How our digital signature works

When Michele Solutions PSS Lab issues a compliance test report, we cryptographically bind the document to our identity so that anyone, anywhere, can later confirm two things:

The pipeline, step by step

  1. Hashing. We compute the SHA-256 hash of the entire PDF. Any modification — a comma, a pixel — produces a different hash.
  2. Signing. We sign that hash with our private key, using RSA-2048 with SHA-256 (PKCS#1 v1.5). The corresponding public key is embedded in our X.509 certificate and freely available for verification.
  3. Timestamping. The signature is sent to a trusted third-party Time-Stamping Authority (RFC 3161). The TSA returns a countersignature that proves the signature existed at a specific moment in time. We cannot back-date documents.
  4. Embedding. The signature, the certificate, and the timestamp are written inside the PDF byte stream following the PAdES baseline-B standard. There is no sidecar file. The signed PDF is the only artifact you need.

How verification works

  1. You (or anyone) upload the PDF on our /pss/verify page.
  2. Our server reads the embedded signature and checks three things:
    1. the PDF byte range covered by the signature is still intact (integrity);
    2. the signature was made by our certificate (authenticity);
    3. the timestamp is valid and the certificate was active when signing (validity).
  3. The page reports ✅ Authentic / ❌ Altered / ⚠️ Not from us.
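
The integrity check in step 2.1, as an added example (not Michele Solutions PSS Lab's own code): it reads the /ByteRange entry, hashes the covered bytes, and confirms that the only unsigned bytes are the slot holding the signature itself. The sample PDF is constructed with a dummy all-zero signature, the function names are hypothetical, one signature per file is assumed, and the RSA signature and certificate are not checked here.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes) -> tuple:
    """Return (off1, len1, off2, len2) from the first /ByteRange entry."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry: the PDF has no embedded signature")
    return tuple(int(g) for g in m.groups())

def covered_digest(pdf: bytes) -> str:
    """SHA-256 over the two signed ranges (everything except the signature slot)."""
    off1, len1, off2, len2 = signed_ranges(pdf)
    return hashlib.sha256(pdf[off1:off1 + len1] + pdf[off2:off2 + len2]).hexdigest()

def coverage_problems(pdf: bytes) -> list:
    """Reasons the signed ranges fail to cover the whole file; empty list if none."""
    off1, len1, off2, len2 = signed_ranges(pdf)
    problems = []
    if off1 != 0:
        problems.append("signed range does not start at byte 0")
    if off2 < off1 + len1:
        problems.append("signed ranges overlap")
    if off2 + len2 != len(pdf):
        problems.append("file length differs from the end of the signed range")
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", pdf[off1 + len1:off2]):
        problems.append("unsigned gap holds more than the /Contents hex string")
    return problems

def build_sample(result: bytes = b"Result: PASS") -> bytes:
    """Constructed stand-in for a signed report; the signature bytes are dummy zeros."""
    slot = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n" + result + b"\n%%EOF\n"
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %06d %06d %06d] /Contents "
    n = len(tmpl % (0, 0, 0))
    return tmpl % (n, n + len(slot), len(tail)) + slot + tail

if __name__ == "__main__":
    pdf = build_sample()
    appended = pdf + b"2 0 obj\n(Result: FAIL)\nendobj\n%%EOF\n"
    print(coverage_problems(pdf))                           # intact file
    print(covered_digest(appended) == covered_digest(pdf))  # digest alone misses it
    print(coverage_problems(appended))                      # coverage check catches it
```

Bytes appended after the signed range leave the covered digest unchanged, so a verifier has to check coverage as well as the hash.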

Verifying without us (offline)

Because the signature is in the PDF, you do not need to trust this server. Any PAdES-aware viewer (Adobe Acrobat, Foxit, the pyHanko CLI) reads the signature and tells you the same answer. To remove "self-signed" warnings, add our X.509 certificate as a trusted root in your reader once, after confirming its fingerprint (see Trust anchor below).

Trust anchor

Our certificate is self-signed (we are not under a commercial CA). To make sure the certificate you see really is ours, compare its fingerprint against the one we publish on independent channels (our website footer, LinkedIn, business card, contracts):

  Algorithm: RSA-2048 with SHA-256 (PKCS#1 v1.5)
  Fingerprint (SHA-256/16): 10a62472a9f15d9a
  Signer: Michele Solutions PSS Lab
  Certificate: Download (PEM)
  Public key: Download (PEM)

What this is — and what it isn't

This system is designed to give recipients of our reports a fast, reliable way to confirm that the document is genuine and unaltered, with the same look-and-feel as enterprise digital signatures. It is not a qualified electronic signature under eIDAS / EU regulations: we do not provide legal non-repudiation guarantees, only cryptographic ones.
