Preserve existing digital signatures when signing already-signed PDFs (Incremental Save support)

[luigismith]

Feature Title

Preserve existing digital signatures when adding new signatures (Incremental PDF Save)

Feature Description

When signing a PDF that was already digitally signed with another tool (e.g., Adobe Acrobat, Adobe Sign, DocuSign), the previous signature is invalidated or lost after OpenSign applies its signature.

Current behavior:

• Upload a PDF that was previously signed with Adobe Acrobat or other e-signature tools
• • Sign it with OpenSign
• • • The resulting PDF shows the OpenSign signature, but the previous signature is either missing or marked as invalid
      Expected behavior:
• OpenSign should preserve all existing valid signatures
• • The new signature should be added incrementally without modifying the byte ranges covered by previous signatures
• • • All signatures (both old and new) should remain valid and verifiable
      Technical Context:
      This issue is likely caused by the PDF library not supporting proper incremental saves. When a PDF is modified and saved, it rewrites the entire document instead of appending changes, which invalidates the cryptographic hash that previous signatures were computed against.

The solution would require:

1. Implementing incremental PDF saving (appending new data without modifying existing content)
2. 2. Ensuring new signature placeholders don't alter byte ranges of existing signatures
3. 3. Supporting the PDF specification for multiple signature revisions
      Reference: Similar issue documented in pdf-lib #1271

What type of feature are you requesting?

Security / Compliance

Importance

Critical

Additional Context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct
• I have searched the existing issues & discussions to make sure that this is not a duplicate.

[tiru-venkatesh]

Thanks for raising this — I agree this is a critical security & compliance feature, especially for workflows involving multiple signers and external tools.

I’d like to actively work on this issue if the maintainers are open to it.

From initial analysis, this appears to be an incremental PDF save issue where the current signing flow rewrites the document, invalidating existing /ByteRange values. As per the PDF specification, new signatures must be added as a new revision, appending data without touching previously signed byte ranges.

Proposed approach:

Trace the current PDF save/sign pipeline to identify where a full rewrite occurs

Check whether the underlying PDF library supports:

Incremental updates

Multiple signature revisions

Implement or extend incremental save logic to:

Preserve existing /AcroForm and signature dictionaries

Append new signature objects, appearance streams, xref tables

Ensure the new /ByteRange only covers appended content

Test against PDFs signed using Adobe Acrobat / DocuSign to confirm all signatures remain valid

If the existing library cannot reliably support incremental saves, I can also evaluate alternative PDF libraries that fully support multi-signature workflows.

If this direction sounds good, I’m happy to:

Share findings from the codebase analysis

Propose a concrete implementation plan

Open a draft PR for early feedback

Please let me know if I should proceed 👍