Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| At least one signature has problems | Yellow banner across the top of Adobe Acrobat / Reader | — |
| The signer's identity is unknown because it has not been included in your list of trusted certificates | Signature Properties dialog → Summary tab | — |
| Document has not been modified since the signature was applied / Document has been altered or corrupted | Signature Properties dialog (mutually exclusive — both are diagnostic) | — |
Why Acrobat flags a signature as invalid
Adobe Acrobat validates two independent things at open time: byte-integrity of the signed region (the document hasn't been altered) and trust of the signing certificate (the chain resolves to a root in Acrobat's own trust store, the AATL, or the Windows / macOS system store, depending on preferences).
Either check failing produces the same yellow banner, but the inner dialog tells you which one. The fix path is different for each — never apply trust-chain steps when the real problem is post-signing alteration.
Windows vs macOS — what differs
Windows 10 / 11
- Acrobat optionally reads the Windows certificate store ('Windows Integration' in preferences). Disabled by default in enterprise installs.
- Root certificates installed via certmgr.msc are not honored by Acrobat unless Windows Integration is enabled.
- AATL refresh runs in the background; check Edit → Preferences → Trust Manager → 'Update Now' to force a pull.
macOS Sonoma / Sequoia
- Acrobat on macOS does not read the system Keychain by default. Trust must be set in Acrobat itself or via AATL.
- macOS Gatekeeper sometimes quarantines downloaded .cer files — run 'xattr -d com.apple.quarantine <file>.cer' before import.
- On Sonoma/Sequoia, Acrobat ships its own NSS-style PKCS#11; vendor tokens may need their .dylib explicitly loaded.
Browser-specific behaviour
Chrome
Chrome's built-in PDF viewer does not perform signature validation. A signature that looks 'invalid' in Chrome may be valid — open in Acrobat to confirm.
Edge
Edge's PDF viewer shows a basic 'signed' badge but does not chain-validate. Use Acrobat for verdicts.
Firefox
pdf.js does not validate signatures; treat its output as informational only.
Safari
Safari's PDF preview shows the signature glyph without validation; right-click → Open With → Adobe Acrobat for an authoritative check.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Open Signature panel (left rail) and expand the signature
Expected: See 'Signature is valid' / 'Signature validity is unknown' / 'Document has been altered'.
2. Right-click signature → Show Signature Properties
Expected: Summary tab states which of the two checks failed.
3. Show Signer's Certificate → Trust tab
Expected: Either 'This certificate is trusted for signing documents' or 'Not Trusted'. If not trusted but you recognise the CA, proceed to AATL refresh.
4. Edit → Preferences → Trust Manager → Update Now
Expected: AATL list refreshes; banner clears for any AATL-anchored signature after reopen.
5. Edit → Preferences → Signatures → Verification → More → enable 'Use expired timestamps'
Expected: Signatures signed with now-expired timestamp authorities re-validate against the timestamp at signing time.
Frequently asked questions
Why does the same PDF show valid on one machine and invalid on another?
Trust stores differ. The valid machine has either the signer's CA in its AATL, the root in its Windows/macOS store with Windows Integration enabled, or has explicitly trusted the signer. The invalid machine has none of those — the document is fine.
Does 'Use expired timestamps' weaken security?
No, when used correctly. It tells Acrobat to validate the signature against the certificate state at the time the timestamp authority signed, not 'now'. This is the standard behaviour for long-term archival signatures (PAdES-LTV).
Why does Acrobat say 'document has been altered' for a PDF I haven't touched?
Cloud storage clients (OneDrive, Dropbox, Google Drive) sometimes rewrite metadata blocks on sync. Re-download the file directly from the signer rather than from a synced folder, or ask the signer to re-issue without flattening.
What is the AATL?
Adobe Approved Trust List — a curated list of CAs whose roots Acrobat trusts automatically. It refreshes silently every 30 days; a freshly installed Acrobat with no internet has an empty AATL and will distrust most signatures until it can update.
Related services
Explore the consulting hub for this issue, or review session pricing.
Still seeing this error?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Book a $49 Zoom diagnostic →Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.