Digital signature
A digital signature is the cryptographic mechanism that proves who signed a PDF and that nobody has altered it since. It is the technical engine that the strongest electronic signatures rely on, and it is built from public-key cryptography rather than any picture of a pen stroke.
The process works like this: a hash (a compact fingerprint) of the document is computed, then encrypted with the signer's private key to form the signature. Anyone holding the matching public key, distributed inside an X.509 certificate from a certificate authority, can recompute the hash and verify it. If even one byte of the file changes afterwards, the recomputed hash no longer matches and the signature shows as invalid. This gives two guarantees at once: authenticity (the key belongs to a named identity) and integrity (the content is untouched). Timestamps from a trusted authority can pin down when it was signed.
The maths gives a digital signature its legal and forensic strength, far beyond a visual mark. Because the private key is the crown jewel of the whole scheme, keeping the signing operation on hardware you control is the natural way to make sure that key is never handled by a third party.