Optionalname/Name — human-readable signer name.
Optionalreason/Reason — why the document is being signed.
Optionaldate/M — signing time as a PDF date string, e.g. D:20260616120000Z.
Optionallocation/Location — physical or logical signing location.
Optionalcontact/ContactInfo — how to reach the signer.
TSA endpoint URL, e.g. "https://freetsa.org/tsr".
OptionaltsaOptional override for the TSA round trip — lets the host add auth headers,
proxies, retries, and apply its own SSRF allow-list (the engine only
emits the request; the URL is host-supplied). Receives the TimeStampReq
DER and the URL, must resolve to the raw TimeStampResp bytes. When omitted,
defaultTsaPost POSTs application/timestamp-query via fetch.
Optionalp12PKCS#12 identity bytes. Omit to sign with a generated self-signed ID.
OptionalpasswordPKCS#12 passphrase.
OptionalrandomSelf-signed path: ≥ 256 bytes from crypto.getRandomValues.
OptionalkeySelf-signed path: RSA modulus size in bits (default 2048).
OptionalnotSelf-signed path: certificate notBefore, UTCTime YYMMDDHHMMSSZ.
OptionalnotSelf-signed path: certificate notAfter, UTCTime YYMMDDHHMMSSZ.
OptionalnonceOptional 8–16 random bytes echoed by the TSA (request/response correlation).
Options for GigaPdfDoc.signTimestamped — a PAdES-B-T signature with an RFC 3161 trusted timestamp embedded in the SignerInfo (
ETSI.CAdES.detachedsubfilter,signing-certificate-v2signed attribute,id-aa-timeStampTokenunsigned attribute).The signing identity is either an imported PKCS#12 (
p12+password) or, ifp12is omitted, a freshly generated self-signed digital ID (random+notBefore/notAfter).