How to burn out signatures before a public-records release
- Step 1Rasterize the responsive page — If the record is a PDF, export the page that bears the signature to PNG or JPG — the Signature Burner uses the browser's
<img>decoder and will not render a.pdf. Rasterizing also flattens any existing annotation layer, which for a release page is usually what you want. - Step 2Drop one page image into the tool — The burner is single-file, so process one page at a time. The picker draws it into a preview canvas capped at 640px wide; the caption shows the true source size, e.g.
source 2550×3300, so you know the resolution the burn will run at. - Step 3Drag a rectangle over the withheld signature — Press and drag across the signature you must withhold. A red box tracks the drag and the readout reports the region in source pixels:
Region: 840×170 @ (420, 2760). The box is captured asx,y(top-left) andw,h(width, height). - Step 4Square the box with the numeric fields — Four number inputs — X, Y, Width, Height — are pre-filled from your drag. For a defensible release, type exact values so the box fully encloses the signature with margin; editing a field repaints the red overlay so you can confirm complete coverage before you commit.
- Step 5Burn the region — Run the tool. The processor fills your rectangle with solid
#000and re-encodes the image as PNG. The burn only applies when bothwandhare greater than zero — a zero-area box redacts nothing and just re-encodes the image, so verify the region is non-zero first. - Step 6Download, verify, then release — The output downloads as
<original>-burned.<ext>, keeping the input's extension though the bytes are PNG. Before release, open it cold, zoom into the black box, and attempt select/copy — there is nothing to select. Document the verification in your release log alongside the local audit entry.
The four burn-region controls (all there is)
The Signature Burner exposes exactly four numeric options, all in source-image pixels. There is no exemption-label, color, blur, or auto-detect control — drawing on the preview sets these four numbers, which you can also type.
| Option | Meaning | Default | Set by |
|---|---|---|---|
x | Left edge of the burn rectangle, in source-image pixels | 0 | Drag start, or the X field |
y | Top edge of the burn rectangle, in source-image pixels | 0 | Drag start, or the Y field |
w | Rectangle width in px. Burn applies only when w > 0 | 0 | Drag distance, or the Width field |
h | Rectangle height in px. Burn applies only when h > 0 | 0 | Drag distance, or the Height field |
Annotation black box vs. a pixel burn
Why a records release needs a burn, not a viewer annotation. Behaviour verified against the burn step, which decodes the image, fills the rectangle with #000, and re-encodes as PNG every run.
| Property | PDF-viewer black box | Signature Burner |
|---|---|---|
| What it is | A separate annotation layer on top of the ink | Solid #000 painted into the pixels themselves |
| Recoverable? | Yes — delete annotation, flatten, or pdftotext | No — the ink was never written into the output |
| Underlying data | Original signature still in the byte stream | Absent — only the burned pixels exist |
| Output | A PDF with a removable object | A flat PNG raster, no layers or form XObjects |
Where it runs and the file caps
Signature Burner is browser-only (Canvas) and gated at the Pro tier. File-size caps are the per-tier security-family limits; the tool processes one file per run.
| Tier | Can run? | Max file size | Files per run |
|---|---|---|---|
| Free | No — requires Pro | — | — |
| Pro | Yes | 100 MB | 1 |
| Pro-media | Yes | 500 MB | 1 (single-file) |
| Developer | Yes | 2 GB | 1 (single-file) |
Cookbook
Release workflows for records and FOIA officers. Coordinates are illustrative but use the tool's real x/y/w/h model and its actual image-in / PNG-out behaviour.
Withhold a signature on a single responsive page
A FOIA officer must release a memo but withhold the signer's signature under a privacy exemption. Rasterize the page, drag over the signature, burn.
Input: responsive-memo-p3.png (2550×3300, scan) Drag over the signature → Region readout: 840×170 @ (420, 2760) Options captured: x=420 y=2760 w=840 h=170 Burn → solid #000 fills that rectangle; whole page re-encoded as PNG. Output: responsive-memo-p3-burned.png • signature pixels absent — nothing under the box • body text of the memo left intact
Withhold two third-party signatures (two passes)
A page with both the signer and a witness. The burner takes one rectangle per run, so burn the first, download, drop the result back in, and burn the second.
