rust·pdf Get a license

Digital signatures · Go

Digitally sign a PDF in Go

Add a cryptographic PKCS#7 or PAdES signature to a PDF from Go. rust-pdf signs through a non-destructive incremental update, so the original bytes are preserved and the signature stays verifiable in Adobe Reader, pdfsig and any PAdES validator.

See the Go code PAdES signatures, explained

Why Go needs this

Go's PDF story is fragmented: gofpdf is archived and unipdf is commercial, so production-grade output usually means a paid dependency or a brittle wrapper.

A real digital signature gives a document legal weight: it proves who signed it and that nothing changed afterwards. rust-pdf builds the detached CMS by hand to control the ByteRange, supports PAdES B-B, B-LT and B-LTA for long-term validation, and lets you supply your own key and certificate as DER.

  • PKCS#7 detached and PAdES B-B, with B-LT and B-LTA for long-term validation.
  • Incremental update: the original file is preserved byte for byte, so earlier signatures stay valid.
  • Bring your own key and X.509 certificate (PKCS#8 DER), or chain to a TSA for timestamps.

Sign a PDF in Go with rust-pdf

Install the package, then call the same idiomatic API every rust-pdf binding shares. The snippet below is real Go code from the reference docs.

Go
pdf, _ := os.ReadFile("contract.pdf")
keyDER, _ := os.ReadFile("signing-key.pkcs8.der")   // PKCS#8 private key (DER)
certDER, _ := os.ReadFile("signing-cert.der")       // X.509 certificate (DER)

signed, err := rustpdf.Sign(pdf, keyDER, certDER, rustpdf.SignOptions{
	Reason: "Approved", Location: "New York",
	Name: "Jane Doe", PAdES: true,
})
if err != nil {
	log.Fatal(err)
}
_ = os.WriteFile("contract.signed.pdf", signed, 0o644)
// Verify in a shell: pdfsig contract.signed.pdf  →  "Signature is Valid."
Validated by: pdfsigopensslqpdf

Go basic generation is free. Signing is a corporate feature, unlocked by one offline license token. See pricing & licensing.

Full Go reference in the documentation.

Signing in Go: FAQ

Is the signature legally valid?

rust-pdf produces standards-compliant PKCS#7 and PAdES signatures. Legal validity depends on the certificate you sign with (for example an eIDAS qualified certificate or an ICP-Brasil certificate). The library handles the cryptography and the PDF structure correctly, which is what validators such as pdfsig and Adobe Reader check.

Does it support long-term validation (LTV)?

Yes. After signing you can append a Document Security Store with certificates and CRLs (PAdES B-LT) and an RFC 3161 document timestamp (PAdES B-LTA), all offline. A trusted external TSA and live OCSP fetching are the only parts that need network infrastructure.

Do I need a license to sign in Go?

Signing is a corporate feature, so it requires an active license token. Basic PDF generation in Go is free. The same offline Ed25519 token unlocks signing across every language.

Digitally Sign a PDF in Go (PAdES)

One Rust core, the same output across every language. Prototype for free, license the corporate features when you ship.

Read the Go docs View pricing & licensing
PAdES signatures rust-pdf for Go Signing in PHP Signing in Ruby Signing in Node.js Signing in Python Signing in C# PDF/A in Go Encryption in Go Merging in Go Text extraction in Go Compression in Go Go docs