Signature PDF

A self-hosted PDF signing tool, honestly reviewed. No marketing fluff.

TL;DR

• What it is: Free, open-source (AGPL-3.0) web application for signing, organizing, and compressing PDFs — no user accounts required, no per-signature pricing, no vendor lock-in [README].
• Who it’s for: Solo founders, freelancers, and small teams who sign documents occasionally and refuse to pay $15–25/month per seat to DocuSign or Adobe Sign for a task that is, mechanically, not that complicated.
• Cost savings: DocuSign Standard runs $25/user/month. Signature PDF self-hosted costs nothing beyond a VPS ($5–6/month). Free public instances exist for zero infrastructure cost [README].
• Key strength: Exceptionally minimal friction. No account, no onboarding funnel, no credit card. Upload a PDF, draw a signature, download. Two minutes, done.
• Key weakness: No audit trail, no legally binding compliance infrastructure, no API. If you’re signing contracts where the signing process itself could be disputed — think employment agreements, real estate, or anything where identity verification matters — this is not the right tool [1].

---

What is Signature PDF

Signature PDF is a free web application built by 24ème, a French software cooperative, for signing and manipulating PDFs in a browser. The GitHub description is plainspoken: “Free open-source web software for signing PDF (alone or with others) and also organize pages, edit metadata and compress PDF” [README]. That is the entire pitch.

What it deliberately isn’t: a document management platform, a contract lifecycle system, or a compliance tool. There is no account creation, no document storage by default, no audit logs, no per-signature pricing. You open the URL, upload a PDF, add your signature, and download the result.

The project sits at 753 GitHub stars — modest by open-source standards — but has accumulated a network of 16 self-hosted public instances across France and Belgium, including framapdf.org, operated by Framasoft, the well-known French nonprofit behind Framapad and other open alternatives [README]. That roster of trusted community operators is a more meaningful signal than star count: people who run public services for others don’t stake their reputation on unstable software.

The license is AGPL-3.0 [README]. For personal self-hosting or internal business use, this means nothing practically — you run it freely. If you wanted to wrap it into a commercial SaaS product you sell to others, you’d need to publish your modifications under the same license.

---

Why people choose it

The comparison isn’t against other self-hosted PDF tools. It’s against DocuSign, Adobe Sign, Dropbox Sign (HelloSign), and Signaturely — the category of SaaS services that charge monthly per-user fees to do what is, at its core, a fairly simple task.

Electronic signature platforms exist along a spectrum [1]. At one end: a drawn signature dropped onto a PDF, which is legally valid in most commercial contexts. At the other end: a cryptographically sealed document with timestamped audit trails, verified signer identity, and compliance documentation that would survive court scrutiny. SaaS platforms like DocuSign charge as if every signing event needs to be at the high end of that spectrum. For most routine business documents — freelance contracts, NDAs with known counterparties, internal approvals — that’s overcorrecting, and paying for infrastructure you won’t use [1][2].

That disconnect drives people to Signature PDF. The second driver is privacy: when you sign through a cloud-based signature platform, your document content passes through that vendor’s servers. For commercially sensitive agreements, that’s a genuine concern. With Signature PDF, documents are processed in-memory only by default and never stored on the server [README]. No document retention policy to read, no vendor to breach.

The third driver is zero friction for recipients. Most SaaS signature tools require the signer to create an account or navigate a platform designed to convert them into a customer. Signature PDF’s multi-party signing mode works via shared links — the recipient gets a URL, opens it in their browser, signs, and is done. No registration [README][website].

---

Features

The feature list is narrow but well-executed. From the README and website:

Signing:

• Draw, upload, or type a signature
• Add initials, a stamp, or typed text at any position
• Strike through existing text
• Add a watermark
• Multi-person signing via shared link (requires server storage configuration)
• Server certificate signing — cryptographic digital signature, verifiable by PDF readers, requires additional setup [README]

Organization:

• Merge multiple PDFs
• Reorder, extract, rotate, delete pages
• Change or standardize paper size
• Generate a booklet layout
• Convert images to PDF [website]

Metadata:

• Add, edit, or remove PDF metadata fields (title, author, subject, etc.) [website]

Compression:

• Compress and reduce PDF file size [website]

The distinction between an electronic signature (your name drawn or typed on a document) and a digital signature (cryptographically bound to a certificate, mathematically linked to the signer’s identity) matters when evaluating this tool [1]. By default, Signature PDF produces electronic signatures. The server certificate feature adds genuine digital signatures, but enabling it requires installing poppler-utils and libnss3-tools on the server and running a certificate generation script [README]. It works — it’s just not automatic.

