VerifyKitv0.5.6
All comparisons
|6 min read|TrexoLab
pdf-libcomparisonsignature verificationjavascriptnode.js

VerifyKit vs pdf-lib: Creating PDFs vs Verifying Signatures

pdf-lib is one of the most popular PDF libraries in the JavaScript ecosystem, so it is natural to reach for it for anything PDF-related — including "can it check whether this signed document is valid?" The short answer is no, and that is not a criticism. pdf-lib and VerifyKit solve two different problems: pdf-lib creates and edits PDFs; VerifyKit verifies digital signatures. This page explains the difference and when you would use each — or both together.

What pdf-lib is built for

pdf-lib's own description is precise: "Create and modify PDF documents in any JavaScript environment." That is exactly what it is excellent at:

  • create documents from scratch, and — unusually — modify existing ones;
  • draw text, vector graphics, and images; embed fonts;
  • fill and flatten AcroForm fields;
  • set metadata, attachments, and viewer preferences;
  • run everywhere — Node, browser, Deno, React Native — with no native dependencies.

If your job is to assemble, fill, or edit PDFs, pdf-lib is a great choice.

What pdf-lib does not do

pdf-lib has no signature functionality of any kind — it neither applies digital signatures nor verifies them. The terms PKCS#7, CMS, X.509, certificate, PAdES, OCSP, and CRL do not appear in its documentation at all. (It also does not support encrypted documents.) There is no verify() in pdf-lib, and loading a PDF to inspect its structure is not the same as validating a signature over it.

That matters because signature verification is a cryptographic pipeline, none of which pdf-lib performs:

  1. Integrity — hash the signed ByteRange and confirm nothing changed after signing.
  2. Signature — validate the CMS/PKCS#7 SignedData against the signer's public key.
  3. Certificate chain — build a path from the signer certificate to a root.
  4. Trust — decide whether that root is trusted for document signing (AATL / EUTL / your own CA set).
  5. Expiry — confirm the certificate was valid at signing time.
  6. Timestamp — validate any RFC 3161 timestamp.
  7. Revocation — consult CRL / OCSP data.
  8. Algorithm & key usage — enforce a policy on weak algorithms and check Extended Key Usage.

pdf-lib can open the file and read its objects, but it never computes any of this. Parsing a PDF's structure is not verifying the signature inside it.

They are complementary, not competitors

Because the two libraries do different jobs, the common real-world setup uses both:

  • pdf-lib to generate, fill, or edit documents on the way out.
  • VerifyKit to verify signed documents on the way in — proving a received contract is untampered and identifying who signed it.

You do not choose pdf-lib instead of VerifyKit any more than you would choose a word processor instead of a signature validator. If you are already using pdf-lib and now need to answer "is this signature valid, and do we trust the signer?", that is the gap VerifyKit fills.

Where VerifyKit fits

VerifyKit is a commercial, licensed SDK built specifically for verification. Its Rust/WASM engine runs the full 8-point pipeline above — including a built-in AATL trust store, CRL/OCSP revocation, and PAdES B-B / B-T / B-LT / B-LTA detection — entirely client-side (the PDF is never uploaded), and the same engine runs headless in Node.js. It mirrors Adobe Reader's valid / unknown / invalid verdict, so an intact document from an untrusted signer reads as "unknown," not "invalid."

At a glance

Capabilitypdf-libVerifyKit
Create / modify PDFsYesNo (not its job)
Fill / flatten form fieldsYesNo
Apply a digital signatureNoNo (verification-focused)
Verify a signature (integrity)NoYes
CMS / PKCS#7 validationNoYes
Certificate chain + AATL trustNoYes
CRL / OCSP revocationNoYes
PAdES B-B / B-T / B-LT / B-LTANoYes
Runs in browser + NodeYesYes (Rust/WASM)
LicenseOpen source (MIT)Commercial SDK

How to choose

  • Building, filling, or editing PDFs? pdf-lib.
  • Verifying signed PDFs — trust, revocation, PAdES levels? VerifyKit.
  • Doing both (assemble documents and verify incoming signed ones)? Use them side by side — pdf-lib for authoring, VerifyKit for verification.

For a wider view of the ecosystem — @signpdf, PDF.js, the verify-pdf family, PKI.js, EU DSS — see Verifying PDF Signatures in JavaScript: A Library Comparison. For the verification model itself, see Core Concepts. Or try it on your own signed PDF in the live demo — everything runs in your browser.

References

Need PDF signature verification in production?

VerifyKit is a commercial SDK — try the live demo, then get in touch for a license.