@dotit/pades

v1.0.1

PAdES (PDF Advanced Electronic Signatures) for IntentText — export a sealed .it as a digitally-signed PDF (ECDSA P-256 + X.509 + CMS) that Adobe/readers recognize. The standards bridge on top of @dotit/sign's native Ed25519 trust.

Readme

@dotit/pades

PAdES (PDF Advanced Electronic Signatures) for IntentText — export a sealed .it document as a digitally-signed PDF that Adobe Reader, courts, banks, and government portals recognize.

It's the standards bridge on top of IntentText's native trust: a .it stays Ed25519-signed and queryable (@dotit/sign); the exported PDF carries an X.509 / CMS PAdES signature the outside world auto-accepts. The two coexist.

  • Algorithm: ECDSA P-256 + X.509 + CMS/PKCS#7 (ETSI.CAdES.detached). (Adobe doesn't validate Ed25519 PDF signatures — hence X.509 here.)
  • Levels: PAdES-B (baseline) and PAdES-T (with an RFC-3161 trusted timestamp — proves when).
  • Trust: self-signed for dev, or a real X.509 chain to a CA root (the UTS authority).
  • Runtime: Node 18+ (uses built-in WebCrypto; no native crypto deps). ESM.

npm i @dotit/pades

Quickstart — issue a signed PDF (server)

The easiest path is via @dotit/pdf, which renders the .it then signs the PDF:

import { renderSignedPDF } from "@dotit/pdf";
import { generateSelfSignedCert } from "@dotit/pades";

const id = await generateSelfSignedCert({
  commonName: "Dalil Technology",
  organization: "Dalil",
});

const signedPdf = await renderSignedPDF(sealedItSource, {
  executablePath: process.env.CHROME_PATH, // puppeteer-core needs a Chrome
  signer: {
    certPem: id.certPem,
    privateKeyPem: id.privateKeyPem,
    name: "Dalil Technology",
    reason: "Issued invoice",
    tsaUrl: "http://timestamp.digicert.com", // optional → PAdES-T
  },
});
// signedPdf: Uint8Array — opens in Adobe as a digitally-signed document.

Sign an existing PDF buffer

import { signPdfWithPem, verifyPdfSignature } from "@dotit/pades";

const signed = await signPdfWithPem(pdfBytes, {
  certPem,
  privateKeyPem,
  name: "Sarah Al-Ahmad",
  tsaUrl: "http://timestamp.digicert.com", // optional
});

const info = await verifyPdfSignature(signed);
// { present, valid, coversWholeFile, signerCommonName, signedAt,
//   timestamped, timestampTime, chainValid }
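
The coversWholeFile field matters because a detached CMS signature only protects the bytes named in the PDF's /ByteRange, so anything outside those ranges can change without invalidating it. The following is an added example, not code from @dotit/pades, showing one way to check that coverage; checkByteRange and buildSample are hypothetical names, the sample bytes are constructed, and it assumes a single signature located by text search.

```javascript
// Added example, not @dotit/pades source. Assumes a single signature and finds
// /ByteRange by text search instead of parsing PDF objects.
function checkByteRange(pdf) {
  const text = pdf.toString("latin1"); // one char per byte, so offsets line up
  const m = /\/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]/.exec(text);
  if (!m) return { present: false, coversWholeFile: false, reason: "no /ByteRange" };
  const [a, b, c, d] = m.slice(1).map(Number);
  const fail = (reason) => ({ present: true, coversWholeFile: false, reason });

  if (a !== 0) return fail("signed range does not start at byte 0");
  if (c < a + b || c > pdf.length) return fail("ranges overlap or run past the file");
  if (c + d !== pdf.length) return fail("bytes exist after the signed range");

  // The only unsigned bytes must be the hex string that holds the CMS blob.
  const gap = text.slice(a + b, c);
  if (!/^<[0-9A-Fa-f]*>$/.test(gap)) return fail("unsigned gap is not just /Contents <hex>");
  return { present: true, coversWholeFile: true, reason: "ok" };
}

// Constructed sample: a PDF-shaped byte string with a self-consistent ByteRange.
// gapShift > 0 starts the unsigned gap early, leaving non-signature bytes unsigned.
function buildSample(gapShift = 0) {
  const pre = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached /ByteRange [0 ";
  const mid = "] /Contents ";
  const contents = "<" + "ab".repeat(16) + ">"; // stand-in for the hex-encoded CMS
  const tail = " >>\nendobj\n%%EOF\n";
  const pad = (n) => String(n).padEnd(10); // fixed-width slots, like a signing placeholder
  const contentsAt = pre.length + 32 + mid.length; // three 10-char slots + 2 spaces
  const c = contentsAt + contents.length;
  const range = [contentsAt - gapShift, c, tail.length].map(pad).join(" ");
  return Buffer.from(pre + range + mid + contents + tail, "latin1");
}

const signed = buildSample();
// Incremental update appended after signing: the old signature still verifies
// over its ByteRange, but no longer covers everything a reader displays.
const appended = Buffer.concat([
  signed,
  Buffer.from("5 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n", "latin1"),
]);

console.log(checkByteRange(signed).reason);
console.log(checkByteRange(appended).reason);
console.log(checkByteRange(buildSample(4)).reason);
```

A verifier should treat a cryptographically valid signature with failed coverage as untrusted for the document as displayed.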

Signing identity (persist + reuse)

generateSelfSignedCert returns PEM strings — store them securely (e.g. the OS keychain) and reload with signerFromPem:

import { generateSelfSignedCert, signerFromPem } from "@dotit/pades";

const id = await generateSelfSignedCert({ commonName: "Acme Corp" });
// keep id.certPem + id.privateKeyPem  (private key → keychain / KMS)
const signer = await signerFromPem(id.certPem, id.privateKeyPem);

Trusted identity — a CA chain (UTS-as-CA)

A self-signed cert is cryptographically valid but shows as "identity not trusted" until the verifier installs it as trusted. To avoid that, issue signer certs from a CA whose root your verifiers already trust:

import { createCertificateAuthority, issueCertificate, signPdf, verifyPdfSignature } from "@dotit/pades";

const root = await createCertificateAuthority({ commonName: "UTS Root CA", organization: "UTS" });
// keep root.privateKeyPem OFFLINE

const signer = await issueCertificate({
  issuer: { certificate: root.certificate, privateKey: root.privateKey },
  commonName: "Dalil Technology",
});

const signed = await signPdf(pdfBytes, {
  certificate: signer.certificate,
  privateKey: signer.privateKey,
  chain: signer.chain,          // embeds the CA cert(s) in the signature
});

const info = await verifyPdfSignature(signed, { trustedRoots: [root.certificate] });
// info.chainValid === true

For production, keep the root key offline and issue an intermediate (issueCertificate({ ..., isCa: true })) for online signing.

API

| Function | Purpose |
|---|---|
| generateSelfSignedCert(opts) | ECDSA P-256 self-signed cert + key (PEM/DER) |
| createCertificateAuthority(opts) | a CA root/intermediate (cA:true) |
| issueCertificate({ issuer, commonName, isCa? }) | CA-signed cert + chain |
| signerFromPem(certPem, keyPem) | load a signer from PEM |
| signPdf(pdf, { certificate, privateKey, chain?, tsaUrl? }) | PAdES-sign a PDF |
| signPdfWithPem(pdf, { certPem, privateKeyPem, tsaUrl? }) | sign via PEM identity |
| verifyPdfSignature(pdf, { trustedRoots? }) | verify (signature, whole-file, timestamp, chain) |
| requestTimestampToken(data, tsaUrl) | low-level RFC-3161 timestamp |
| signDetachedCms / verifyDetachedCms | low-level CMS over arbitrary bytes |
| PUBLIC_TSA | { digicert, sectigo, swisssign } free TSA URLs |

Standards

PAdES-B-B / PAdES-B-T (ETSI EN 319 142), CMS (RFC 5652) with ESS signing-certificate-v2 (RFC 5035), RFC-3161 timestamps, X.509 (RFC 5280), ECDSA P-256 (FIPS 186-4). Built on pkijs + @signpdf + Node WebCrypto.

License

MIT