Multi-signature mode is the most practical workflow feature. Multiple parties can sign a document sequentially or in parallel via a shared link. Enabling it requires configuring PDF_STORAGE_PATH in config/config.ini and granting the web server write permissions to that directory [README]. You can optionally enable GPG encryption of stored documents — stored PDFs are encrypted with a symmetric key known only to the signers [README]. Neither feature is enabled by default, which is a sensible privacy-first choice.

---

Pricing: SaaS vs self-hosted math

Signature PDF is free software. There are no pricing tiers, no usage limits, no envelopes.

Two deployment options:

1. Use an existing public instance (pdf.24eme.fr, framapdf.org, and 14 others) — $0, zero infrastructure required [README]
2. Self-host your own instance — $0 software cost, ~$5–6/month for a VPS

What the SaaS alternatives cost [5]:

Tool	Approx. monthly cost	Annual
DocuSign Standard	~$25/user	~$300/year
Adobe Acrobat Sign (entry)	~$23/user	~$276/year
Dropbox Sign (Standard)	~$20/user	~$240/year
Signaturely (Personal)	~$20/user	~$240/year
Signature PDF (public instance)	$0	$0
Signature PDF (self-hosted)	~$5–6 (VPS)	~$60–72

For a solo founder or freelancer sending 10–20 contracts a month, the annual savings from switching is $180–$300 against the cheapest SaaS competitors. Over three years, that’s close to $1,000 for functionality a $6 VPS provides.

The caveat on public instances: you’re trusting a third-party server with your document content, even if the operator is a reputable nonprofit. For anything commercially sensitive, self-hosting is the correct call.

---

Deployment reality check

Signature PDF runs on PHP and deploys via Debian/Ubuntu package, Docker (xgaia/signaturepdf), or Alpine Linux [README]. No database required for basic operation. No Redis. No Node.js runtime. This is a PHP application with file system state, which makes it genuinely simple to run.

What you actually need:

• A Linux VPS with 512MB–1GB RAM
• Docker, or a PHP-capable web server (Apache, nginx)
• A domain name and reverse proxy for HTTPS
• Optional: poppler-utils + libnss3-tools if you want cryptographic digital signatures [README]
• Optional: gpg if you want encrypted document storage [README]

What can go sideways:

• Multi-signature storage is manual. Setting PDF_STORAGE_PATH and configuring filesystem permissions is a documented step, not automatic [README]. If you skip it, multi-party signing silently doesn’t persist documents.
• Digital signature setup has real steps. The README includes a shell script (create_nss_certs.sh) that generates the NSS certificate database, but you still need to understand what you’re doing with certificate nicknames and passwords [README]. Not hard, just not automatic.
• No documented retention policy. If you enable multi-signature storage, the README doesn’t specify automatic cleanup. You’ll want a cron job to purge old files if storage is a concern.
• No horizontal scaling documentation. For a tool processing potentially sensitive documents, high availability matters — but the project documentation doesn’t address this.

Realistic time estimate for a technical user: 20–30 minutes on a fresh VPS with Docker. For someone following a guide: 1–2 hours including domain setup and HTTPS. If you’ve deployed a Dockerized PHP application before, nothing here is new.

---

Pros and Cons

Pros

• Zero cost for basic use. Public instances are free; self-hosting costs only the VPS [README].
• No account required for signers. Multi-signature workflows run via shared link — counterparties don’t register anywhere [README][website].
• Privacy-preserving by default. Documents are processed in-memory only unless you explicitly configure server storage [README].
• Broad PDF manipulation. Beyond signing, it replaces several separate tools: PDF merger, page organizer, metadata editor, compressor [website].
• GPG-encrypted document storage. For multi-party signing, stored PDFs can be encrypted with a key only the signers hold [README].
• 16 community-operated public instances. Including Framasoft’s instance — the operator reputation is genuine [README].
• Lightweight. PHP with no database dependency runs fine on the smallest VPS tier.
• Active translation via Weblate. Community translations indicate ongoing maintenance beyond the French-language origin [README].

Cons

• No audit trail. No timestamps, IP logging, or identity verification. You get a PDF with a drawn signature — not a legally defensible record in the way DocuSign’s sealed audit export is [1][2].
• Cryptographic signatures require manual setup. The server certificate feature requires system package installs and NSS certificate generation — not automatic, not documented for non-technical users [README].
• No API. No REST endpoints, no webhooks, no programmatic document dispatch or status queries. You cannot trigger this from a CRM or workflow tool.
• Small community (753 stars). The contributor base is narrow. Maintenance has been consistent but this is not a project with hundreds of active contributors.
• AGPL-3.0 complicates commercial embedding. Wrapping this into a product you sell requires open-sourcing your modifications — less permissive than MIT [README].
• No mobile app. Browser signing on mobile works but there is no native iOS or Android application.
• French-origin documentation. The homepage is in French; English README exists, but community resources may assume French-language context.
• No bulk sending. You cannot send the same document to a list of signers simultaneously [3].

