We\u2019ll look at how digital signatures are verified in general, and then move into how to verify these signatures on specific platforms:<\/p>\n\n\n\n
- \n
- Adobe Acrobat for PDFs,<\/li>\n\n\n\n
- Microsoft Office for files,<\/li>\n\n\n\n
- Email clients (Apple Mail, Outlook, and Gmail),<\/li>\n\n\n\n
- Software applications (on Windows devices).<\/li>\n<\/ul>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n
Verify a Digital Signature the Easy Way: Using Built-In Verification<\/h2>\n\n\n\n
This is the most obvious method, and it\u2019s the best place to start in 99% of cases. If a signature is invalidated, many software applications and systems will tell you as much up front. There will be warning signs attesting to the fact that there\u2019s something wrong.<\/p>\n\n\n\n
For example, here\u2019s what it looks like in Adobe Acrobat when a signature isn\u2019t valid for one reason or another:<\/p>\n\n\n\n
![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/adobe-invalid-signature-example2-1024x584.png\")
Image caption: An example of a PDF file\u2019s invalid signature displaying in Adobe Acrobat.<\/em><\/figcaption><\/figure>\n\n\n\n It\u2019s the digital file equivalent of an illuminated neon sign or a flashing red light. It\u2019s telling you not to proceed because of an inherent danger.<\/p>\n\n\n\n
Let\u2019s take a look at how to verify digital signatures for PDFs, Microsoft Office files, software apps for Windows systems, and several popular email clients.<\/p>\n\n\n\n
How to Verify a Digital Signature in a PDF: Look for the Signature in Adobe Acrobat<\/h3>\n\n\n\n
Digital signatures provide an invaluable service to companies and customers who need to remotely sign important documents in a way that can be authenticated. Rather than asking your employees to scrawl their John Hancock using a computer mouse or digital stylus pen, which can be faked, you can instead use public key cryptography to add a layer of authenticity to every digital transaction.<\/p>\n\n\n\n
So, how can you or a customer verify that a digital signature is valid?<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2023\/09\/digital-signature-example.png\")
Image caption: An example of how a cryptographic digital signature displays in an Adobe PDF.<\/em><\/figcaption><\/figure>\n\n\n\n - \n
- Open the PDF file in Adobe Acrobat<\/strong>. If the file has been signed, you\u2019ll see a stamp that looks like the example above.<\/li>\n\n\n\n
- Right-click on the digital signature to bring up a drop-down menu.<\/strong> Here, you\u2019ll find Validate Signature <\/strong>listed as the top option. This Signature Validation Status allows you to verify whether the signature is valid, if the document has been tampered with, and whether the signer\u2019s ID is valid.<\/li>\n<\/ul>\n\n\n\n
Click Signature Properties to view additional information about the document and signature itself.<\/strong> This includes immutable timestamp data and informs users whether the certifier allows changes to be made to the document.<\/p>\n\n\n\n
How to Verify an Email Digital Signature: Look for a Ribbon or \u201cSigned\u201d Message<\/h3>\n\n\n\n
Apple Mail<\/h4>\n\n\n\n
To verify a digital signature online in Apple\u2019s email client application, you\u2019ll want to click on the Security (checkmark) Signed (email address), as shown below: <\/p>\n\n\n\n
![\"Signature](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/apple-mail-digital-signature2-1024x154.png\")
Image caption: Here\u2019s a look at how a digital signature looks in Apple Mail.<\/em><\/figcaption><\/figure>\n\n\n\n This approach allows you to pull up the certificate trust chain details and the specific user\u2019s S\/MIME certificate information as well. The handy little green checkmark tells you that the certificate is valid (as shown in the screenshot below). It provides contextual info about the certificate provider that issued the certificate, how long it\u2019s valid, and other useful details.<\/p>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/apple-mail-email-signature-example2-1024x717.png\")
Image caption: Here\u2019s a look at the additional information that displays in Apple Mail when you engage with the \u201cSigned\u201d icon.<\/em><\/figcaption><\/figure>\n\n\n<\/span><\/span>\n\n\n Microsoft Outlook<\/h4>\n\n\n\n
It\u2019s easy to verify the digital signature of emails in Outlook:<\/p>\n\n\n\n
- \n
