Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| Signature validity is UNKNOWN | Adobe Reader signature panel | — |
| The signature includes an embedded timestamp but it could not be verified | Signature Properties dialog | — |
| Document has been altered or corrupted since it was signed | Signature Properties — distinct from trust failure | — |
Three independent failure modes
An invalid PDF signature collapses three different problems into one banner: trust-chain failure (Reader doesn't know the CA), revocation/timestamp failure (Reader cannot reach OCSP/CRL or the timestamp authority), and byte-integrity failure (document was modified after signing).
Each requires a distinct fix and each is diagnosable from the Signature Properties dialog in under 60 seconds.
Windows vs macOS — what differs
Windows 10 / 11
- Acrobat optionally trusts the Windows certificate store via the 'Windows Integration' preference — off by default in enterprise installs.
- Timestamp/OCSP traffic uses HTTP/HTTPS; egress proxies often block the timestamp authority URL, so it must be explicitly allowed at the proxy.
macOS Sonoma / Sequoia
- Acrobat does not read the macOS Keychain. Trust must be configured inside Acrobat or via AATL refresh.
- Some PDF viewers (Preview.app) display a 'signature valid' indication that does not match Acrobat's verdict — always trust Acrobat for the authoritative result.
Browser-specific behaviour
Chrome
Built-in viewer renders signed PDFs but does not validate. Always re-open in Acrobat to verify.
Edge
Renders a 'signed' chip with no chain validation. Diagnostic value: low.
Firefox
pdf.js does not validate; treat output as informational only.
Safari
Quick Look shows the signature glyph; Preview.app may show 'verified' based only on byte integrity, not trust.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Open Signature Panel → expand entry
Expected: Read the verdict: 'valid', 'unknown' (trust problem), or 'altered' (integrity problem).
2. If 'unknown' — Signature Properties → Show Signer's Certificate → Trust
Expected: Either trusted via AATL/Windows/manual, or 'not trusted'. If the signer's CA is a recognised one, run Trust Manager → Update Now to refresh AATL.
3. If 'unknown' with timestamp warning — Preferences → Signatures → Verification → More → enable 'Use expired timestamps'
Expected: Long-term archival signatures (PAdES-LTV) re-validate against signing-time state.
4. If 'altered' — re-download from the original source (not a synced cloud folder)
Expected: Re-validates as 'valid' or 'unknown'. If still 'altered', the document was genuinely modified post-signing and must be re-issued.
5. Confirm OCSP/CRL egress
Test connectivity to the CA's OCSP URL listed in the signer's certificate (AIA extension)
Expected: HTTP 200 with binary OCSP response body. Proxy blocks here cause silent validation failure.
Frequently asked questions
Why is the validity 'unknown' instead of 'invalid'?
'Unknown' is the correct verdict when Reader can verify integrity but cannot establish trust. It is conservative: Reader is telling you the signature wasn't tampered with but it can't vouch for who signed it.
Will turning off revocation checking 'fix' the signature?
It will silence the warning but compromises validation. Better fix: identify why OCSP/CRL is unreachable (firewall, expired CRL, CA-side outage) and remediate at that layer.
Why does the same PDF show valid in Acrobat and invalid in Reader?
Reader and Acrobat ship the same AATL but different default preferences. Reader's Windows Integration may be off while Acrobat's is on, giving Acrobat extra trusted roots.
Does flattening a signed PDF preserve validity?
No. Flattening rewrites the byte range and breaks the integrity hash. The signature will show 'altered'. Re-issue from the signer without flattening.
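The 'altered' verdict in step 4 and the flattening answer above both come down to the signature's /ByteRange, which lists the bytes the integrity hash covers. The following Python is an added example, not code from this page and not Adobe's validation logic: it checks each /ByteRange structurally and hashes the signed bytes so two copies of a document can be compared. The names check_byte_ranges and build_sample are chosen here, and the sample file is constructed with a dummy /Contents value.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def check_byte_ranges(pdf: bytes) -> list:
    """Structural check of each signature's /ByteRange [a b c d]; no crypto."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        gap = pdf[a + b:c]                      # bytes excluded from the digest
        signed = pdf[a:a + b] + pdf[c:c + d]    # bytes the digest is computed over
        results.append({
            "starts_at_zero": a == 0,
            "in_bounds": a + b <= c and c + d <= len(pdf),
            # The excluded span should be exactly the hex /Contents value.
            "gap_is_contents": re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None,
            # > 0: the file was saved again after this signature was applied.
            "bytes_after_signed_range": len(pdf) - (c + d),
            # Compare this value between two copies of the same document.
            "signed_sha256": hashlib.sha256(signed).hexdigest(),
        })
    return results

def build_sample() -> bytes:
    """Constructed signed-PDF skeleton with a dummy /Contents (not a real signature)."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    suffix = b"] /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    width = 40                                  # fixed-width slot keeps offsets stable
    gap_start = len(prefix) + width + len(suffix)
    gap_end = gap_start + len(contents)
    byte_range = b"0 %d %d %d" % (gap_start, gap_end, len(tail))
    return prefix + byte_range.ljust(width) + suffix + contents + tail

if __name__ == "__main__":
    original = build_sample()
    resaved = original + b"2 0 obj\n<< >>\nendobj\n%%EOF\n"   # constructed incremental save
    edited = original.replace(b"%PDF-1.7", b"%PDF-1.4")        # change inside the signed bytes
    for name, data in [("original", original), ("resaved", resaved), ("edited", edited)]:
        r = check_byte_ranges(data)[0]
        print(name, r["bytes_after_signed_range"], r["signed_sha256"][:16])
```

In a document with several signatures, only the last one is expected to reach the end of the file, so a non-zero bytes_after_signed_range on an earlier signature is normal.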