Trusted Signatures CLI
A command-line tool for digitally signing PDFs using a certificate trusted by Adobe Acrobat (AATL-compliant) and eIDAS, without uploading your documents or managing cryptography.
✨ What It Does
- Prepares a placeholder for a digital signature in your PDF
- Calculates a SHA-256 hash of the document (excluding signature space)
- Authenticates via API key and securely requests a signature from the Trusted Signatures API
- Embeds the returned PKCS#7 signature (CMS) into your PDF
- Produces a legally valid, verifiable, tamper-evident signature
No document contents ever leave your machine — only the cryptographic hash is sent to the signing API.
🔧 Installation
Binary releases available for amd64 and arm64 architecures on macOS, Linux, and Windows.
| |
✅ Usage
| |
Use --help for full CLI options.
Optional flags:
--apikeyid,-d: Your API key ID from Trusted Signatures; may be set by environment variable--apikey,-k: Your API key from Trusted Signatures; may be set by environment variable--input,-i: File path to save the signed PDF; defaults to stdin--output,-o: File path to save the signed PDF; defaults to stdout--tsa,-t: Embed a TSA Timestamp (takes longer to process); not included by default--ltv,-l: Embed Long Term Validation (LTV) data (sets--tsa)--endpoint,-e: Your API endpoint; defaults to https://api.trusted-signatures.com--licenses: Print the licenses of the dependencies used by this application--version: Print the version of this application
Environment variables:
TS_API_KEY: Your API key from Trusted SignaturesTS_API_KEY_ID: Your API key ID from Trusted Signatures
API Key:
The API Key is how we authenticate that a signing request came from you. It is imperative that you store the key securely; if you even suspect that someone unauthorized might have accessed your API key, disable it immediately and generate a new one. API keys are available at trusted-signatures.com free of charge.
Networking:
The CLI sends an SHA-256 digest of the PDF along with an authentication token to our servers, which generate the CMS. The CLI must have outbound internet access to our API (https://api.trusted-signatures.com) on port 443.
Clock:
To keep your API Key secure, your computer’s clock must be set accurately. Most operating systems do this automatically, but if the clock is off by more than a minute, the CLI signing request will be rejected.
🔒 Security & Trust
- You never upload your document — only a SHA-256 hash is sent
- Signatures are backed by an AATL-compliant certificate (coming soon; currently self-signed for testing)
- Signatures are cryptographically verifiable and tamper-evident
Identity fields
The signed PDF will show:
/Name:Trusted Signatures(or the name of your business, if you use a custom certificate)/Reason:This document was digitally sealed by Trusted Signatures. We do not verify or endorse the document content; the seal was applied at the request of a Trusted Signatures customer./Location:trusted-signatures.com
Users may not override the signer identity — this protects the legal trust model of AATL certificates.
✍️ Intent to Sign
By using this CLI to apply a digital signature, you confirm:
- You have reviewed the contents of the document
- You are authorized to request a signature using your API key
- You intend for the signature to have legal effect
Trusted Signatures produces legally valid digital signatures compliant with international standards (CMS/PKCS#7, eIDAS, HIPAA, ESIGN, UETA). These signatures may or may not be legally binding in your jurisdication.
🛡️ Disclaimer in Signature
The following disclaimer will be embedded in the signature metadata:
This document was digitally sealed by Trusted Signatures. We do not verify or endorse the document content; the seal was applied at the request of a Trusted Signatures customer.
This helps maintain legal clarity and complies with certificate authority policies.
📄 Learn More
🚀 Coming Soon
- Custom OV certificates for your business
- Audit trail dashboard
Build trust into your PDFs — without building crypto infrastructure.