- Look for the digital signature ribbon icon.<\/strong> Compare it to the sender\u2019s email address in the sender field. Double-click on the name to display the email address rather than the display name.<\/li>\n\n\n\n
- Check the email address listed in the \u201csigned by\u201d or \u201cSecurity\u201d info.<\/strong> Compare this to the email address information listed in the email\u2019s sender field to see whether they match.<\/li>\n\n\n\n
- Check the signature and signing certificate details.<\/strong> Verify the information contained within the certificate, along with the digital signature details (e.g., the email address associated with the certificate, which hashing algorithm(s) were used, and any timestamp details).<\/li>\n<\/ul>\n\n\n\n
Here\u2019s a quick look at how some of this information displays when using Microsoft Office 365.<\/p>\n\n\n\n
![\"Am](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/signature-verification-smime-signed-email2-1024x626.png\")
Image caption: A redacted illustration showing the digital signature-related information that displays when you receive a message signed using an S\/MIME certificate in Microsoft 365 Outlook.<\/em><\/figcaption><\/figure>\n\n\n\n Gmail<\/h4>\n\n\n\n
Gmail is another email client that supports the use of PKI digital certificates to authenticate senders to recipients. To verify whether a digital signature is valid in Gmail, simply look for the blue ribbon icon and then click the little dropdown arrow next to it. This will display the sender\u2019s email address, along with the signature\u2019s date and time: <\/p>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/gmail-signed-email-example2-1024x641.png\")
Image caption: A redacted illustration showing how a digitally signed email displays in Gmail when a PKI digital signature is attached.<\/em><\/figcaption><\/figure>\n\n\n\n You can click Sender Info<\/strong> to view<\/p>\n\n\n\n
- \n
- additional information about the certificate issuer,<\/li>\n\n\n\n
- confirm the sender\u2019s email address, and<\/li>\n\n\n\n
- view their digital certificate and the PKI hierarchy it ties back to.<\/li>\n<\/ul>\n\n\n\n\n
Running Into Issues and Seeing an Error?<\/h4>\n\n\n\n
We\u2019ve got the fix for the error \u201cThe signature uses an unsupported algorithm. The digital signature is not valid.\u201d<\/a><\/p>\n<\/div><\/div>\n\n\n\n
How to Verify a Digital Signature for Windows Apps: Look for a Verified Publisher\u2019s Signature<\/h3>\n\n\n\n
So, how can you check a software app\u2019s digital signature? In Windows, you can do this using Windows Command Prompt:<\/p>\n\n\n\n
- \n
- Locate the file you wish to check on your device.<\/li>\n\n\n\n
- Right-click on the file and select Properties<\/strong> from the drop-down menu.<\/li>\n\n\n\n
- In the file\u2019s Properties window, select the Digital Signatures<\/strong> tab at the top.<\/li>\n\n\n\n
- Where it says Signature List, select the entity listed in the Name of Signer<\/strong> column and click Details<\/strong> to view the signer\u2019s information.<\/li>\n<\/ul>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/digital-signature-example-software-app-combo.png\")
Image caption: A combined set of screenshots illustrating where to find the digital signature information in Windows.<\/em><\/figcaption><\/figure>\n\n\n\n How to Verify a Digital Signature in Word: Inspect the Signatures Pane<\/h3>\n\n\n\n
To verify a digital signature in a Microsoft Word document, you\u2019ll want to open the signed doc file and look for the signature pane on the right side of the screen (as shown below).<\/p>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/digital-signature-verification-microsoft-word2-1024x591.png\")
Image caption: An example of a digitally signed Word document from our step-by-step article Word document signing. <\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n If you don\u2019t see this pane, then navigate to File<\/strong> menu and select Info<\/strong> > Signed Document<\/strong>. This will display the signature panel on the right side, as shown above. Here, you can engage with and inspect the signature for additional information about the signer and when the signature was added.<\/p>\n\n\n\n
If you don\u2019t see the Signed Document option on the Info screen, then it likely means:<\/p>\n\n\n\n
- \n
- your file isn\u2019t digitally signed,<\/li>\n\n\n\n
- a non-timestamped signature has expired, or<\/li>\n\n\n\n
- the file has been altered since it was signed.<\/li>\n<\/ul>\n\n\n\n
