Form.io eSignature - COMING SOON

Introduction

Form.io eSignature is aimed to confirm that the signed piece of data and its context (the form, custom properties, etc.) have not changed since it was signed.

Peculiarities of the eSignature solution provided by form.io:

• Zero-trust. Deployed in your app, in your environment means you don't have to trust 3rd-party providers with your eSignatures. The eSignatures are stored in your database.

• API-driven digital signatures. You can access any signed data/form via API using its submission ID that's native to Form.io.

• Decoupled from PDFs. Form.io eSignature lets you take an immutable snapshot of data within your app without relying on PDFs (but still export to PDF if you need).

• Full control on eSignature private key. Signature data is stored in DB as a token signed with the private key provided by you. You can store your keys outside of your deployment (e.g. using AWS KMS) or set it as the form.io enterprise server environment variable.

• Sign using any field type, any context. Any input field can be used as a signature: checkbox, email, signature, text field and so on. Your signature can sign the whole form data or just a part of it.

• Customize your eSignature stamp. Use your custom templates for the eSignature stamp.

Availability

The eSignature functionality is available for self-hosted environments containing a license with the Security & Compliance Module and eSignature enabled.

Once eSignature is enabled for your license key, you will see the eSignature tab under the Modify section in the navigation sidebar of any form.

The eSignature configuration is available after the form has the following settings enabled:

1. Submission Revisions;

2. Form Revisions set to 'Use original form revisions when viewing submissions'.

eSignature Settings

1. eSignature components. First of all, decide what form components will be used as signature(s) in your form and add them to the eSignature configuration. Click 'Add eSignature' to attach eSignature functionality to some of your form components. A form can have one or more eSignatures.

• eSignature Component is a form component that will be used as a signature.

• eSignature Data. Select the form components those data is be confirmed by the eSignature. If the signed value of these components changes, the eSignature becomes invalid and the data is expected to sign again.

• Include all form data in eSignature. When this setting is enabled, the eSignature will be responsible for all form data. If the value of some form component is changed, the eSignature will be invalid and the data is expected to sign again.

1. The 'Submission properties to include in eSignature' are the comma separated paths to the data inside the submission object that will be used for the eSignature verification. Use this setting if you want the eSignature to confirm that some submission properties (except for submission data) stays unchanged since it was signed, e.g. some metadata properties.

2. Do not disable signed data. By default, the signed data is disabled in UI to protect it from modifications. Enable this setting, if you do not want to disable signed data.

3. The Templates settings allow to change the default template of the eSignature stamp and tooltip.

eSignature Templates

The Templates settings enables users to customize UI for eSignature stamp and tooltip using the JavaScript Lodash library.

Several variables are available inside templates:

esign object

The esign variable is available in both stamp and tooltip templates and contains main information about eSignature.

The esign object typically has the following properties:

• created - the ISO formated date of eSigature creation;

• valid - if eSignature is valid it has a true value, if not - the massage why eSignature is not valid;

• _id - eSignature ID;

• _sid - ID of the submission that contains this eSignature;

• signature - the object with eSignature data that has the following properties:

  • compPath - path to eSignature component inside the form JSON;

  • valuePath - path to the value of the eSignature component in submission data;

  • user - the id and email of the user who signs the eSignature field;

  • submission - the submission revision object (without submission data) created together with eSignature.

eSignature Stamp Template

Example of a custom stamp template:

{% if (esign.valid === true) { %}
<span class="formio-esign-stamp">
  <i ref="esignTooltip" style="cursor:pointer" data-tooltip="{{esignTooltip}}" class='{{esignIconClass}}' aria-hidden='true'></i>
  <span class="formio-esign-stamp-description">
    Signed on {{new Date(esign.created).toLocaleString()}}
  </span>
</span>
{% } %}
{% if (esign.valid !== true) { %}
<span class="formio-esign-stamp formio-esign-stamp-invalid formio-esign-stamp-description">
  <i ref="esignTooltip" style="cursor:pointer" data-tooltip="{{esignTooltip}}" class='{{esignIconClass}}' aria-hidden='true'></i>
  Invalid eSignature
</span>
{% } %}

Tips:

• To use tooltip with your eSignature stamp, add the following attributes to some HTML element inside your stamp template: ref="esignTooltip" data-tooltip="{{esignTooltip}}.

 <i ref="esignTooltip" data-tooltip="{{esignTooltip}}" class='{{esignIconClass}}'></i>< ref="esignTooltip" style="cursor:poer" data-tooltip="{{esignTooltip}}" class='{{esignIconClass}}' aria-hidden='true'></i>

• To use different stamp template for the form and printed PDF (when viewing submission as PDF), check if instance.options.pdf is true:

{% if (instance.options.pdf) { %}
 // stamp template for printed PDF
{% } %}
{% if (!instance.options.pdf) { %}
 // stamp template for the form
{% } %}

• To use different stamp template for valid and invalid eSignature, check if esign.valid is equal to true or not.

{% if (esign.valid === true) { %}
 // stamp template for valid eSignature
{% } %}
{% if (esign.valid !== true) { %}
 // stamp template for invalid eSignatrue
{% } %}

eSignature Tooltip Template

Example of a custom tooltip template:

<div class="formio-esign-tooltip">
  <span class="{{esign.valid !== true ? 'formio-esign-tooltip-header-invalid' : ''}} formio-esign-tooltip-header">
    <span>eSignature</span>
    <span class="formio-esign-tooltip-status" >{{esign.valid !== true ? 'invalid' : 'verified'}}</span>
  </span>
  <ul class="formio-esign-tooltip-info">
    <li class="formio-esign-tooltip-info-item"><span class="formio-esign-tooltip-info-item-title">ID:</span><<span>{{esign?._id || '-'}}</span></li>
    <li class="formio-esign-tooltip-info-item"><span class="formio-esign-tooltip-info-item-title">Path:</span><span>{{esign?.signature?.valuePath || '-'}}</span></li>
  </ul>
</div>

eSignature Cryptography

The eSignature uses the asymmetric cryptographic keys to sign and verify the snapshot of data. The key is required and must be provided by you.

