A work colleague worked on a document signing solution for a client once. Legally, at the time (and I hope this has improved), when a person added their digital signature to a document, that meant that they signed that exact version (read: hash of all the bytes) of the document.
That meant that PDF was sort-of problematic for the use case that the customer required: Giving the customer an A4 version to keep for their documentation was important - but having an A4 version on screen made for terrible scaling UX on mobile and tablet devices.
The fact that PDF is more than just text+formatting in that manner was a real hindrance at that point in time (2017).
(I'd be happy to know if I got any of this wrong after only hearing about it second-hand. This was in Switzerland, if this affects which laws were relevant at the time.).
I think it's been around since the early 2000s, but a few months ago I got very tripped up by this for the first time. I got a PDF I needed to sign and send back (I usually drop and image of my signature and fax or reply). I actually needed to submit a bunch of these forms with varying dates. I couldn't open the PDF with macOS' Preview or any web reader (which happens time to time). I reluctantly downloaded Acrobat Reader. Filled it out, "signed it" and tried to change the date and Save As. It wouldn't let me and it wasn't clear why. I thought I just didn't know how to undo or select and delete the signature because I'm used to PDFs being text + images.
It turns out to be a feature where adding a "signature" locks the document. They suggest if you need to modify it you request a new document.
I'm probably reading the spec wrong, but it might have been added in PDF 1.5 (Aug 2003?)
The signature is cryptographically based on the exact document (and that person's certificate) so you can prove precisely what they signed. That is very much the whole point of the signature feature. It wouldn't be much use if, when you tried to challenge someone later, they could said "oh no, that's not the version I saw, you must have changed it after I signed".
Sure, my frustration is that it a) required Adobe's notoriously terrible software and b) wasn't obvious the implications of what I was doing and c) wasn't reversable/undoable.
I think the concept is great and was just passing along that it existed in PDFs to the parent. Personally, having signed probably 100s of PDFs over the years I had never encountered it. I've only seen the web-based DocuSign. In every case (including this one) faxing the document back was acceptable, which breaks this. I am all for improving chain of trust, but it's not very helpful if the user doesn't understand what they're doing and as someone who likes tech I tend to want a bit more control than most people.
The behaviour you're describing is literally the reason why PDF is still widely used - once you cryptographically SIGN the document you can verify that its content wasn't changed anymore after signing it and both parties can check that.
Incredibly important in many business processes not to mention signing contracts.
In my experience digital signatures are not widely used in “business processes” facilitated by people sending around PDFs. Most are signed with a pen and scanned, or signed by embedding an image. Such signatures have value as a signal of the intent to form a contract, even though it is well known that they do not guarantee authenticity or non-repudiation. Digital signatures don’t add much unless the signer publishes their public key and can prove that a new key with their name on it is inauthentic, and the authenticity of the message cannot be inferred from the surrounding circumstances.
I can attest to the same. I've signed security contracts with government agencies by taking their PDF, opening in in Apple Preview and attaching image of my signature, and sending back. Same with Xournal in Linux. This is how real world, big money contracts get signed. The email history probably attests more to the bonofides of the document than the document itself. It's up to the signers to spot differences visually.
Another tactic is contracts signed by another authorizing action like "your check is as good as your signature language" or "Under the U.S. Uniform Electronic Transactions Act (UETA), this Agreement is executed electronically when both parties agree via e-mail, an Internet web page, or other electronic means and the Client pays the deposit as set forth in..."
A simple email saying I agree is acceptable under US law. No cryptographic PDF features necessary.
I'm not sure what jurisdiction you are from but this is certainly not how it works in any legal system I've heard of. In this article published by an Australian law firm [1], the "electronic signatures" routinely used in commerce are clearly distinguished from true "digital signatures" in footnote 1. Digital signatures are only convincing if you understand how they work, and most people executing transactions don't.
A work colleague worked on a document signing solution for a client once. Legally, at the time (and I hope this has improved), when a person added their digital signature to a document, that meant that they signed that exact version (read: hash of all the bytes) of the document.
That meant that PDF was sort-of problematic for the use case that the customer required: Giving the customer an A4 version to keep for their documentation was important - but having an A4 version on screen made for terrible scaling UX on mobile and tablet devices.
The fact that PDF is more than just text+formatting in that manner was a real hindrance at that point in time (2017).
(I'd be happy to know if I got any of this wrong after only hearing about it second-hand. This was in Switzerland, if this affects which laws were relevant at the time.).