Taking It a Step Further: Manually Verifying Digital Signatures<\/h2>\n\n\n\n
In most cases, you\u2019ll want to verify the digital signature using the built-in functionality in the software you\u2019re using. But for extra security, there are some manual checks that you can do\u2026<\/p>\n\n\n\n
Verify the Signing Certificate\u2019s Validity Period<\/h3>\n\n\n\n
Every PKI certificate comes with issuance and expiration dates (known as the validity period). These dates indicate how long a certificate is intended to be valid for (barring any unforeseen revocations). Anything signed prior to the issuance date can\u2019t be trusted, nor can anything that was signed after the expiration date (if the signature isn\u2019t timestamped).<\/p>\n\n\n\n
See Whether the Signer\u2019s Name or Company Matches the Certificate Info<\/h3>\n\n\n
\n![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/bit-defender-signature-info2.png\")
Image caption: A screenshot of my BitDefender customer support<\/a> chat window.<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n If someone manages to get their hands on a valid certificate and its signing key, then they can use it to their advantage. So, something to always check is whether the certificate subject\u2019s name matches the organization that publishes the software.<\/p>\n\n\n\n
Let\u2019s imagine that you\u2019re attempting to install a popular software app (say, BitDefender). According to BitDefender\u2019s Support page<\/a> Helper AI bot, the company\u2019s software should be signed by \u201cBitDefender SRL.\u201d (This is also supported by the company\u2019s Data Processing Agreement<\/a>, which lists it as \u201cBitDefender SRL\u201d as well.)<\/p>\n\n\n\n
When you download it from a third-party site and check the software\u2019s digital signatures, if it says that the file was signed by someone else (in this case, an entity other than BitDefender SRL), then it\u2019s a big red flag telling you not to install the software!<\/p>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/bitdefender-example-signature-verificationv3.png\")
Image caption: A set of screenshots showing the digital signature-related information regarding BitDefender\u2019s executable file.<\/em><\/figcaption><\/figure>\n\n\n\n Check the Certificate Policy\u2019s Object ID<\/h3>\n\n\n\n
This method is geared more for our technical readers: check the certificate\u2019s object identifier (OID) code. This string of more than a dozen numbers separated by periods represents specific objects and policies within PKI. This identifies what type of certificate created the signature, which helps to determine its validity.<\/p>\n\n\n\n
For example, DigiCert publishes a list of OIDs<\/a> on GitHub that can be used to verify the certificate usage or extended key usages of digital certificates. There are also third-party public databases, such as the OID Repository<\/a>.<\/p>\n\n\n\n
For example, the OID for a certificate we use as one of our examples in this article is 2.16.840.1.114412.3.21. This specific OID number represents an Adobe Signing Certificate<\/a> from DigiCert.<\/p>\n\n\n\n
- \n
- 2<\/strong> = Joint-ISO-CCITT (reference to a standards body)<\/li>\n\n\n\n
- 16<\/strong> = country<\/li>\n\n\n\n
- 840<\/strong> = USA<\/li>\n\n\n\n
- 1<\/strong> = U.S. company<\/li>\n\n\n\n
- 114412<\/strong> = DigiCert<\/li>\n<\/ul>\n\n\n\n
Okay, so what does the use of OIDs look like from a practical perspective? No one wants to sit here, shuffling through certificate OID numbers to figure out whether a document or piece of software can be trusted, or that the certificate used to sign it was valid at the time.<\/p>\n\n\n\n
Bonus: Compare the Cryptographic Hash Values to Ensure Software Integrity<\/h3>\n\n\n\n
While this isn\u2019t directly a \u201cdigital signature validation\u201d method, another great way to know whether a software application has been tampered with is to inspect the hash value\/digest of the app or code in question.<\/p>\n\n\n\n
The hash digest is what\u2019s created when you apply a cryptographic hash function to your data input. You sign this hash value to generate the digital signature for your software applications, software bills of materials (SBOMs), and other types of code.<\/p>\n\n\n\n
NOTE:<\/em><\/strong> You can\u2019t create a digital signature without a hash. However, it\u2019s important to also note that while all digital signatures are built upon a hash value, not all hash values are tied to digital signatures.<\/em><\/p>\n\n\n\n