---

Who should use this / who shouldn’t

Use Signature PDF if:

• You’re a freelancer or solo founder currently paying $15–25/month for DocuSign or HelloSign to sign a handful of contracts, and the audit trail isn’t something you actually need.
• You want document privacy — no third-party cloud vendor holding copies of your agreements.
• You want zero friction for counterparties — no account creation, just a link.
• You’re comfortable with Docker deployment, or willing to use an existing public instance.
• Your signing use case is simple: freelance agreements, NDAs between known parties, internal approvals.

Skip it (use DocuSign, Dropbox Sign, or Signaturely) if:

• You need legally defensible e-signatures with a sealed audit trail — timestamps, IP records, identity verification, chain of custody documentation [1][2].
• Your contracts are high-value and your lawyers will scrutinize the signing record.
• You need API access to automate document sending from your CRM, HR system, or workflow tool.
• You need bulk sending to many recipients [3].
• Your industry requires ESIGN Act, eIDAS, or specific compliance certifications from your signature vendor.

Skip it (look at LibreSign or Docuseal) if:

• You want self-hosted e-signatures with proper audit infrastructure and API access. LibreSign (Nextcloud-based) and Docuseal (MIT-licensed, API-first) cover more ground on the compliance side while still being open source.

---

Alternatives worth considering

• DocuSign — the category leader. Best audit trail, most integrations, most expensive. Appropriate for high-stakes legal contracts [5].
• Dropbox Sign (HelloSign) — simpler than DocuSign, ESIGN-compliant with audit trail, integrates with the Dropbox ecosystem. ~$15–20/user/month.
• Signaturely — competitive pricing among SaaS options, ESIGN-compliant, good template library [2][3].
• Docuseal — open-source (MIT), self-hostable, includes API, email delivery, template builder. More infrastructure than Signature PDF but closer to a complete signing platform.
• LibreSign — open-source, built on Nextcloud, includes digital certificates and audit trails. Heavier setup, more compliance coverage.
• Stirling PDF — if PDF manipulation (merge, split, compress, rotate) is primarily what you need and signing is secondary, Stirling PDF has a larger organizational feature set.

The practical shortlist for escaping SaaS costs: Signature PDF if simplicity and privacy are the goals and audit trails aren’t needed. Docuseal if you want self-hosted with API and audit infrastructure. DocuSign if you need vendor-backed compliance for legally sensitive documents.

---

Bottom line

Signature PDF does exactly what it says it does: lets you sign a PDF in a browser with no account, no monthly bill, and no document retention by default. For solo founders currently paying DocuSign $25/month to sign a handful of NDAs and freelance contracts, the math is straightforward — you’re paying for compliance infrastructure that most routine business documents don’t require [1][2]. The tool is genuinely simple, the Docker deployment is low-complexity, and the Framasoft-hosted public instance gives you a zero-infrastructure option if you trust the operator. The limits are equally clear: no audit trail, no API, no compliance certification. Use it for the contracts that don’t need those things — which is most of them — and keep a DocuSign account for the ones that do.

If deploying the self-hosted instance is the blocker, that’s exactly the kind of one-time setup that upready.dev handles for clients.

---

Sources

1. Will Cannon, Signaturely — “5 Types of Signatures and When to Use Them” (Feb 20, 2024). https://signaturely.com/types-of-signatures/
2. Signaturely — “Free Electronic Signatures to eSign Online”. https://signaturely.com/electronic-signature/
3. Signaturely — “How Electronic Signatures Work”. https://signaturely.com/how-electronic-signatures-work/
4. Will Cannon, Signaturely — “Witness Signatures & When to Use Them” (Jul 11, 2025). https://signaturely.com/witness-signature-meaning/
5. Will Cannon, Signaturely — “Signeasy vs. DocuSign: Comparison Guide for 2025” (Jun 17, 2025). https://signaturely.com/signeasy-vs-docusign/

Primary sources:

• GitHub repository and README: https://github.com/24eme/signaturepdf (753 stars, AGPL-3.0 license, 24ème cooperative)
• Official hosted instance: https://pdf.24eme.fr
• Framasoft public instance: https://framapdf.org/home