--- title: "Validate digital signature in PDF using JavaScript | Nutrient" canonical_url: "https://www.nutrient.io/guides/web/signatures/digital-signatures/signature-lifecycle/validation/" md_url: "https://www.nutrient.io/guides/web/signatures/digital-signatures/signature-lifecycle/validation.md" last_updated: "2026-05-21T20:35:01.097Z" description: "The following guide outlines how to validate digital signatures when deploying Nutrient Web SDK as a standalone client-side JavaScript library." --- # Validating a digital signature using JavaScript The following guide outlines how to validate digital signatures when deploying Nutrient Web SDK as a standalone client-side JavaScript library. To validate digital signatures in server-backed operational mode, see our guide for [validating digital signatures using Document Engine](https://www.nutrient.io/guides/document-engine/signatures/signature-lifecycle/validation.md). The digital signature validation process consists of two steps. - In the first step, it checks if the signature certificate embedded during signing can be trusted. To do this, the trusted certificate chain up to the root authority that issued it is necessary. Nutrient Web SDK with and without Document Engine both allow you to specify the certificates to use for validation. - In the second step, it verifies the signature. This process essentially applies the public key (from the certificate embedded in the PDF file) to the digital signature and compares the result with the message digest built from the PDF file, excluding the signature itself. If the result is the same, the signature is valid. ## Provide trusted root certificates Nutrient Web SDK will need access to the trusted root certificates that will be used for digital signature validation. Provided you have the component enabled in your license, you only need to supply the root certificates that Nutrient Web SDK should use for validation and call the corresponding API method to obtain the validation status of digital signatures embedded in a document. For this purpose, you can set [`NutrientViewer.Configuration#trustedCAsCallback`](https://www.nutrient.io/api/web/NutrientViewer.Configuration.html#trustedCAsCallback) when loading. This callback should return a `Promise` object that resolves to the `Array` of certificates to be used for validation. If the certificate is DER encoded, you need to return it as an `ArrayBuffer`. If it’s PEM encoded, you need to return it as a `string`. To retrieve the certificate list, Nutrient Web SDK calls the function assigned to `NutrientViewer.Configuration#trustedCAsCallback` when an instance is loaded. **Example using a dynamic list of certificates:** ```js NutrientViewer.load({...configuration, trustedCAsCallback: async () => { let res; let arrayBuffer; try { res = await fetch(myCertificateStore); // Use `res.text()` instead for a PEM-encoded certificate. arrayBuffer = await res.arrayBuffer(); } catch (e) { throw `Error ${e}`; } if (!res.ok) { throw `HTTP Error ${res.statusCode}`; } return [arrayBuffer]; }); ``` ## Certificate validation time By default, Nutrient Web SDK validates digital signature certificates against the signing time — the time when the document was signed. This is the recommended setting for Long-Term Validation (LTV) scenarios, especially when working with certificates that have short validity windows (such as GlobalSign certificates with 10-minute validity periods). You can control this behavior using the [`NutrientViewer.Configuration#certificateCheckTime`](https://www.nutrient.io/api/web/NutrientViewer.Configuration.html#certificateCheckTime) option: - `'signing_time'` (default) — Validates certificates against when the document was signed. - `'current_time'` — Validates certificates against the current system time. **Example using signing time (default):** ```js NutrientViewer.load({...configuration, certificateCheckTime: 'signing_time', // This is the default }); ``` **Example using current time:** ```js NutrientViewer.load({...configuration, certificateCheckTime: 'current_time', }); ``` When using `'current_time'`, a certificate that was valid at the time of signing but has since expired will show as expired during validation. With `'signing_time'`, the same certificate will validate successfully because it was valid when the document was signed. ## Obtain validation status You can obtain the overall validation status of the current document and information about each one of the digital signatures found on it with the [`NutrientViewer.Instance#getSignaturesInfo`](https://www.nutrient.io/api/web/NutrientViewer.Instance.html#getSignaturesInfo) method. It returns a `Promise` that resolves with a [`NutrientViewer.SignaturesInfo`] object. The `status` field returns a value indicating the result of the signatures’ validation of the document. Additionally, the `documentModifiedSinceSignature` property can be queried to determine if the document was altered in any way after all signatures were applied. If `true`, it means there is a signature that doesn’t cover the