To verify the software app\u2019s integrity, a user can use your public key to decrypt the signature and then proceed with calculating the hash value.<\/p>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/digital-signature-check-original-input-hash-value2.png\")
Image caption: An example of the hash digest for VirtualBox\u2019s executable.<\/em><\/figcaption><\/figure>\n\n\n\n They compare this to the original hash value you should provide to your software users.<\/p>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/digital-signature-compare-provided-input-hash-value2.png\")
Image caption: An example of the official hash digest list shared by VirtualBox.org for its Windows executable file (and others), which happens to be digitally signed.<\/em><\/figcaption><\/figure>\n\n\n\n - \n
- If the calculated and publisher-provided values match, you\u2019re good to go and can proceed with whatever task you set out to complete.<\/li>\n\n\n\n
- If they don\u2019t match, then it\u2019s a major red flag that warns users not to proceed further. This gives users a way to check whether the signing key matches the organization or publisher.<\/li>\n<\/ul>\n\n\n\n
What Invalidates a Digital Signature So That It\u2019s No Longer Trusted?<\/h2>\n\n\n\n
There are a few reasons why a digital signature might display as invalid:<\/p>\n\n\n\n
- \n
- The signer\u2019s digital identity is invalid.<\/strong> This could be because the signer signed with a signature that was issued by a private CA, which isn\u2019t publicly trusted.<\/li>\n<\/ul>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/signature-verification-invalid2.png\")
Image caption: An example of an invalid digital signature for a PDF in Adobe Acrobat.<\/em><\/figcaption><\/figure>\n\n\n\n - \n
- The document, file, email, or software app\u2019s data has been modified since it was digitally signed.<\/strong> We get it \u2014 not all changes to software are intentional or necessarily malicious. But if a tiny change is made to a digitally signed document or file (e.g., adding or removing a single period [\u201c.\u201d] from the input data), intentionally or otherwise, it will result in an entirely different hash value. This will invalidate the file\u2019s digital signature. \u00a0<\/li>\n<\/ul>\n\n\n\n
The signer used the wrong type of digital certificate.<\/strong> Yup, accidents happen. If you use, say, select an email signing certificate when trying to sign a PDF file, then it\u2019ll result in an error.<\/p>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/pdf-digital-signature-verification2.png\")
Image caption: An example of a valid digital signature (left) and an invalid digital signature (right)<\/em>.<\/figcaption><\/figure>\n\n\n\n - \n
- The certificate was revoked after the signature was created.<\/strong> Digital certificates are revoked due to private key compromise concerns or something else that results in the certificate (and its signing key) being invalidated.<\/li>\n<\/ul>\n\n\n\n
Digging Deeper Into Online Signature Verification Methods<\/h2>\n\n\n\n
If you\u2019re looking for additional information on what digital signatures are, how they work, and other useful information (such as how-to articles and quick fixes), be sure to check out our related resources.<\/p>\n\n\n\n
\nRelated Resources<\/h3>\n\n\n\n
- \n
- What Is a Digital Signature & How Does It Help Your Organization?<\/a><\/li>\n\n\n\n
- Digital Signature vs Digital Certificate: A Quick Guide<\/a><\/li>\n\n\n\n
- How to Digitally Sign a PDF in Adobe Acrobat (A Step-By-Step Guide)<\/a><\/li>\n\n\n\n
- How to Sign a Word Document Using a Digital Signature Certificate<\/a><\/li>\n\n\n\n
- \u2018At Least One Signature Is Invalid\u2019: How to Fix an Invalid Signature in a PDF (Adobe)<\/a><\/li>\n\n\n\n
- How to Fix \u2018The Signature Uses an Unsupported Algorithm. The Digital Signature Is Not Valid\u2019<\/a><\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
Real World Implications for Checking Digital Signature Validity<\/h2>\n\n\n\n
There are some severe implications for compromised digital signatures. We\u2019re talking everything from data breaches and financial costs to loss of trust and reputational damages.<\/p>\n\n\n\n
As an example, let\u2019s consider Codecov\u2019s situation back in 2021<\/a>. One or more cybercriminals exploited a weakness in the organization\u2019s Docker Image creation process that gave them the credentials necessary to modify Codecov\u2019s Bash Uploader script. They used it to deliver<\/a> \u201ca malicious payload to all Codecov users utilizing the Bash uploader, The Codecov GitHub Action, The Codecov CircleCI Orb, and the Codecov Bitrise Step[.]\u201d<\/p>\n\n\n\n
