Troubleshooting | March 13, 2026

PDF Signature Not Valid: Understanding and Fixing Digital Signature Errors

A PDF displaying 'signature not valid' or 'at least one signature has problems' is alarming — it suggests the document may have been tampered with since it was signed. In many cases, however, the error is a false alarm caused by a configuration issue in the viewer rather than actual document tampering. In other cases, it is a genuine integrity warning that warrants investigation. PDF digital signatures work by creating a cryptographic hash of the document at the time of signing. Any modification to the document after signing invalidates that hash, causing the viewer to report an invalid signature. But signature validation also depends on the signing certificate being trusted by the viewer's certificate store — an expired, self-signed, or enterprise-internal certificate may fail validation even if the document is completely unmodified. This guide explains the common causes of signature validation failures and what each one means.

Common Reasons a PDF Signature Shows as Invalid

The four most common causes of signature validation failure are: (1) the document was modified after signing — even changing metadata or adding an annotation invalidates the original signature; (2) the signing certificate is not trusted by your machine — enterprise certificates, self-signed certificates, and certificates from non-standard certificate authorities all cause this; (3) the certificate has expired — signatures made with a certificate that has since expired show as invalid in some viewers even though the signature was valid when applied; (4) the PDF viewer's trust settings are misconfigured — some viewers require explicit trust configuration for certificates outside the default trust chain. To diagnose which cause applies, click on the signature indicator in Adobe Reader. The signature panel shows detailed status including whether the certificate is trusted, whether the certificate is expired, and whether the document has been modified since signing.

  1. Open the PDF in Adobe Reader and click the signature banner at the top
  2. The Signature Validation Status dialog shows the specific reason for failure
  3. Check 'Signature is not valid' details: is it certificate trust, expiration, or document modification?
  4. Read the Certificate Viewer to see the certificate's issuer, validity period, and trust status

Fixing Untrusted Certificate Errors

An untrusted certificate error means Adobe Reader does not recognize the Certificate Authority (CA) that issued the signing certificate as a trusted root. This happens with: enterprise internal PKI certificates (signed by a company's own CA, not a publicly trusted CA), certificates from non-standard CAs, and self-signed certificates. The document content may be completely unmodified — the signature simply uses a certificate that your viewer does not automatically trust. The fix is to import the signing certificate or its issuing CA certificate into your trusted certificate store. In Adobe Reader, go to Edit → Preferences → Signatures → Verification → More. Click on Trusted Certificates and import the certificate file (.cer or .p7b) provided by the signer or their IT department. Once the root CA is trusted, the signature will validate correctly. For enterprise environments, IT typically deploys trusted certificates to all machines through Group Policy.

  1. Ask the signer to provide their signing certificate or root CA certificate file
  2. In Adobe Reader, go to Edit → Preferences → Signatures → Verification → More
  3. Click Trusted Certificates → Import and browse to the certificate file
  4. After import, re-open the signed PDF — the signature should now validate successfully

What to Do If the Document Was Modified After Signing

If the signature panel reports that 'the document has been modified or corrupted since the signature was applied', the signature has been genuinely invalidated by post-signing changes. This is the scenario the digital signature system is designed to detect. The original signature is no longer valid for this version of the document. This does not necessarily mean malicious tampering. Adding metadata, appending a page, or even saving the document through a different PDF application can invalidate a signature. Some PDF operations — like compression, adding watermarks, or changing security settings — modify the document structure and thus invalidate existing signatures. If you applied LazyPDF's compress or protect tool to a signed PDF, the signature will be invalid on the resulting file because the document was altered during processing. The solution is to apply any processing before the document is signed, not after.

  1. Confirm the document modification by checking the signature validation details in Adobe Reader
  2. Ask the signer to re-sign the current version of the document if the modification was legitimate
  3. If the modification was unintended (compression, watermark added), obtain the pre-modification signed version
  4. For future workflows: complete all document processing before sending for signature

Protecting Signed PDFs to Prevent Accidental Invalidation

Once a PDF is signed, any subsequent modification invalidates the signature. This creates a tension with document workflows where you might want to compress a signed contract for archiving or add a watermark to a signed certificate. The solution is to treat signed PDFs as immutable — process them before signing, not after. If you need to protect a signed PDF with a password (to restrict opening), this can be done without invalidating the existing signature by using append-mode encryption — an advanced operation supported by Acrobat Pro and some command-line tools. Standard LazyPDF protection applies a new encryption layer that modifies the document structure, which does invalidate existing signatures. For workflows where signed documents need both password protection and signature integrity, apply the password protection first (before signing), then send for signature.

Frequently Asked Questions

Does compressing or adding a watermark to a signed PDF invalidate the signature?

Yes. Any modification to a PDF after it has been digitally signed invalidates the signature. Compression (Ghostscript rewrites the entire PDF), adding watermarks, rotating pages, or changing security settings all modify the document structure. The digital signature cryptographically binds to the document content at the moment of signing — any subsequent change breaks that binding. Process your PDF fully (compress, watermark, protect) before sending it for digital signature.

Is a PDF with an invalid signature legally unenforceable?

Not necessarily. An invalid digital signature in PDF terms means the signature's cryptographic integrity cannot be verified — it does not automatically mean the signature is legally void. The legal enforceability of a signature depends on the jurisdiction, the signing method, and the circumstances. In many cases, an invalid digital signature on a contract can still be legally binding if the signer's intent and identity can be established through other means. Consult a lawyer for specific legal advice about your document.

Can I add a password to a PDF without invalidating its digital signature?

Standard password protection applied by most tools (including LazyPDF's protect feature) modifies the PDF structure and will invalidate existing digital signatures. To add encryption without invalidating a signature, you need a tool that supports PDF 'incremental updates' — appending the encryption in a way that does not modify the signed content. Adobe Acrobat Pro supports this mode. For most users, the practical recommendation is to apply password protection before the document is sent for signing.
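Both the "modified after signing" check and the incremental-update behaviour described above depend on which bytes of the file a signature covers. The Python below is an added example, not code from LazyPDF or Adobe: it reads each signature's /ByteRange entry (the PDF field that lists the signed byte spans), counts bytes appended after the signed revision, and hashes the signed spans. The sample bytes are constructed, SHA-256 is an assumption for illustration, and the code does not verify the signature value or the certificate.

```python
import hashlib
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans the signature digest covers.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes) -> list:
    """Report, for each /ByteRange found, which bytes of the file are signed."""
    reports = []
    for m in BYTE_RANGE_RE.finditer(pdf):
        off1, len1, off2, len2 = map(int, m.groups())
        signed_end = off2 + len2
        # Sane layout: starts at byte 0, spans do not overlap, and stay inside the file.
        well_formed = off1 == 0 and len1 <= off2 and signed_end <= len(pdf)
        signed = pdf[off1:off1 + len1] + pdf[off2:signed_end]
        reports.append({
            "byte_range": (off1, len1, off2, len2),
            "well_formed": well_formed,
            # Bytes after the signed span were written after this signature was applied.
            "trailing_bytes": len(pdf) - signed_end,
            # SHA-256 is used for illustration; the real algorithm is named in the signature.
            "signed_sha256": hashlib.sha256(signed).hexdigest(),
        })
    return reports


def build_sample() -> bytes:
    """Constructed PDF-like bytes (not a complete PDF) holding one signature dictionary."""
    contents = b"<" + b"00" * 32 + b">"  # stand-in for the hex-encoded signature blob
    tail = b" >>\nendobj\n%%EOF\n"
    template = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    len1 = len(template % (0, 0, 0))
    off2 = len1 + len(contents)
    return template % (len1, off2, len(tail)) + contents + tail


if __name__ == "__main__":
    original = build_sample()
    # Constructed incremental update: bytes appended after the signed revision.
    appended = original + b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"
    # Constructed rewrite: a byte inside the signed span changes.
    rewritten = original.replace(b"%PDF-1.7", b"%PDF-1.4")
    for name, data in (("original", original), ("appended", appended), ("rewritten", rewritten)):
        for r in signature_coverage(data):
            print(name, r["well_formed"], r["trailing_bytes"], r["signed_sha256"][:16])
```

A non-zero trailing_bytes value means a later revision was appended without touching the signed bytes, while a changed digest means the signed bytes themselves were rewritten.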
