Validate an electronic signature – simple and legally compliant

‍

A contract has been finalized, the deadline is approaching, and it’s time to sign. In many cases, however, a simple electronic signature is not sufficient. For certain types of contracts, a qualified electronic signature is required to comply with legal requirements. If it is missing, the contract may be invalid. This is precisely why it is important to understand when which type of signature is sufficient, what legal requirements apply, and how contracts can be concluded securely and bindingly in digital form.

‍

Why validating an electronic signature is important

The validation of electronic signatures is more than just a technical verification step. It determines whether a signature matches the document, whether the document has been altered since it was signed, and whether the certificate used is trustworthy. This is precisely what matters in everyday business operations: anyone who processes contracts, approvals, or supporting documents digitally needs not only a signature but also a reliable confirmation of its validity. The BSI (Federal Officefor Information Security) therefore explicitly describes the verification process not only as a mathematical verification but also as a check of the certificate’s validity and other supporting documents.

‍

Especially for legally compliant processes, verification creates transparency and can validate the signature. Companies can determine who signed, when the signature was applied, and whether the underlying chain of trust is intact. A typical challenge, however, lies in the technical complexity: timestamps, certificate chains, and revocation status must be correctly evaluated. Without this evaluation, a signature may exist but cannot be reliably assessed. Qualified validation services help here because they provide the verification result automatically and with minimal technical effort. These will be discussed later in this blog post.

‍

Online tools for verifying signatures

Anyone wishing to validate a signature can use various public online tools. For the EU and EEA, the European Commission offers the DSS web application, which allows users to verify signatures online for testing purposes. Signed documents can be uploaded there and checked for signature status, certificates, timestamps, and other validation data. However, it is important to note that the European Commission expressly points out that this is a demonstration application intended solely for testing purposes. Sensitive documents should therefore not be uploaded without due consideration.

Swisscom also refers users to public validators within the EU for online signature verification, such as the signature verification service provided by the Austrian regulatory authority RTR or the European Commission’s validator. At the same time, Swisscom draws attention to an important limitation: the validators in EU member states have not yet been fully harmonized. As a result, a qualified electronic signature may be evaluated differently. Furthermore, these public tools generally only allow for the verification of QES, but not advanced electronic signatures.

The qualified electronic signature (QES) is the highest level of electronic signature and is largely equivalent to a handwritten signature in legal terms. The advanced electronic signature (AES)also offers a high degree of security and traceability, but is less strictly regulated and is particularly suitable for documents for which no specific legal form is required.

For businesses, therefore, online validators are useful for an initial assessment, but they cannot replace a thorough internal review and documentation when it comes to sensitive processes.

‍

The Validity of Electronic Signatures in Germany and the EU

In Germany and the EU, electronic signatures operate within a uniform legal framework: eIDAS (electronic IDentification, Authenticationand Trust Service). This framework is designed to enable secure electronic transactions that can be used across borders. The European Commission clarifies that qualified electronic signatures have the same legal effect as handwritten signatures in all EU member states. This means that the validity of digital signatures is not only relevant at the national level but is also practically applicable, particularly for international business processes.

However, it is important to note that not every electronic signature automatically has the same evidentiary value.

Evidential value describes the extent to which an electronic signature helps establish the authenticity, integrity, and attribution of a document in the event of a dispute. Put simply, it refers to how well it can be proven who signed the document, that it has not been altered since then, and when the signature was applied.

‍Note: The higher the evidentiary value, the more legally binding the signature is. A qualified electronic signature has the highest evidentiary value because, according to eIDAS and is, in principle, legally equivalent to a handwritten signature.

The eIDAS Regulation distinguishes between different levels of electronic signatures, including simple, advanced, and qualified electronic signatures. Only the qualified electronic signature is explicitly equivalent to a handwritten signature throughout the EU. A qualified electronic signature differs from other types of signatures due to its higher evidentiary value. It is based on a verified identity, a qualified certificate, and clear technical requirements, and is therefore particularly robust from a legal standpoint. For businesses, this means that the question of an electronic signature’s validity is always also a matter of the specific type of signature and its intended use. Those with high requirements for verifiability and legal certainty should therefore not only sign but also verifiably check and document the validity.

‍

Validating a qualified electronic signature – what should you keep in mind?

Anyone who wants to validate a qualified electronic signature should check more than just the visible signature field in the document. The key factors are whether the signature is mathematically correct, whether the document has remained unchanged since it was signed, and whether the underlying certificate was valid at the time of signing. The Federal Network Agency specifically mentions the verification of data integrity, certificate validity, the qualified status of the certificate, and creation using a qualified electronic signature creation device.

When validating electronic signatures, it is also important to ensure that the correct signature type is used. Public validators typically refer to the qualified electronic signature (QES)

In practice, companies should also verify that the timestamp, certificate chain, and status information are complete. If this information is missing or does not come from a trusted source, even a validly applied signature can cause problems during verification. Qualified validation services are helpful in this regard because they provide results automatically, reliably, and with minimal technical effort.

‍

Cryptographic methods

Cryptographic methods form the technical foundation of every digital signature. The cryptographic hash function plays a central role in this process. It generates a unique hash value—essentially a digital fingerprint—from a document. Even the slightest change to the content results in a different value. This is precisely what allows the signature verification process to determine whether a document has been altered after the fact.

