iText 7 Core: enabling Sign with SingPass integration for secure document signing
How Dedoco uses iText to integrate Sign with SingPass capabilities into their innovative blockchain-based document signing platform for end-to-end digital signing, encryption and sharing of documents.
Dedoco is a Singapore-based company that has developed a decentralized, digital signing and document solution. The Dedoco platform allows end-to-end digital signing, encryption and sharing of documents. Built with the aim of improving efficiency and compliance, whilst ensuring document security and enhanced privacy, Dedoco aims to help enterprises digitize documents and signing with a SaaS that can be adopted across all industries using an easy-to-use API.
The platform is built around the notions of Privacy, Trust and Security; and aims to be more than just a digital signing solution. Unlike similar solutions, their decentralized architecture does not store an additional copy of your documents on their servers or have access to them. Business workflows are also configured by the user and managed end-to-end via smart contracts, which provides both automation and tamper-proofing functions. Whether you need a single document and signature to a more complex workflow with multiple document sequences and signers, these are all covered via Dedoco’s solution.
With their existing solution already offering electronic signing capabilities, Dedoco wanted to add support for the newly-introduced Sign with SingPass service, which allows users of the SingPass mobile app to digitally sign contracts, agreements and other legal documentation. This is part of Singapore’s National Digital Identity (NDI) platform, which is building a trusted digital identity ecosystem for citizens, public agencies and private sector companies.
To achieve this goal, Dedoco needed to interact with and call the NDI endpoints in order to retrieve and store the data required to authorize transactions. In addition, they had to generate and work with PAdES-compliant PDFs to meet the standards required for the Singapore government.
Since Dedoco was still building their platform when Sign with SingPass was introduced, it seemed a good opportunity to allow this functionality in addition to their electronic signing solution. However, being one of the first digital signing partners to support this feature meant a steep learning curve.
When the Government Technology Agency of Singapore (GovTech) was developing the NDI platform, they partnered with iText to develop an SDK and example code for developers to use when creating their own solutions for platform integration. Sign with SingPass utilizes PDF digital signatures, which are a key part of iText’s capabilities. So, when Dedodo was working with them to integrate Sign with SingPass before for its launch in November 2020, GovTech introduced them to iText.
“That’s really how we started using iText” says Dr. Ernie Teo, a co-founder of Dedoco. “We’re a relatively young company, and I think we had just passed our one-year anniversary when Sign with SingPass was introduced. Being a Singapore-based company, we needed to work with digital signatures to integrate with SingPass and generate PAdES-compliant documents, and so we use the iText PDF library to generate the PDFs and store the user certificates and digital signatures into them.”
We had quite a lot of valuable help from the iText team in supporting us.
Dr. Ernie Teo, Co-Founder & CTO, Dedoco.
Being a well-established solution for implementing digital signatures in PDF documents, using iText for its reference implementation was a natural choice for GovTech, and at their Stack 2020 conference iText presented the "Signing Documents for a Smarter Nation" workshop, where we demonstrated building a sample application that interacts with the NDI API to allow an authenticated and authorized user to digitally sign a contract.
However, when the conference was held in December of 2020, Dedoco’s implementation was already completed. How did they achieve this so quickly? “We had quite a lot of valuable help from the iText team in supporting us” laughs Ernie. “It was a learning curve because Sign with SingPass is such a special case, and we were not really familiar with the iText PDF library at that time.”
Dedoco initially began development of Sign with SingPass integration in October of 2020, and quite early on hit a roadblock in terms of producing PAdES documents. However, once GovTech introduced them to iText, it was plain sailing from then on with the implementation being completed in around a month.
How it works
By integrating Sign with SingPass directly into the Dedoco platform, this means anyone with an account can create a Sign with SingPass request for any document, which can then be sent out to anyone who needs to sign to authorize it. Since your documents are not uploaded to Dedoco’s servers, only you and your intended recipients will see a document’s content. Instead, only a cryptographically random, unintelligible, and irreversible code (or hash) representing the signed document will be transferred during transactions. And of course, being on the Dedoco platform all documents are immutable, auditable and trackable.
Signing documents with SingPass in this way is remarkably simple. When a SingPass user has been requested to sign a document, they receive an email requesting them to review and sign the document. When they click the link in the email, the document is displayed in a browser window with a signature allocation. The user clicks the signature allocation, the document is prepared, and a popup appears to “Sign with SingPass”. Upon clicking the button, a QR Code and a 4-digit reference code is displayed. By scanning the QR code using the SingPass mobile app, the document reference number is matched, and the user is prompted to confirm and sign using their biometric information.
Once a user’s digital signature has been captured, they can then download the completed document as a PAdES-compliant PDF and a copy is also sent to the requester. Of course, this PDF generation process and insertion of the authorized and timestamped digital signature is handled by the iText PDF library.
Digital signatures are identifiable and uniquely linked to the signer. By using the “Sign with SingPass” feature, the signature is cryptographically linked to the signer and automatically validated at the point of signing. Since signed documents are PDFs, they are platform agnostic, and thus the validated signature can be viewed with the user’s preferred system. Digital signatures made with “Sign with SingPass” use certificates issued by ATS, the National Certification Authority which has received accreditation under Singapore’s Electronic Transactions Act Therefore, signatures made using “Sign with SingPass” will be regarded as secure electronic signatures, making them legally valid.
We are seeing more demand for digital signatures in this region, and this is something we will definitely use iText for.
Dr. Ernie Teo, Co-Founder & CTO, Dedoco.
Being one of the first providers to support Sign with SingPass (and the first blockchain-based solution) led to quite some publicity for Dedoco and interest from industry partners who wanted to use the feature.
One in particular is the global property firm ERA Realty Network, who are the industry-leading real estate brand in Singapore. They became the first private sector company to pilot the Sign with SingPass service by introducing the use of digital signatures for tenancy agreements. This helps its agents save time, as they will no longer need to meet property owners in person for signatures, and also has helped to minimize physical contact during the Covid-19 pandemic. To achieve this, Dedoco built a white-label custom solution where they package the specific library for the SingPass component as an instance for integration directly into ERA’s website.
And it doesn’t stop there, as Dedoco plans to extend their use of iText and digital signatures into its other solutions. “We are seeing more demand for digital signatures in this region, and this is something we will definitely use iText for.” says Ernie. “We are targeting to expand out of Singapore and to work with more Certificate Authorities in the region in terms of doing digital signing, such as in decentralized identity use cases. We’re looking at using that kind of framework for digital signing, and we will probably explore how to use iText in those cases.”
Dedoco is an API-first document infrastructure technology company that allows people to digitally transform their workflow without compromising their document security and data privacy. Headquartered in Singapore, Dedoco also has offices in Jakarta and the US. It offers tiered API integrations for enterprises and tiered subscription plans designed to accommodate everyone, from budding entrepreneurs to mid-cap companies. Their client base includes governments and public sectors, HR and recruitment, financial services, corporate secretary, and accounting and audit firms.