Self-hosting
Everything you need to run NoSign on your own infrastructure.
NoSign is designed to run on your own servers with no external service dependencies. The principle is “everything in the box.”
Tech stack
| Layer | Technology |
|---|---|
| Application | Laravel 12 |
| Database | PostgreSQL 16 (JSONB audit payloads) |
| Storage | Local private storage (no S3 or external object store) |
| Frontend | Blade + Alpine.js (CSP build, no eval) + PDF.js + signature_pad |
| Queues | Laravel Queues |
| Self-hosted SMTP with DKIM, SPF, and DMARC | |
| PDF processing | FPDI + TCPDF for stamping; Ghostscript for PDF/1.4 normalization |
| Cryptographic seal | PAdES-B-T via TCPDF-native signature + a self-built RFC3161 timestamp injector |
| Embedded evidence | Audit-certificate page + nosign-audit.json inside the sealed PDF |
| Offline verification | Stateless verifier built on openssl cms / openssl ts |
| Timestamp authority | Self-hosted TSA sidecar (RFC3161) |
| Webhook secrets | Encrypted at rest, zero-downtime rotation |
| API docs | OpenAPI via dedoc/scramble (sandbox surface) |
| Containerization | Docker + Coolify |
| Tests | Pest test suite |
Zero paid crypto dependencies
PAdES-B-T sealing — including the embedded RFC3161 timestamp — is built entirely on open tooling and a hand-rolled CMS timestamp injection. There is no commercial signing SDK.
Deployment
NoSign is distributed as a Docker image deployable with Coolify (or any Docker-compatible host). The application, database, SMTP, and TSA sidecar run together. No external services are required at runtime.
What you need
- A server with Docker installed.
- A domain for your NoSign instance (HTTPS required — signers open links directly).
- An SMTP server or relay with DKIM/SPF/DMARC configured (for ceremony emails and admin notifications).
- A PostgreSQL 16 instance (can run in the same Docker environment).
Certificate configuration
NoSign generates a self-signed organizational certificate for the PDF seal by default. To swap in an AATL or commercially-trusted certificate so PDF readers show a green checkmark:
- Obtain a
.p12certificate file from a trusted CA. - Place it in the configured certificate path.
- Restart the application.
No code change is required.
Admin access
The admin dashboard is isolated behind a separate authentication boundary with 2FA enforced and no public registration. Admin accounts are created directly by the instance operator.