How We Built Automatic Signature Verification for Digital Democracy in Brazil — And Why It Changes Everything
Most online petition platforms collect emails. Our project collects legally-valid cryptographic proof.
I'm sharing the technical architecture behind "Petição Brasil" — the first platform in Brazil to validate ICP-Brasil digital signatures automatically, enabling real Popular Initiative Bills.
The Problem with Existing Platforms (Change, Avaaz, etc.)
- Collect unverified emails (no identity proof)
- No legal validity in Brazilian courts
- Cannot be formally submitted to Congress/Senate
- Vulnerable to bots and fraud
- No cryptographic audit trail
What Is ICP-Brasil?
ICP-Brasil (Brazilian Public Key Infrastructure) is Brazil's official government digital certificate system, established in 2001.
Our Approach — Legally-Valid Signatures with Automatic Verification
A 5-Layer Verification System
1. PKCS#7 Cryptographic Validation (pyhanko)
- Validates signature structure and integrity
- Confirms PDF hasn't been modified after signing
- Verifies signature was created with certificate's private key
2. ICP-Brasil Certificate Chain Verification
- Traces certificate to trusted Brazilian government roots
- Uses Authority Information Access (AIA) for intermediate certificates
- Validates each cryptographic signature in the chain
3. Real-Time Revocation Check (~10ms with caching)
- Checks cached CRLs (Certificate Revocation Lists)
- Falls back to OCSP when needed
- Automatically rejects revoked/expired certificates
4. Certificate Type Validation
- Accepts only CPF (individual) certificates
- Rejects CNPJ (company) certificates
- Parses ICP-Brasil OID fields (2.16.76.1.3.x)
5. Content Integrity Verification
- Validates petition UUID embedded in signed PDF
- Verifies SHA-256 content hash
- Ensures document matches original petition
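A sketch of the layer 4 decision, added here as an illustration and not taken from the platform's code. It assumes the certificate's subjectAltName otherName values have already been decoded to text, and that the ICP-Brasil profile places individual holder data under 2.16.76.1.3.1, the company's responsible-person data under 2.16.76.1.3.4 and the CNPJ under 2.16.76.1.3.3; function names and sample values are constructed.

```python
# Added illustration, not Petição Brasil's code. Assumes the subjectAltName
# otherName values were already decoded to text and keyed by dotted OID.
OID_PF_DATA = "2.16.76.1.3.1"  # individual holder: birth date, then CPF
OID_PJ_RESP = "2.16.76.1.3.4"  # company cert: responsible person, same layout
OID_PJ_CNPJ = "2.16.76.1.3.3"  # CNPJ, carried by company certificates


def cpf_is_valid(cpf: str) -> bool:
    """Reject wrong length, repeated-digit fillers and bad check digits."""
    if len(cpf) != 11 or not (cpf.isascii() and cpf.isdigit()):
        return False
    if len(set(cpf)) == 1:  # e.g. zero-filled field
        return False
    for n in (9, 10):  # first n digits produce the check digit at index n
        total = sum(int(d) * w for d, w in zip(cpf[:n], range(n + 1, 1, -1)))
        if (total * 10) % 11 % 10 != int(cpf[n]):
            return False
    return True


def classify_holder(other_names: dict) -> tuple:
    """Return (accepted, reason, cpf); anything unexpected is rejected."""
    # A company certificate also embeds a person's CPF (the responsible
    # party), so "contains a CPF" is not enough: check the OIDs first.
    if OID_PJ_CNPJ in other_names or OID_PJ_RESP in other_names:
        return (False, "company (CNPJ) certificate", None)
    pf = other_names.get(OID_PF_DATA)
    if pf is None:
        return (False, "no individual holder data", None)
    cpf = pf[8:19]  # skip 8-char birth date (DDMMYYYY), take 11-char CPF
    if not cpf_is_valid(cpf):
        return (False, "invalid CPF", None)
    return (True, "individual (CPF) certificate", cpf)


# Constructed sample inputs (synthetic values, later fields truncated).
SAMPLE_PF = {OID_PF_DATA: "01011990" + "52998224725"}
SAMPLE_PJ = {OID_PJ_RESP: "01011990" + "52998224725",
             OID_PJ_CNPJ: "11222333000181"}
SAMPLE_BLANK = {OID_PF_DATA: "01011990" + "00000000000"}

if __name__ == "__main__":
    for name, sample in [("PF", SAMPLE_PF), ("PJ", SAMPLE_PJ),
                         ("blank", SAMPLE_BLANK)]:
        print(name, classify_holder(sample))
```

The company sample carries the same CPF as the individual one and is still rejected, which is the case a check based only on "a CPF is present" would get wrong.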
The Game-Changer: Popular Initiative Bills
Brazil's Constitution (Art. 61, §2°) requires verified signatures from 1% of the electorate for popular bills. Traditional process:
- Takes months/years to collect physical signatures
- Manual verification (expensive and error-prone)
- High barrier to entry
Our project provides:
- Instant signature verification (10 seconds)
- Strong cryptographic proof
- Real-time transparency and audit trail
- 100% free
- Sign from anywhere (mobile-friendly)
Each signature generates a Custody Chain Certificate with:
- Complete verification timeline
- ICP-Brasil certificate details (serial, issuer, validity)
- SHA-256 hash of verification evidence
- QR code for instant public verification
- Legal validity equivalent to notarized documents
This creates a credible foundation for formal submission to national or state assemblies.
Tech Stack: Python, Django, cryptography, pyhanko, pypdf, PostgreSQL, Celery (async processing)
The Vision: Making constitutional democracy accessible to every Brazilian citizen — not just those who can afford lobbyists.
Currently based in Vancouver, I am continuing my studies in Cybersecurity Risk Management at CCTB, applying these principles to global challenges in digital trust.