Delphi XAdES & PAdES Digital Signatures | sgcSign | eSeGeCe

XAdES & PAdES Digital Signatures in Delphi

sgcSign produces eIDAS-grade digital signatures from Delphi, C++Builder and .NET code: XAdES for XML, PAdES for PDF, CAdES for any binary content and ASiC containers to bundle documents with their signatures. All four AdES levels, 10 key providers and 21 pre-configured EU country profiles, with native CNG/BCrypt cryptography and no external DLLs.

Every ETSI format, B-B through B-LTA

One signing engine behind four signature families. Pick the format your regulator or counter-party expects; the profile does the rest.

A Delphi XAdES / PAdES digital signature component has one job: produce output that the receiving portal actually accepts. sgcSign covers the four ETSI signature families: XAdES (EN 319 132, XML), PAdES (EN 319 142, PDF), CAdES (EN 319 122, CMS/PKCS#7) and ASiC-S / ASiC-E containers (EN 319 162), at every AdES level from B-B (basic) through B-T (timestamped) and B-LT (long-term, with embedded chain and revocation data) up to B-LTA (long-term with archive timestamps).

Keys come from wherever yours live: local PFX/PKCS#12 and PEM files, the Windows certificate store, PKCS#11 smart cards and HSMs, or cloud services (Azure Trusted Signing, AWS KMS, Google Cloud KMS, HashiCorp Vault, Certum SimplySign, CSC v2 remote QTSPs). Every provider implements the same IsgcKeyProvider interface, so switching from a PFX file to a cloud HSM is a one-component change.

XAdES

Enveloped, enveloping and detached XML signatures: TsgcSignXML + TsgcSignProfile_XAdES

PAdES

PDF signatures with visible appearance, Adobe Acrobat compatible: TsgcSignPDF + TsgcSignProfile_PAdES

CAdES & ASiC

CMS/PKCS#7 signatures over any file, plus ZIP-based ASiC-S / ASiC-E containers

Compilers

Delphi 7 through RAD Studio 13, C++Builder and .NET

Built for EU compliance work

The pieces that turn a raw signature into a document a public administration accepts.

RFC 3161 timestamps

Point TSA.URL at any timestamp authority and levels B-T and above embed a signature timestamp automatically.

Long-term validation

For B-LT / B-LTA, OCSP.AutoFetch and CRL.AutoFetch retrieve and embed the full chain and revocation data, so the document verifies for years without network calls.

21 country profiles

VeriFactu, TicketBAI, Facturae, FatturaPA, KSeF, Factur-X / ZUGFeRD, e-Factura, SAF-T PT, Peppol and more. Each profile pre-tunes hash, canonicalization, level, timestamp and revocation policy for the target regulator.

Employment contracts

Nine EU employment-contract profiles (Germany, Italy, Spain, France, Austria, Belgium, Portugal, Netherlands, Poland) pre-set the AdES / QES level each jurisdiction expects.

Verification & reports

TsgcSignatureVerifier validates digests, chains, OCSP revocation and timestamps, and returns a structured report with the detected level, signer and status.

EU Trust List

TsgcEUTrustList parses the live LOTL and the per-Member-State Trusted Lists, so you can classify any certificate as eIDAS-qualified against the official EU registry.

Visible PDF signatures

Signer name, reason, location, contact info and a configurable signature rectangle on any page, compatible with Adobe Acrobat.

Native cryptography

Windows CNG/BCrypt under the hood. No OpenSSL DLL to deploy alongside your executable.

Library or server

The same engine ships as an in-process component library and as sgcSign Server, a self-hosted REST signing daemon for build farms and CI pipelines.

Sign an XML invoice, then a PDF

Load a key provider, configure a profile, sign. The same three-step pattern for every format.

uses
  sgcSign_KeyProvider_PFX, sgcSign_XML, sgcSign_Profile_XAdES;

var
  vKeyProvider: TsgcPFXKeyProvider;
  vProfile: TsgcSignProfile_XAdES;
  vSigner: TsgcSignXML;
  vXML, vSigned: string;
begin
  vXML := TFile.ReadAllText('invoice.xml', TEncoding.UTF8);

  vKeyProvider := TsgcPFXKeyProvider.Create(nil);
  vKeyProvider.FileName := 'certificate.pfx';
  vKeyProvider.Password := 'secret';
  vKeyProvider.LoadFromFile;

  vProfile := TsgcSignProfile_XAdES.Create(nil);
  vProfile.Level := xalT;            // or xalLT, xalLTA
  vProfile.Packaging := xpkEnveloped;
  vProfile.HashAlgorithm := shaSHA256;
  vProfile.TSA.URL := 'https://freetsa.org/tsr';

  vSigner := TsgcSignXML.Create(nil);
  try
    vSigner.KeyProvider := vKeyProvider;
    vSigner.Profile := vProfile;
    vSigned := vSigner.SignXML(vXML);
    TFile.WriteAllText('invoice-signed.xml', vSigned, TEncoding.UTF8);
  finally
    vSigner.Free;
  end;
end;
var
  vProfile: TsgcSignProfile_PAdES;
  vSigner: TsgcSignPDF;
begin
  vProfile := TsgcSignProfile_PAdES.Create(nil);
  vProfile.Level := palT;
  vProfile.HashAlgorithm := shaSHA256;
  vProfile.TSA.URL := 'http://timestamp.digicert.com';

  // Optional visible signature widget
  vProfile.SignatureField.Visible := True;
  vProfile.SignatureField.Page := 1;
  vProfile.SignatureField.Rect := Rect(50, 50, 250, 120);
  vProfile.SignatureField.Reason := 'Approved';
  vProfile.SignatureField.Location := 'Madrid';

  vSigner := TsgcSignPDF.Create(nil);
  try
    vSigner.KeyProvider := vKeyProvider;
    vSigner.Profile := vProfile;
    vSigner.SignFile('invoice.pdf', 'invoice-signed.pdf');
  finally
    vSigner.Free;
  end;
end;

Verify before you ship

Every signing workflow should end with a verification pass. TsgcSignatureVerifier takes the signed XML or PDF and returns a report per signature: the AdES level actually achieved, the signer subject, the timestamp and any chain or revocation problems. If you asked for B-T and the report says B-B, the timestamp request failed and you find out on your machine, not in the regulator's error queue.

For eIDAS qualification checks, combine the verifier with the EU Trust List component: sgcSign validates signatures the same way the EU validates them, against the live LOTL, and can produce a standardised validation report.

Keep going with sgcSign

Tutorial: XAdES signing

From a plain XML invoice to XAdES-B-T: packaging modes, timestamps and verification, step by step.

Tutorial: PDF signing

The same walkthrough for PAdES: profiles, visible signatures and incremental updates.

Country profiles

The 21 pre-configured EU profiles for e-invoicing and employment contracts.

Key providers

PFX, PEM, Windows store, PKCS#11 tokens and the cloud KMS providers in detail.

sgcSign Server

Centralised remote signing over REST. GitHub Actions, Azure DevOps, Docker and Helm ready.

Pricing

Licenses for the component library and the server, plus the All-Access bundle.

Best value: All-AccessEvery eSeGeCe product, Premium Support included, from €1,059/year.
See All-Access pricing

Sign your first document today

Download the trial, run the XAdES tutorial against your own invoice and verify the result end to end.