Authentication

GPO's core mission hasn't changed since opening in 1861, but the agency has evolved to meet the information needs of Congress, agencies, and the public in a predominantly digital world. The widespread use of digital technology has changed the ways GPO's products are created, managed, and delivered to users. Because many of the official publications GPO provides online are in PDF format, GPO uses digital signature technology to provide evidence of authenticity and integrity and safeguard against unauthorized changes to these files.

GPO has a broader responsibility, not just to keep "America Informed", but also to take measures to provide evidence to information consumers that they can trust the information in our publications. Trust that no unauthorized changes have been made but also trust that what they are seeing is in fact the official document, has not been fabricated, and has in fact been disseminated by GPO in that very form.

With the application of digital signatures to PDF documents, GPO seeks to provide evidence of PDF integrity and authenticity:

Providing evidence of document integrity means that measures have been taken to prevent unauthorized or accidental changes to the data. The goal is to provide visible evidence to the receiver to verify the data has not been altered.
By authenticity, we mean that a user is able to see evidence that verifies a digital publication's identity, source, and ownership.

To address the need to provide evidence of authenticity and integrity of PDF documents, GPO uses a digital certificate to apply digital signatures to PDF documents and a visible seal of authenticity to convey that information to users.

Certification is proof of verification or authority. It's the process associated with ensuring that a digital object is authentically the content issued by the author or issuer.

Authenticity and integrity information is conveyed to a user by opening a PDF in Adobe Acrobat or Reader software and clicking the visible seal of authenticity, an eagle logo that says “Authenticated U.S. Government Information.” Upon clicking the logo, users can verify the document certification is valid, it has not been modified since it was certified, and that the signer's identity was valid at the time the digital signature was applied to the file. The user also has the option to look at the signature properties.

How do I verify GPO's digitally signed PDFs?

The recommended way to verify GPO's digitally signed PDFs is to open the file using Adobe Acrobat or Reader software.

Many browsers today open PDFs automatically within the browser without using your computer's Adobe software. If you are not using Adobe Acrobat or Reader, the digital signature validation process may not occur.

*Note: You can adjust the default PDF open behavior on your computer to open in the Adobe software instead of the browser. Each browser has its own settings to control how PDFs open from a web page. Follow these instructions for your specific browser to change the display settings.

When GPO signs and certifies a document, a blue ribbon icon appears right beneath the top navigation menu and also in the Signature Panel within Adobe Acrobat or Reader. When users print a document that has been signed and certified by GPO, the Seal of Authenticity will automatically print on the document, but the ribbon will not print.

Blue Ribbon Icon

GPO's Seal of Authenticity

How do I highlight or add comments to PDF documents that have been digitally signed?

There is a workaround that will allow you to annotate digitally signed PDFs by printing as an Adobe PDF to create a new PDF file that can be annotated.

Instructions:

Open the PDF file in either Adobe Acrobat or Reader *Note: Make sure to open the file using the Adobe software and not in your web browser (Internet Explorer, Chrome, etc.)
Once the file is open in the Adobe software, go to the top menu, click "File" then click "Print." A screen will pop up with print options. In this screen, click the dropdown box next to Printer and select "Adobe PDF." Click the dropdown box next to Comments & Forms and select “Document” (instead of “Document and Markups.”)
Click "Print." You will then be able to Save the file with a different file name than the original or to a different location on your computer. You will be able to highlight and add comments to this new file.

Note: The new files created using this method will still display the GPO Seal of Authenticity, but will no longer be digitally signed. Other PDF printers and distillers can be used, but may have different final outputs in format, including the loss of selectable text

I want to quote a digitally signed and certified PDF document I downloaded from GovInfo. Do I have to retype the text?

Users can select text from a digitally signed and certified PDF file, then copy and paste it into a new document. The digital signature will not be transferred with the text.

What are validation icons?

Validation icons appear in Adobe Acrobat or Reader to notify users of the content's validity status. These are several icons that are used by Adobe to convey information about digital signatures:

Validation icon for certified PDFs

Validation icon that indicates

What certificate information should I expect to see in a file digitally signed and certified by GPO?

A PDF file that has been digitally signed and certified by GPO should include the following information:

Document certification is valid, signed by Superintendent of Documents [email protected].
Reason for Signing: GPO attests that this document has not been altered since it was disseminated by GPO.

