FreeSign

Privacy-First PDF Sealing Architecture

The PDF never leaves your browser. The server witnesses the ceremony — it never sees the document.

Privacy first · Zero-document worker · Court-ready evidence
Browser (private zone) — the PDF bytes never leave this device.

1. Drop the PDF. The browser computes document_sha256 locally. The file is never uploaded.

2. Prove identity. Enter the emailed one-time code — or, for a returning signer, tap a saved passkey.

3. Sign the payload. WebCrypto ECDSA P-256 signs the canonical consent payload in memory.

4. Stamp the PDF. A signature revision is appended (revision 2); the browser computes byterange_sha256.

5. Embed the seal. The CMS is embedded into the signature; a /DSS revision is appended when configured. Sealed PDF downloaded.

Crosses the boundary ↓ (one line per browser step):
document_sha256
OTP code · passkey assertion
payload + signature
byterange_sha256
CMS bytes + DSS material
Worker (Cloudflare Worker) — a witness. It never receives PDF bytes.

1. Create the envelope. Stores the document hash and binds the browser's session public key — write-once.

2. Verify identity. Checks the OTP + Turnstile, or the WebAuthn assertion against the registered passkey.

3. Record the receipt. Stores the signature receipt and extends the per-envelope audit hash chain.

4. Run the seal pipeline. Mints an ephemeral leaf cert under the FreeSign CA, builds the CMS (PAdES-B-T), adds an RFC 3161 timestamp, submits OpenTimestamps.

5. Persist the evidence. Writes the seal, certificates and anchor row to D1. No PDF bytes are ever stored.

External trust: dependencies & independent trust roots the worker calls out to.

Cloudflare D1 (every worker step). Evidence store — envelopes, receipts, the audit chain and anchor rows.

Mailgun + Turnstile (step 2). Identity gate — one-time-code email delivery and a bot challenge.

Google Cloud HSM (step 4 — seal). Holds the Signing-CA private key; signs each leaf TBSCertificate. The key never leaves the HSM.

DigiCert TSA (step 4 — seal). RFC 3161 trusted timestamp — upgrades the seal to PAdES-B-T.

OpenTimestamps (step 4 → 5). Independent timestamp proof, later upgraded to a Bitcoin block anchor.

What crosses the trust boundary

Between the browser and the worker: only hashes, payloads, signatures, OTP codes / passkey assertions and the finished CMS. The PDF's bytes never cross — the document is read, hashed, stamped and sealed entirely in the browser.

Why it holds

The PDF stays in your browser the whole time.

The worker witnesses the ceremony but never sees document content.

Sealed and timestamped under multiple independent trust roots.

An ESIGN / UETA / eIDAS Art. 26 advanced-signature evidence package.

What you receive

Sealed PDF + evidence

A standard PAdES-B-T PDF. Inside it: the CMS signature, the RFC 3161 timestamp, the per-user certificate chain, the embedded evidence JSON, the OpenTimestamps proof, and — when the CA CRL is configured — a /DSS dictionary for long-term validation. The OpenTimestamps proof is embedded in the seal by default (OTS_EMBED_IN_CMS) and is also downloadable on its own.

End-to-end privacy · Cryptographic integrity · Multi-rooted trust · Court-ready evidence

Reflects the FreeSign sealing architecture as of 2026-05-20. Browser lane → public/main.js, public/pdf-seal.js  ·  Worker lane → src/index.js, src/seal-pipeline.js, src/signing-ca.js  ·  External trust → wrangler.jsonc, src/ots.js. Full diagram set: docs/ARCHITECTURE-DIAGRAMS.md.