DEV Community

Gaurav Kalal

I Built a Free Tool to Verify Aadhaar eSign PDFs — Here's Why It Matters

A few weeks ago I got a signed contract PDF from someone.

It had a little stamp in the corner: "Digitally Signed by Rahul Sharma, Date: 2026-06-01."

I had absolutely no idea if that signature was real.

Not because I'm not technical — I am. But because there was genuinely no easy way to check. Adobe Reader gave me a partial result. Online tools asked me to upload my document to some random server. Government portals were confusing. And most people I spoke to didn't even know the difference between a scanned signature and a legally valid digital signature.

So I built SigVerify — a tool that actually tells you whether an Aadhaar eSign or DSC-signed PDF is cryptographically valid.

Try it free → sigverify.pages.dev


The Problem Nobody Talks About

India has massively adopted digital signatures in the last few years. Aadhaar eSign, C-DAC, eMudhra, NSDL — millions of documents are signed every day.

But here's the thing nobody tells you:

A scanned signature image pasted into a PDF is not a digital signature.

Drawing your name on a touchscreen is not a digital signature.

Clicking "I agree" via OTP is not a cryptographic digital signature.

A real digital signature — the kind that's legally valid under IT Act Section 3 and 3A — is a cryptographic object. It's a PKCS#7/PAdES blob embedded in the PDF binary. It contains an X.509 certificate chain. It cryptographically proves three things:

  1. Who signed — their identity is bound to a government-issued certificate
  2. When they signed — a trusted timestamp is embedded
  3. That nothing changed — the document hash is locked at signing time

If any one of these is tampered with, the signature fails. The math doesn't lie.

The problem is — almost nobody verifies this. They just look at the signature stamp and assume it's real.


What SigVerify Actually Does

You upload a PDF. Within a couple of seconds you get:

  • Signer Name — from the actual X.509 certificate, not the PDF stamp
  • Certifying Authority — C-DAC, eMudhra, NSDL, SafeScrypt, etc.
  • Signing Timestamp — both from CMS attributes and the PDF /M field
  • Document Modified? — cryptographic tamper check using ByteRange
  • Certificate Chain — full chain from signer → Intermediate CA → Root CA (CCA India 2022)
  • SHA-256 Fingerprint — of each certificate in the chain
  • CRL & OCSP URLs — for revocation checking
  • Valid at Signing Time? — especially important for Aadhaar's 30-minute session certs

The backend runs Python's cryptography library + OpenSSL. No Adobe API. No third-party black box.


The Aadhaar eSign Rabbit Hole

Aadhaar eSign was the trickiest part to handle.

When you sign a document using Aadhaar OTP, you're not getting a permanent certificate. C-DAC (the technical partner) issues you a session certificate that expires in about 30 minutes. The certificate is real, it's cryptographically signed, it chains up to CCA India 2022 — but by the time anyone tries to verify the document, the cert has already "expired."

This confuses most tools into flagging the document as invalid.

SigVerify handles this correctly — it checks whether the certificate was valid at the time of signing, not whether it's currently valid. An Aadhaar eSign document signed 6 months ago is still perfectly valid if the ByteRange tamper check passes and the signing timestamp falls within the certificate's original 30-minute window.
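The signing-time check described above, sketched as an added example (this is not SigVerify's code). The function names, the 5-minute skew tolerance, the UTC default for zone-less dates and the sample window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string as found in a signature dictionary's /M entry:
# D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'
PDF_DATE = re.compile(
    r"D:(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(?:([+\-Z])(?:(\d\d)'?(\d\d)?'?)?)?")

def parse_pdf_date(value):
    """Convert a fully specified PDF date string to an aware datetime."""
    m = PDF_DATE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"unsupported PDF date: {value!r}")
    fields = [int(g) for g in m.groups()[:6]]
    sign, hours, minutes = m.group(7), m.group(8), m.group(9)
    offset = timedelta(hours=int(hours or 0), minutes=int(minutes or 0))
    if sign == "-":
        offset = -offset
    # Assumption: a date with no zone suffix is treated as UTC.
    return datetime(*fields, tzinfo=timezone(offset))

def check_signing_time(not_before, not_after, pdf_m, cms_time=None, now=None,
                       max_skew=timedelta(minutes=5)):
    """Judge the certificate against the signing time, not the current time."""
    now = now or datetime.now(timezone.utc)
    m_time = parse_pdf_date(pdf_m)
    signing = cms_time or m_time  # prefer the CMS signingTime when present
    notes = []
    if cms_time is not None and abs(cms_time - m_time) > max_skew:
        notes.append("CMS signingTime and PDF /M disagree")
    if now > not_after:
        notes.append("certificate expired after signing (normal for session certs)")
    return {
        "signing_time": signing,
        "valid_at_signing": not_before <= signing <= not_after,
        "valid_now": not_before <= now <= not_after,
        "notes": notes,
    }

# Constructed sample: a 30-minute session certificate window, in UTC.
NOT_BEFORE = datetime(2026, 6, 1, 5, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(minutes=30)

if __name__ == "__main__":
    later = datetime(2026, 12, 1, tzinfo=timezone.utc)  # six months on
    print(check_signing_time(NOT_BEFORE, NOT_AFTER,
                             "D:20260601103500+05'30'", now=later))
```

Both time inputs are values recorded by the signing application; when a signature also carries an RFC 3161 timestamp token, a verifier should prefer that time.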


The Tech Stack (briefly)

  • Backend: Node.js + Express on Render, calling a Python script (cryptography + pypdf + OpenSSL subprocess)
  • Frontend: Plain HTML/CSS/JS on Cloudflare Pages
  • Auth: Firebase Google Sign-In
  • Payments: Razorpay (₹30/verification, pay-as-you-go)
  • Database: Firestore for credit tracking

The Python engine is the core — it extracts the PKCS#7 DER blob from the PDF's /Contents field, walks the certificate chain, extracts CRL/OCSP URLs, checks timestamps, and returns a structured JSON report.
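The ByteRange and /Contents steps described above, as an added example using only the standard library (this is not SigVerify's code). `build_sample`, `SAMPLE_DER` and the returned field names are constructed for illustration, and the sample is a stand-in rather than a real PDF or CMS blob.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_length(buf):
    """Total size (header + body) of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("/Contents does not start with a DER SEQUENCE")
    n = buf[1] & 0x7F
    if buf[1] < 0x80:
        size = 2 + n                       # short form: length in one byte
    elif n:
        size = 2 + n + int.from_bytes(buf[2:2 + n], "big")  # long form
    else:
        raise ValueError("indefinite-length BER is not handled here")
    if size > len(buf):
        raise ValueError("DER length runs past the /Contents slot")
    return size

def inspect_signature(pdf):
    """Find the first signature; return its DER blob and the signed-bytes digest."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange: no embedded signature (e.g. a pasted image)")
    o1, l1, o2, l2 = (int(g) for g in m.groups())
    gap = pdf[o1 + l1:o2]  # the only bytes the signature does not cover
    if o1 != 0 or o2 + l2 > len(pdf) or gap[:1] != b"<" or gap[-1:] != b">":
        raise ValueError("/ByteRange does not bracket one /Contents hex string")
    padded = bytes.fromhex(gap[1:-1].decode("ascii"))  # slot is zero-padded
    return {
        "der": padded[:der_length(padded)],
        "sha256": hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).hexdigest(),
        "covers_whole_file": o2 + l2 == len(pdf),
    }

def build_sample(der, slot_hex_chars=64):
    """Constructed stand-in for a signed PDF, with correct ByteRange offsets."""
    head = b"%%PDF-1.7\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    slot = b"<" + der.hex().encode().ljust(slot_hex_chars, b"0") + b">"
    tail = b" >>\n%%EOF\n"
    l1 = len(head % (0, 0, 0, 0))
    return head % (0, l1, l1 + len(slot), len(tail)) + slot + tail

SAMPLE_DER = bytes.fromhex("3003020101")  # constructed: SEQUENCE { INTEGER 1 }

if __name__ == "__main__":
    print(inspect_signature(build_sample(SAMPLE_DER)))
```

The digest only means something once it is compared with the messageDigest attribute inside the CMS blob and that blob's signature is verified against the signer's certificate. A false `covers_whole_file` means bytes were appended after signing and are not protected by this signature.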


Supported Signature Types

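| CA         | Type              | Notes                        |
|------------|-------------------|------------------------------|
| C-DAC      | Aadhaar eSign     | OTP + biometric, 30-min cert |
| eMudhra    | DSC + Aadhaar ASP | Class 3, hardware token      |
| NSDL       | DSC               | PAN-linked                   |
| SafeScrypt | DSC               | Class 3                      |
| Capricorn  | DSC               | DGFT, export docs            |
| NIC CA     | Govt. DSC         | Govt employees only          |
| Adobe Sign | PAdES             | Works                        |
| DocuSign   | PAdES             | Works                        |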

Who It's For

Legal professionals who receive signed contracts and need to verify them before relying on them in court.

CA firms and auditors who get Aadhaar eSign filings and need to confirm authenticity.

HR teams receiving digitally signed offer letter acceptances.

Developers who want to validate eSign in their own apps and need a reference to test against.

Citizens who signed something with Aadhaar eSign and want to make sure it worked correctly.


Pricing & Free Tier

First verification is free — just sign in with Google and you get 1 credit automatically.

After that it's ₹30 per verification. No subscription. Credits never expire. Buy 5 at once if you need them. This isn't enterprise pricing — it's designed for individuals and small teams.


What's Next

  • OCSP live revocation check
  • Batch verification (multiple PDFs)
  • API access for developers
  • Support for international certificates (GlobalSign, DigiCert)

Try It

🔗 sigverify.pages.dev

If you work with signed PDFs in India — contracts, bank documents, government filings, Aadhaar eSign — this tool is for you.

If you find a bug or want to suggest a feature, drop me a message.

— Gaurav Kalal (@gorupa)


Built with Python, Node.js, and a lot of ASN.1 frustration.