Note: Beginning in August 2021, a new signature profile will be is being used in order to meet updated requirements from the Certificate Authority Browser Forum, a consortium of certification authorities and major browser vendors. The new information should appear as:

Adobe PDF Certification statement from Government Publishing Office <pkisupport@gpo.gov>, Superintendent of Documents, certificate issued by Symanted Class 3 Organizational Signing RSA CA

Document certification is valid, signed by Government Publishing Office [email protected].

The Document has not been modified since it was certified
The signers' identify is valid.

Both signatures remain valid. In the future, it is likely that existing PDFs will be reprocessed and signed with the newer signature.

How can I tell if a signed and certified PDF file has been changed?

If the content of a PDF file certified by GPO is altered, the certification will be invalidated. Users will know this by the appearance of the yellow warning icon in the Adobe software.

Yellow Warning Icon

If I save a digitally signed and certified PDF from GovInfo on my own computer, is the signature still valid?

As long as the file is not changed, the electronic signature will remain valid. Users can save PDF files that have been digitally signed and certified by GPO for later use or email them to other users without affecting the digital signature.

PDF files on GovInfo are signed using Long-Term Validation (LTV), which means that even when the certificate used to perform the signing expires (generally every three years), the PDF remains validly signed. If you find a PDF file downloaded directly from GovInfo is not validating, please contact us via AskGPO and we will investigate and resolve the issue.

I opened a digitally signed and certified document that I saved on my computer several weeks ago. How can I be sure it has not been corrupted?

You can check the validity of a signature at any time. To do so, open the document in Adobe Acrobat or Adobe Reader. Click the Signature Panel icon then click “Validate All” then “OK”. The software will run a validation check to see if the digital certificate used to sign the document is valid.

Signature Panel Icon

I have a PDF document that has been changed. Is there any way to see the signed version?

If changes are made to the signed version of a document, Adobe Acrobat and Reader provide the capability to view the signed version. To access this feature, Click the Signature Panel icon then select and expand the signature, and choose “Click to view this version.” If multiple versions are available, users will have the ability to select this option.

Signature Panel Icon

However, the certified PDFs available on GovInfo cannot be changed themselves - only the steps above to allow annotation would allow changes, and then the digital signature ribbon would not appear. Searching for the equivalent document within GovInfo and downloading a new authenticated version would be one option.

Can I see some examples of changed PDF files?

This file was signed, but not certified, and has been changed (PDF). You will notice the ribbon validation icon has been replaced with a yellow warning icon and you can see the signed version of the file.

Yellow Warning Icon

I found a document published a long time ago with a more recent digital signature. Why would that happen?

This is a common occurrence, and there are a few reasons why this could occur. For some content from the 1990s and 2000s originally on GPO Access (GPO's original electronic dissemination portal), signatures would have been originally applied when they were migrated to FDsys/GovInfo. GPO is also continually adding content to the GovInfo, including digitized historical content like the Digitized Statutes at Large, Bound Congressional Record, and the Congressional Serial Set.

Additionally, as part of GovInfo development, we make improvements to parsing or metadata for a given collection, like the Federal Register. These improvements get rolled out to new content automatically, but existing content packages sometimes need to be reprocessed, either in a targeted manner, in the case where only specific documents were affected or across the entire collection.

When a package is reprocessed, it goes through the entire processing and publishing cycle again, including recreating the public access copies of the content from the original submitted content in the preservation repository. For PDFs in the Federal Register and other collections, this includes saving copies with the correct access id, and applying the digital signature and GPO's Seal of Authenticity.

This also updates the package in our sitemaps and the GovInfo API, which alerts external users of there being an update to the package. In the case of automated systems, this will let them know that they should recrawl and download content and metadata that is of interest to them.

What should I do if I have an official document with an expired or invalid signature?

If you received the document from someone other than an official government source and it is also available from GovInfo, please try downloading it directly from GovInfo. If the validity issue is on a document you have downloaded from GovInfo directly, please contact us via AskGPO and we will investigate and resolve the issue.

Where can I get more help using digitally signed and certified PDF files?

Additional help information is available on Adobe's website.

How can I validate the digital signature on a PDF using a non-Adobe tool?

