patch to correct byterange for signatures
Hi Hans,

I attach a patch for fixing the issue with wrong hash validation in signed documents (and another minor typo).

Sorry for the long explanation, but I think this is required, since this is a sensitive topic.

A sample source:

  \setupinteraction[state=start]
  \definefield[signature][signed]
  \defineoverlay[signature][my signature]

  \starttext
  \startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
    sign: \inframed[background=signature,framecolor=darkred]
      {\fieldbody[signature][width=3cm,option=hidden]}
  \stopTEXpage
  \stoptext

After compiling it with ConTeXt, I run:

  mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc a.pdf

(Certificate attached, passphrase is ABCabc.)

I get a signed PDF document, but both pdfsig and mutool sign complain about digest mismatch (as already mentioned on the other list).

After investigating the issue, I realized that the /ByteRange was calculated wrongly.

Using a binary editor ("neovim -b", for that matter), I jumped to the final range of the first byte (value of n1 from getbyteranges()). I saw that the first byte range ended in the s of /Contents, but there was a blank space after it (before the hex string value). This causes the digest mismatch, because the tmpfile contained an extra space excluded in the first byte range.

I modified the sigfile manually, adding one more byte to the byte length, and both pdfsig and mutool sign detected a valid signature.

The patch was simple, and now I realize the wrong byterange may well have been a typo in n1. (Excuse my verbose explanation in that case 😅.)

Outputs from both pdfsig and mutool sign are fine after the patch:

  $ pdfsig a.pdf
  Digital Signature Info of: a.pdf
  Signature #1:
    - Signature Field Name: signature
    - Signer Certificate Common Name: John Doe
    - Signer full Distinguished Name: CN=John Doe,O=No Brainer
  [...]
    - Signing Time: Jun 09 2024 11:50:53
    - Signing Hash Algorithm: SHA-256
    - Signature Type: adbe.pkcs7.detached
    - Signed Ranges: [0 - 6426], [10524 - 10909]
    - Total document signed
    - Signature Validation: Signature is Valid.
    - Certificate Validation: Certificate issuer isn't Trusted.

  $ mutool sign -v a.pdf
  Verifying signature 3:
    Distinguished name: cn=John Doe, o=No Brainer, ou=, email=, c=XX
    Certificate error: Self-signed certificate.
    The document is unchanged since signing.

I think the patch may be considered to be included in next latest.

Many thanks for your help,

Pablo
Pablo Rodriguez