entire document. See the [API documentation](https://www.nutrient.io/api/web/NutrientViewer.html#.SignaturesInfo) for more information. If you need granular information about each one of the digital signatures found on the document, the signatures property of `NutrientViewer.SignaturesInfo` returns an `Array` with [`NutrientViewer.SignatureInfo`](https://www.nutrient.io/api/web/NutrientViewer.html#.SignatureInfo) objects. The array is sorted from least recent to most recent signature. The general status of each signature is present on the `signatureValidationStatus` field, wherein the field is `NutrientViewer.SignatureValidationStatus.valid` if no issues have been found on the signature, `NutrientViewer.SignatureValidationStatus.warning` if there are certain concerns with it, and `NutrientViewer.SignatureValidationStatus.error` if the signature is invalid. Every digital signature also contains information about PAdES signature levels, which can be found on the `PAdESSignatureLevel` field. The possible values are `NutrientViewer.PAdESLevel.b_b`, `NutrientViewer.PAdESLevel.b_t`, and `NutrientViewer.PAdESLevel.b_lt`. The fields `validFrom` and `validUntil` indicate the validity period of the signature, while `timestampInfo` field contains information about the timestamp token issuer. For more details about the status of the certificate chain or the integrity of the document, you can check out the `certificateChainValidationStatus` and `documentIntegrityStatus` fields. Additionally, there are flags that indicate whether the signing certificate is trusted, self-signed, or expired. ## Validation UI With the Digital Signatures license component, the validation status UI is available, but it’s not enabled by default. You can easily turn it on by specifying the desired option on the [`NutrientViewer.ViewState.showSignatureValidationStatus`](https://www.nutrient.io/api/web/NutrientViewer.ViewState.html#showSignatureValidationStatus) property. The available options are: - `NutrientViewer.ShowSignatureValidationStatusMode.NEVER` (_default_) — Don’t show the digital signature validation UI at any time, even if there are digital signatures on the document. - `NutrientViewer.ShowSignatureValidationStatusMode.IF_SIGNED` — Show the digital signature validation UI whenever the document is digitally signed. - `NutrientViewer.ShowSignatureValidationStatusMode.HAS_WARNINGS` — Only show the digital signature validation UI if there are warnings for the document’s digital signatures. - `NutrientViewer.ShowSignatureValidationStatusMode.HAS_ERRORS` — Only show the digital signature validation UI if there are invalid signatures in the document. The signature validation UI consists of a colored bar shown under the main toolbar and, if they exist, under the annotation toolbars. The bar will have the background color corresponding to the current document’s validation status: red for “error,” yellow for “warning,” and green for “OK.” These colors are adapted for the default supported themes, light and dark. The status bar will show an informative text about the validation status of the document. The diagram below shows the decision tree that leads to each possible validation status text and color. The bar will be shown or hidden in each case depending upon the value of `NutrientViewer.ViewState.showSignatureValidationStatus`.![Decision tree for each possible digital signature validation status](@/assets/guides/web/digital-signatures/digital-signatures-on-web/decisiontree.png) The validation status bar will pop up either when the document is loaded (or reloaded), or when `NutrientViewer.ViewState.showSignatureValidationStatus` is updated, depending on its value. The bar can be closed at any time by pressing the Close button at the end of the bar. The validation status displayed is automatically updated whenever the document changes, e.g. if an annotation is added, the bar will reflect that modifications were made to the document since it was signed. --- ## Related pages - [Add signature fields to PDFs using JavaScript](/guides/web/signatures/digital-signatures/signature-lifecycle/add-a-signature-field.md) - [Configure digital signature appearance: Visible vs. non-visible Signatures](/guides/web/signatures/digital-signatures/signature-lifecycle/configure-digital-signature-appearance.md) - [Creating self-signed certificates for digital signatures](/guides/web/signatures/digital-signatures/signature-lifecycle/prepare-the-certificates-for-signing.md) - [Sign a PDF via Document Engine using JavaScript](/guides/web/signatures/digital-signatures/signature-lifecycle/sign-a-pdf-document-document-engine.md) - [Sign a PDF via DWS Processor API using JavaScript](/guides/web/signatures/digital-signatures/signature-lifecycle/sign-a-pdf-document-dws.md) - [Implementing a secure digital signature lifecycle](/guides/web/signatures/digital-signatures/signature-lifecycle/signature-lifecycle-overview.md) - [Sign a PDF with a certificate in a browser](/guides/web/signatures/digital-signatures/signature-lifecycle/sign-a-pdf-document.md)