(Rt + e) ~= t. Finding an input p with small coefficients, for some t such that Ap = t reduces to one of lattice reduction problems, since it requires a finding "good" basis for the lattice (if you invert A you'll have huge coefficients, so you can't forge it. Having the trapdoor R to make p = Rt + e lets you use the trapdoor to find the preimage, and the gaussian vector e smudges it so that an attacker can't collect signatures to decipher R (this is learning with errors, another problem that reduces to lattice basis.) So the signature is easy to verify, and the trapdoor matrix is relatively small and efficient to compute (iirc a couple megs and <1s)
Disclaimer: not a cryptographer, just a hobbyist.
as a side note: every time i get a new passport or id card i get told that my signature is not ok as it is (apparently not enough recognizable characters) but when confronted with the question how they would like me to change my signature as seen on all previous documents signed by me they shut up. I think its funny because it probably makes it even more unique.
Unless it's a master forger. I could look at the document and figure out that the signature wasn't mine.
This is legally binding the same way clicking the "Buy" button on Amazon is.
I've encountered this before myself, and so have many other people, and we're all already aware of what you're saying.
This is kind of useful though, I was in shock and horror when I realized one PDF my Adobe Fill & Sign app couldnt... fill and sign, an actual IRS tax form. I don't know why they let you fill most of it out but force you to sign the damn thing. What's even more confusing is other forms don't restrict this, it's just one of the ones I tried (can't remember which one but it was a while ago).
Then I take pride in outputting the cleaniest PDF possible. Never received any complaint. Most people on the receiving end probably print them out, and they appreciate the clean result, compared to what you get when you re-scan it (or intentionally blur it).
That said, for 27 pages (!!) that tool would prove a lifesaver.
One thing I did think about, though, is the legal aspect. Fraud is a serious crime and I wonder if such a thing, however silly, might just be considered fraud. In that case it might not be worth fighting the bureaucracy.
I feel that pain. When your only tool is bureaucracy everything looks like a nail. Or something like that.
I once had what I think was a document for a mortgage application refused because I'd printed it, signed it and took a photo on my phone to email back. Apparently it had to be done with a scanner and a camera was unacceptable.
I didn't have a scanner, so I chanced my arm, desaturated and thresholded the image then resubmitted it. I was thanked and it was accepted.
I actually wrote about the laborious effort to create a pseudo 'false document' by manually using Gimp on my blog; I wrote a very naive back-of-a-napkin pseudo algorithm... I was actually thinking about learning Gimp's Script-Fu to generate the signature with the Ink Tool.
In my country, to leave your home to do shopping in this period, you are required by military ordnance to fill a form stating the reason of leaving your home. You can show it on your mobile phone, but you have to print it, sign by hand and take a picture of it.
Does it support multipage pdf documents and doing multiple signatures per document?
Related to this, perhaps a UI for marking all the spots where signatures are required would make this tool extremely powerful!
The ui is going to be a lot more complicated to code. Maybe I'll give it a try someday.
Will try on other less official stuff though ha
I've been doing this manually by adding my signature in GIMP and taking a photo of my laptop screen.
Their security implementation or the authenticity mechanism they have for recording is not even really up for scrutiny, so long as they can provide some kind of proof that the signing occurred and that the counterparty signed with an understanding that the electronic signature was the same as a real signature.
I strongly suspect there are many thousands of cases in which a contract that was signed via them was simply treated as legitimate by both parties, though.
Adding some known pattern to the signature that can be recognized later in the print would be nice if you need to prove that it was not actually signed by you. But if you get to this point it is already a big mess...
More of these in "Signature_example.pdf".
In my opinion, this is a bit childish. But on the other hand, the whole scan-and-sign procedure is also a bit childish if you ask me.
But that's a narrow circumstance.
Assuming the "standard path" in the US the pieces of your ID are your birth record, any court ordered name changes (like if you got married), your social security card, and a previous cert that ties the name to a photo.
I know it's pedantic but god damn it's annoying as hell that a passport doesn't actually prove anything or else you could always do $old_valid_passport + $valid_photo = $new_passport but nope. Sometimes you hit special cases that drop you into having to prove your identity from your ID documents all over again.
Illegals often cross borders without papers, so they don't have any passports to sign anything.
Sorry I'm brief, but I'm super busy today :P
> That means 42 percent of Americans hold a passport, a growth of 15 percent since 2007. In 1990, only four percent of Americans had one.