Optionalname/Name — human-readable signer name.
Optionalreason/Reason — why the document is being signed.
Optionaldate/M — signing time as a PDF date string, e.g. D:20260616120000Z.
Optionallocation/Location — physical or logical signing location.
Optionalcontact/ContactInfo — how to reach the signer.
TSA endpoint URL, e.g. "https://freetsa.org/tsr".
OptionaltsaOptional override for the TSA round trip — lets the host add auth headers,
proxies, retries, and apply its own SSRF allow-list (the engine only
emits the request; the URL is host-supplied). Receives the TimeStampReq
DER and the URL, must resolve to the raw TimeStampResp bytes. When omitted,
defaultTsaPost POSTs application/timestamp-query via fetch.
Optionalp12PKCS#12 identity bytes. Omit to sign with a generated self-signed ID.
OptionalpasswordPKCS#12 passphrase.
OptionalrandomSelf-signed path: ≥ 256 bytes from crypto.getRandomValues.
OptionalkeySelf-signed path: RSA modulus size in bits (default 2048).
OptionalnotSelf-signed path: certificate notBefore, UTCTime YYMMDDHHMMSSZ.
OptionalnotSelf-signed path: certificate notAfter, UTCTime YYMMDDHHMMSSZ.
OptionalnonceOptional 8–16 random bytes echoed by the TSA (request/response correlation).
OptionalarchiveAdd a B-LTA document timestamp over the whole file (DSS included) after
the DSS. Requires a second TSA round trip. Default false (B-LT only).
OptionalrevocationOverride the OCSP round trip — receives the DER OCSPRequest and the
responder URL, must resolve to the raw OCSPResponse bytes. When omitted,
defaultOcspPost POSTs application/ocsp-request via fetch. Throw to
skip an unreachable responder (the DSS is built from whatever succeeds).
OptionalcrlOverride the CRL fetch — receives the CRL distribution-point URL, must
resolve to the raw CertificateList (CRL) bytes. When omitted,
defaultCrlGet GETs the URL. Throw to skip an unreachable CRL.
Options for GigaPdfDoc.signLtv — a PAdES long-term validation signature: a B-T signature, then a
/DSS(Document Security Store) carrying the certificate chain + OCSP/CRL revocation material the host fetched (B-LT), optionally finished with a document timestamp over the whole file (B-LTA).Extends SignTsaOptions: the B-T signature is produced exactly as GigaPdfDoc.signTimestamped, then the LTV material is added. The OCSP/CRL URLs come from the certificates, so the host fetches them — supply
revocationFetch/crlFetchto add auth, proxies, or an SSRF allow-list (the engine only computes which URLs to fetch).