This means that an unknown number of users downloaded and installed compromised software for several months, blissfully unaware that their systems were at risk.<\/p>\n\n\n\n
The altered script went unnoticed for quite some time until one astute customer manually checked its hash value. He or she noticed a discrepancy when comparing the file\u2019s shasum value that was in the downloaded Bash Uploader to the hash value listed on GitHub.<\/p>\n\n\n\n
Whoops.<\/p>\n\n\n\n
Thankfully for CodeCov, the individual who discovered the incongruency quickly alerted Codecov, which investigated the incident. But imagine how much worse the situation could have been had the company not published its SHASUM value\u2026 <\/p>\n\n\n\n
This is why we always encourage our software publisher customers and readers to publish their hash digests. \u00a0Digital signatures add another much-needed layer of security to your organization and its digital assets and communications. This addition of authenticity and data integrity is crucial to the health and security of organizations and consumers globally.<\/p>\n","protected":false},"excerpt":{"rendered":"
Digital signatures add another layer of security to your online transactions and communications. But how can you know they\u2019re real? We\u2019ll walk you through how to verify a digital signature…<\/p>\n","protected":false},"author":17,"featured_media":18682,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,16,10200],"tags":[13145,13144],"class_list":["post-18678","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-hashing-out-cyber-security","category-monthly-digest","tag-digital-signature","tag-pki-signature","post-with-tags"],"views":5604,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/10\/digital-signature-verification-v2.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=18678"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18678\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/18682"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=18678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=18678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=18678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Digital Signature vs Digital Certificate: A Quick Guide<\/a><\/li>\n\n\n\n
- What Is a Digital Signature & How Does It Help Your Organization?<\/a><\/li>\n\n\n\n
- The certificate was revoked after the signature was created.<\/strong> Digital certificates are revoked due to private key compromise concerns or something else that results in the certificate (and its signing key) being invalidated.<\/li>\n<\/ul>\n\n\n\n
- The document, file, email, or software app\u2019s data has been modified since it was digitally signed.<\/strong> We get it \u2014 not all changes to software are intentional or necessarily malicious. But if a tiny change is made to a digitally signed document or file (e.g., adding or removing a single period [\u201c.\u201d] from the input data), intentionally or otherwise, it will result in an entirely different hash value. This will invalidate the file\u2019s digital signature. \u00a0<\/li>\n<\/ul>\n\n\n\n
- The signer\u2019s digital identity is invalid.<\/strong> This could be because the signer signed with a signature that was issued by a private CA, which isn\u2019t publicly trusted.<\/li>\n<\/ul>\n\n\n\n
- 16<\/strong> = country<\/li>\n\n\n\n
- 2<\/strong> = Joint-ISO-CCITT (reference to a standards body)<\/li>\n\n\n\n
- In the file\u2019s Properties window, select the Digital Signatures<\/strong> tab at the top.<\/li>\n\n\n\n
- Check the email address listed in the \u201csigned by\u201d or \u201cSecurity\u201d info.<\/strong> Compare this to the email address information listed in the email\u2019s sender field to see whether they match.<\/li>\n\n\n\n
- Right-click on the digital signature to bring up a drop-down menu.<\/strong> Here, you\u2019ll find Validate Signature <\/strong>listed as the top option. This Signature Validation Status allows you to verify whether the signature is valid, if the document has been tampered with, and whether the signer\u2019s ID is valid.<\/li>\n<\/ul>\n\n\n\n
- Open the PDF file in Adobe Acrobat<\/strong>. If the file has been signed, you\u2019ll see a stamp that looks like the example above.<\/li>\n\n\n\n