Signing methods

ATick signs with three kinds of key holders. All three take the same options.

1. PFX / P12 / PEM file

atick.sign_pfx(pdf, pfx=pfx_bytes, password="••••", style=style, placements=placements)

sign_pfx accepts both PKCS#12 (.pfx/.p12) and PEM — an unencrypted PKCS#8/PKCS#1 private key plus one or moreCERTIFICATE blocks. The format is auto-detected, so a PEM works in the same call (pass its bytes as pfx= and password=""):

pem = open("signer.pem", "rb").read()
atick.sign_pfx(pdf, pfx=pem, password="", style=style, placements=placements)

2. USB token / smart-card / HSM (PKCS#11)

for serial, name in atick.pkcs11_list(dll="C:/Windows/System32/eps2003csp11.dll", pin="••••"):
    print(serial, name)

atick.sign_pkcs11(pdf, dll=".../lib.dll", pin="••••", serial="<hex serial>",
                  style=style, placements=placements)

The vendor PKCS#11 library (.dll/.so/.dylib) is loaded at run time — no C toolchain needed.

3. Windows certificate store

atick.sign_winstore(pdf, style=style, placements=placements)                 # opens the certificate picker
atick.sign_winstore(pdf, style=style, placements=placements, thumbprint="<hex>")   # pick by thumbprint

Common options

sign_pfx additionally accepts open_password= (decrypt an encrypted input), encrypt_password= and owner_password= (password-protect the output).

Multi-signatory (sign an already-signed PDF)

ATick signs as an incremental update: existing signatures keep their byte ranges and stay valid. Just sign the already-signed PDF again; the field name is auto-uniquified so it never collides.

signed_v1 = atick.sign_pfx(pdf,       pfx=pfx, password="••••", style=style, placements=placements)   # Atick_1
signed_v2 = atick.sign_pfx(signed_v1, pfx=pfx, password="••••", style=style, placements=placements)   # Atick_2

Next page →