setasign/setapdf-signer-addon-aws-kms

A SetaPDF-Signer component signature module for the AWS Key Management Service.

Maintainers

Details

github.com/Setasign/SetaPDF-Signer-Addon-AWS-KMS

Homepage

Source

Issues

Installs: 16 212

Dependents: 0

Suggesters: 0

Security: 0

Stars: 4

Watchers: 2

Forks: 0

Open Issues: 0

pkg:composer/setasign/setapdf-signer-addon-aws-kms

v1.1.2 2026-01-26 11:14 UTC

Requires

  • php: >=8.1 <=8.5.99999
  • aws/aws-sdk-php: ^3.368
  • setasign/setapdf-signer: ^2.47

Requires (Dev)

MIT ba44826622ca410fb32d8a11efaec7bb30397b48

  • Setasign GmbH & Co. KG <support.woop@setasign.com>

This package is auto-updated.

Last update: 2026-01-26 11:17:20 UTC

README

This package offers a module for the SetaPDF-Signer component that allow you to use the AWS Key Management Service to digital sign PDF documents in pure PHP.

Requirements

This package uses the official AWS SDK for PHP Version 3 to communicate with the KMS. You need appropriate credentials.

You also need a X.509 certificates related to your stored keys. To create a self-signed certificate for testing purpose or to create a CSR for the certificate authority of your choice, you can use a tool we prepared here.

The current version of the package is developed and tested on PHP >= 8.1 up to PHP 8.5. Requirements of the SetaPDF-Signer component can be found here.

Installation

Add following to your composer.json:

{
    "require": {
        "setasign/setapdf-signer-addon-aws-kms": "^1.0"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://www.setasign.com/downloads/"
        }
    ]
}

and execute composer update. You need to define the repository to evaluate the dependency to the SetaPDF-Signer component (see here for more details).

The Setasign repository requires authentication data: You can use your credentials of your account at setasign.com to which your licenses are assigned or use an access token which you can create in your personal composer settings on setasign.com. See here for more options for authentication with composer.

You have to define your credentials for AWS KMS as documented here.

Usage

All classes in this package are located in the namespace setasign\SetaPDF\Signer\Module\AwsKms.

The Module class

This is the main signature module which can be used with the SetaPDF-Signer component.

A simple complete signature process would look like this:

use Aws\Kms\KmsClient;
use setasign\SetaPDF\Signer\Module\AwsKMS\Module;
use setasign\SetaPDF2\Core\Document;
use setasign\SetaPDF2\Core\Writer\FileWriter;
use setasign\SetaPDF2\Signer\Signer;

$kmsClient = new KmsClient([
    'region' => $region,
    'version' => $version,
]);
$awsKmsModule = new Module($keyId, $kmsClient);

$cert = file_get_contents('your-cert.crt');
$awsKmsModule->setCertificate($cert);
$awsKmsModule->setSignatureAlgorithm($algorithm);

// the file to sign
$fileToSign = __DIR__ . '/Laboratory-Report.pdf';

// create a writer instance
$writer = new FileWriter('signed.pdf');
// create the document instance
$document = Document::loadByFilename($fileToSign, $writer);

// create the signer instance
$signer = new Signer($document);
$signer->sign($awsKmsModule);

Make sure that you pass $algorithm value which match the configuration of the key in the KMS.

License

This package is open-sourced software licensed under the MIT license.