For security purposes, it is crucial that the cryptographic hash function be collision-resistant and designed as a one-way function. This means that different documents should not produce the same hash value, and the original content must not be recoverable from the hash value. Together with asymmetric cryptography, the hash function thus forms the basis for the integrity, authenticity, and reliability of electronic signatures. Without these cryptographic methods, robust signature verification would not be possible.

‍

Certificates and hash values

Whether a document has remained unchanged after being signed can be verified technically using its hash value. As explained above, this is a central component of digital signature procedures.

Note: Even the smallest change—such as an extra space or a modified number—results in a completely different hash value!

That is precisely why the hash value for the qualified electronic signature (QES) is so important: It reveals whether a document has been altered after it was signed.

Anyone who wants to enter into legally binding digital contracts should understand how an electronic signature works from a technical standpoint. A cryptographic hash function ensures that any changes to the document are immediately detectable. Digital signature certificates also confirm the origin of the signature and establish trust in the authenticity of the signature. These components are particularly crucial for qualified electronic signatures to ensure the integrity, identity, and verifiability of a digitally signed document.

In our blog post on validation of electronic signatures.

‍

Sources of error during testing

In many cases, problems with signature verification do not arise from the signature itself, but rather from missing or incomplete verification information. Typical sources of error include incomplete certificate chains, expired or revoked certificates, and missing status information from validation services. The BSI points out that the verification process considers not only the mathematical correctness of the signature but also the validity of the certificate and other supporting documentation.

‍

Timestamps can also become a problem if the underlying service is not classified as trustworthy or if relevant verification information is missing. Furthermore, the trustworthiness of qualified services must be verified through official trust lists. If this information is not properly integrated or is misinterpreted, a signature that is actually valid may be incorrectly identified as invalid. For businesses, this means that reliable signature verification requires not only the document itself, but also a sound technical and regulatory context.

‍

How signature verification works technically

‍

‍

The process of qualified electronic signature (QES) follows a clear procedure designed to ensure that a document can be uniquely attributed to a person and remains unchanged after signing. The process begins with identity verification. The signatory verifies their identity with a qualified trust service provider, for example, by presenting an identification document. Only then is a qualified certificate issued, which contains the person’s public key.

The next step is to generate a key pair. This consists of a private key and a public key. The private key is stored securely in a secure signature creation device and remains under the sole control of the signatory.

When signing a document, a hash value is first generated. This hash value is signed with the private key and transmitted along with the document.

To verify the document, a new hash value is calculated from the received document and compared with the signed value. If the two match, it is clear that the document has not been altered and the signature verification was successful.

‍

The Role of Validation Documentation

Validation records play a crucial role when electronic signatures need to be not only verified but also documented in a traceable manner. They record the outcome of a signature’s validation and the basis on which that assessment was made. This is particularly important when companies need to demonstrate the validity of a signature to internal auditors, business partners, or government agencies at a later date.

Validation records provide additional security, particularly for qualified electronic signatures. They not only demonstrate that a signature was valid at the time of verification but also document relevant information such as certificates, timestamps, and the status of the verification. This transforms a technical check into reliable evidence.

For businesses, this is particularly important for processes that are contract-related, audit-related, or subject to regulatory scrutiny. Validation records enhance traceability, reduce uncertainty, and help ensure that digital signature processes are documented accurately and in compliance with legal requirements.

‍

Trusted service providers and their role in validation

Trust service providers play a central role when it comes to the legally secure use of electronic signatures. A qualified trust service provider operates in accordance with the strict requirements of the eIDAS Regulation and provides trusted services such as the qualified electronic signature (QES) . This primarily includes verifying the identity of the signatory and issuing qualified certificates. In this way, the trust service provider lays the foundation for ensuring that electronic signatures can be uniquely attributed and protected against tampering.

The trust service provider also plays a crucial role in validation. This is because a signature can only be reliably verified if certificates, timestamps, and other confidential information come from a qualified provider. Qualified validation services help to confirm the validity of electronic signatures in a traceable manner. For businesses, this means that only a trusted trust service provider can lay the foundation for digital processes that are not only efficient but also binding and legally secure.

‍

Best Practices for Businesses in Signature Verification

It is equally important to work exclusively with qualified and officially listed trust service providers. The Federal Network Agency provides the German Trust List for this purpose; qualified trust services from other EU countries may also be relevant.

For documents that are important in the long term, companies should also ensure that they remain verifiable over time. To this end, the Federal Network Agency recommends, among other things, qualified trust services and BSI-compliant solutions for the long-term preservation of signed documents.

In this way, signature verification becomes not just a single step, but a reliable component of digital compliance and contract processes.

‍

Conclusion

Digital signatures have long since become more than just a technical add-on. They are a crucial foundation for fast, binding, and legally compliant processes in an increasingly digital workplace. What matters is not only the signature itself, but also its traceability, validation, and secure integration into the entire contract process. This is precisely where the importance of a solution that combines efficiency and legal certainty becomes apparent.

With ContractHero, contracts can not only be managed centrally but also signed digitally right away. Both advanced electronic signatures (AES) and qualified electronic signatures (QES) are available to meet different requirements. This allows companies to choose the appropriate signature standard depending on the document type. At the same time, creation, distribution, signing, and management remain consolidated in one central location. As an ISO 27001- and eIDAS-compliant company, ContractHero places particular emphasis on security, reliability, and ease of use. This ensures that digital signing is not an isolated, one-off step, but rather an integral part of modern and efficient contract management.