GPO's GovInfo provides certified/signed documents using digital certificates that chain up to the Adobe root CA. This allows the vast majority of users to access and validate that official documents from the Federal Government have not been altered since signing. If you are using a non-Adobe tool and are having issues in validating GovInfo PDFs, please ensure that you have imported the following intermediate and root certificates into your tool's trust store. These files are zipped in the following downloads:

Certificate chain for PDFs signed prior August 2021 (MD5: 6c5b489805053d0bc2491b0901fa6464)
Certificate chain for PDFs signed beginning in August 2021 (MD5: 0f8a7d477afbe511744ef2ae8a6090de)

For a non-Adobe tool, please consult the documentation for your specific tool on the specific steps required to import the certificates and validate PDFs. If you are having trouble validating a PDF with a non-Adobe tool, please try using the free Adobe Reader tool as a secondary check.

As a demonstration, the GovInfo team performed proof of concept testing of validating GovInfo-signed PDFs using a non-Adobe tool called iText.

Reference code is available here.

These code snippets also link to additional information in a free eBook available from the development team.

See below for output showing successful validation of a Congressional bill using reference code provided by the developers of that tool.

Sample output

The below demonstrates that the certificates used to sign the pdf are in the keystore, and thus trusted.

===== USGPOSignature =====
Signature covers whole document: true
Document revision: 1 of 1
Integrity check OK? true
--------------------------
Certificates verified against the KeyStore
--------------------------

The following validates that the certificates were valid at signing

=== Certificate 0 ===
Issuer: C=US,O=Symantec Corporation,CN=Symantec Class 3 Organizational Signing RSA CA
Subject: CN=Government Publishing Office,C=US,O=Government Publishing Office,[email protected],OU=Superintendent of Documents
Valid from: 2021-07-26-00-00
Valid to: 2023-06-01-23-59
The certificate was valid at the time of signing.
The certificate is still valid.
=== Certificate 1 ===
Issuer: C=US,O=Symantec Corporation,CN=Symantec Document Signing RSA Root CA
Subject: C=US,O=Symantec Corporation,CN=Symantec Class 3 Organizational Signing RSA CA
Valid from: 2015-01-15-00-00
Valid to: 2035-01-13-23-59
The certificate was valid at the time of signing.
The certificate is still valid.
=== Certificate 2 ===
Issuer: C=US,O=Symantec Corporation,CN=Symantec Document Signing RSA Root CA
Subject: C=US,O=Symantec Corporation,CN=Symantec Document Signing RSA Root CA
Valid from: 2015-01-15-00-00
Valid to: 2035-01-14-23-59
The certificate was valid at the time of signing.
The certificate is still valid.

Finally, the following shows that the document itself was signed with a valid signature at the time of signing and today.

=== Checking validity of the document at the time of signing ===
CN=Government Publishing Office,C=US,O=Government Publishing Office,[email protected],OU=Superintendent of Documents verified with com.itextpdf.signatures.OCSPVerifier: Valid OCSPs Found: 1 (online)
=== Checking validity of the document today ===
CN=Government Publishing Office,C=US,O=Government Publishing Office,[email protected],OU=Superintendent of Documents verified with com.itextpdf.signatures.OCSPVerifier: Valid OCSPs Found: 1 (online)

Additional Resources

Authentication definitions and acronyms (PDF)
GPO Document Authentication Workshop - June, 18, 2010
- Workshop Transcript (PDF)
- Workshop Presentation (PDF)
GPO Authentication Initiative Documentation
- Overview of GPO's Authentication Program (PDF)- June 13, 2011
- Authenticity of Electronic Federal Government Publications (PDF)- June 13, 2011
- Final Authentication White Paper (PDF)- October 13, 2005
- Draft Authentication White Paper (PDF)- June 23, 2005
- Authentication Briefing Paper (PDF)- Spring 2005 DLC Meeting
For Further Reading
- Introduction to Public Key Technology and Federal PKI Infrastructure (PDF) National Institute for Standards and Technology, 2001
- Electronic Authentication Guideline Recommendations of the National Institute of Standards and Technology (PDF) National Institute for Standards and Technology, 2011
- Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies (PDF) General Accountability Office, 2003
- Public Key Infrastructures - Federal PKI