There are 2 ways to provide keys for eSignature cryptographic operations:

• set ESIGN_PRIVATE_KEY variable for the form.io server deployment;

• add integration with third-party key management service (e.g. AWS KMS).

ESIGN_PRIVATE_KEY server variable

The simplest way to provide your keys for eSignature is to set the ESIGN_PRIVATE_KEY variable for your deployment of the formio/formio-enterprise . There is no need to set the public key as an environment variable as it can be easily extracted from your private key.

Requirements for a private key set to ESIGN_PRIVATE_KEY:

• key type: RSA;

• key size: 2048-bit;

• public key: type - 'spki', format - 'pem';

• private key: type - 'pkcs8', format - 'pem'.

Example of the RSA2048 key generation using the node:crypto module:

    const crypto = require('crypto');

    const { privateKey } = crypto.generateKeyPair(
      'rsa',
      {
        modulusLength: 2048,
        publicKeyEncoding: {
          type: 'spki',
          format: 'pem',
        },
        privateKeyEncoding: {
          type: 'pkcs8',
          format: 'pem',
        },
      }
    );

Integration with Key Management Services (KMS)

If you prefer to use a third party provider to store and manage your eSignature keys, add eSignature integration settings on the project level.

AWS KMS

The form.io eSignature can use AWS KMS API to sign and verify the eSignature data. Follow these steps to add AWS KMS integration:

1. create RSA2048 key available for 'sign and verify' operations in AWS KMS:

1.1. log in to your AWS account;

1.2. open Services -> Security, Identity, & Compliance -> Key Management Service;

1.3. click on the 'Create a key' button in the main AWS KMS page or select 'Customer managed keys' on the sidebar and click on the 'Create a key' button on the top of the keys list:

1.4. follow the key setup wizard to create your key. The step 1 key settings are expected to look like this:

1.5. Open the created key from the key list in the 'Customer managed keys' section and copy the key ID:

1. Create an Access Key for your AWS account and copy your Access Key ID and Secret Key. Check AWS documentation to create the access key for your account:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

1. Add AWS KMS integration settings to the project settings in your form.io developers` portal:

3.1. Open your project Settings -> eSignature;

3.2. Add your AWS KMS settings:

3.3. Save the project settings. From this point, the AWS KMS API will be used for the eSignature cryptographic operations for this project.

eSignature Examples

1. Create a new form and add components as shown in the example below, or import the form using URL: https://remote-next.form.io/authoring-rwghbgwsuvdthxs/esignaturedemo.

This form is expected to have 3 signatures:

• the signature of the purchase initiator who is to fill in fields 1-3 and sign this data by adding the name in field 4;

• the signature of the head of department who express his approval of the purchase in field 5;

• the signature of the accountant who fills in the budget field and confirms it by adding a signature in field 7.

1. Configure the eSignature:

2.1. Enable submission revisions and original form revisions for the form:

2.2. Go to the Modify tab -> eSignature. Click the 'Add eSignature' button and configure eSignature for the field 4:

Click Save. Add eSignatures for fields 5 and 7 and save them:

2.3. Save eSignature settings clicking on the 'Save Settings' button.

1. Go to the Use tab, fill in fields 1-4 and submit the form. When viewing/editing this submission, the green eSignature stamp is displayed under field 4. This stamp confirms that the eSignature was created and the eSignature data (fields 1-4) and the form have not been changed since it was sign. More eSignature details are available on the stamp hover, :

1. Edit the submission. Pay attention that the signed fields 1-4 are disabled. Fill in field 5 and submit the form. You will see that eSignature is created for field 5.

2. Fill in fields 6 and 7 and submit the form. eSignatures are created for all signature fields:

eSignature validation when 'Do not disable signed data' is enabled

When the signed fields are not disable from modification in UI, eSignature data is validated on the client side. If some signed value is changed, eSignature becomes invalid and the signature field is cleared. That means the changed data is expected to sign again.

Example:

1. Follow steps 1-2 from the previous example.

2. Open eSignature settings and enable 'Do not disable signed data'. Save eSignature settings clicking on the 'Save Settings' button.

3. Sign the form following steps 3-5 from the previous example. Note that signed fields are not disabled.

4. Edit the submission and change the quantity field from 1 to 2. As a consequence, the eSignatures for fields 4 and 5 become invalid and signature values are reset.

The eSignature for field 7 is still valid as it is only responsible for the data in field 6. Change field 6, the field 7 value will be cleared and the eSignature will become invalid. You will have to sign these fields again and new eSignatures will be created for the form.

eSignature and PDF

Use eSignature with PDF-first forms in the same way as you would with web forms.

The PDF of the web form submission, that contains eSignature(s), displays eSignature stamp.

Render eSignature in your application

Use @formio/esignature module to render eSignatures in your application.

1. Use one of the following terminal commands to install the @formio/esignature module into your application:

npm i --save @formio/esignature

or

yarn add @formio/esignature

1. Connect the eSignature module in your application:

import {Formio} from 'formiojs';
import esignature from '@formio/esignature';

Formio.use(esignature);

1. Import the eSignature module styles in your application:

import '@formio/esignature/esignature.css';