Pass 1: input: release-p7.jpg region: w=820 h=160 @ (400, 2600) # signer output: release-p7-burned.jpg (PNG bytes inside .jpg) Pass 2: input: release-p7-burned.jpg (pass-1 output) region: w=760 h=150 @ (400, 2980) # witness output: release-p7-burned-burned.jpg Rename final → release-p7-released.png
Add margin so the withholding is defensible
A tight box that just touches the ink can leave a recognizable outline. Type into the numeric fields to add a few pixels of margin on every side before burning.
After drag: x=420 y=2760 w=840 h=170
Add margin: x=410 y=2750 w=860 h=190
(10px left/top, 20px wider/taller)
Red overlay repaints → signature fully enclosed → burn.PDF page → image → burn (the correct PDF path)
Because the burner cannot decode a PDF, rasterize the page first. This also destroys the page's searchable text layer, which for a withheld signature page is acceptable; if you must keep other text searchable, use the PDF redactor instead.
1. Export page to image (PDF viewer: 'Export as PNG')
records-request.pdf → records-request-p3.png
2. Drop records-request-p3.png into Signature Burner
3. Burn the signature region
4. Output: records-request-p3-burned.png
Note: this raster page has NO selectable text. To redact
text in a born-digital PDF and keep the rest searchable,
use /pdf-tools/pdf-pii-redactor instead.Verify the release cannot be un-redacted
Before the file leaves the records office, prove the withholding holds. Open the output cold and probe it like a requester would.
Pre-release check on <file>-burned.png:
• Zoom 800% into the black box → uniform #000, no ghost ink
• Select/copy over the box → nothing selectable (pixels)
• File is one flat PNG raster — no annotation objects,
no /XObject form, nothing to flatten or delete
• Compare byte size to source — re-encoded, not appendedEdge cases and what actually happens
You drop the record PDF straight in
Fails to loadBoth the picker and the burn step decode with the browser's <img> element, which cannot render a PDF, so a .pdf throws 'Failed to load image' with no preview. Rasterize the page to PNG/JPG first, or for text-layer redaction in a born-digital PDF use /pdf-tools/pdf-pii-redactor.
Output is PNG even though you dropped a JPG
By designThe canvas is always re-encoded with toBlob(..., 'image/png'), so every released file is PNG bytes regardless of input. That re-encode is what makes the withholding permanent. The file keeps its original extension in the name (<name>-burned.jpg), so it is PNG bytes inside a .jpg name — rename to .png for a consistent release set.
Clerk clicked without dragging
No-opThe burn fills only when both w > 0 and h > 0. A click with no drag leaves w/h at 0, so nothing is withheld — the page is just re-encoded to PNG. Always confirm the region readout shows a non-zero w×h before treating a file as redacted for release.
Tight box leaves a readable outline
Add marginBurn covers exactly the rectangle you set; a box that hugs the ink can leave a recognizable shadow or descender. Add a few pixels of margin via the numeric fields, or re-run a slightly larger box over the output. Verify at 800% zoom before release.
Free-tier account tries to run it
Tier requiredSignature Burner is gated at the Pro tier (minTier pro); Free accounts cannot run it. Pro allows up to 100 MB per file, Pro-media 500 MB, Developer 2 GB. Records pages are typically well within any of these caps.
Preview is small but the scan is large
ExpectedThe preview is capped at 640px wide and only scaled down. The burn does not use preview coordinates — every drag is converted to source-image pixels (the caption shows the true source W×H), so a box drawn on the small preview lands exactly on the signature at full resolution.
Multiple withholdings on the same page
Run againThe tool takes one rectangle per run. For several signatures on one page, burn the first, download, drop the result back in, and burn the next. Each pass re-encodes to PNG and leaves untouched pixels visually identical, so chaining passes is safe.
Annotation black box used instead of a burn
Reversible — avoidA rectangle added as an annotation in a PDF viewer is a separate layer; a requester can delete it, flatten the page, or run pdftotext to expose the signature. That recoverable redaction is the exact re-disclosure risk this tool exists to prevent.
Scan with a CMYK or exotic color profile
Depends on browserThe tool uses the browser's native decoder. Standard sRGB PNG/JPG always work; a CMYK JPEG or unusual ICC profile may fail to decode in some browsers, surfacing as 'Failed to load image'. Re-save as a standard sRGB PNG/JPG and retry.
Released PNG is larger than the source JPG
ExpectedOutput is always a lossless PNG, so a small lossy JPG often grows on re-encode. The untouched pixels are visually identical; the size change is encoding, not data loss or appended hidden data.
Frequently asked questions
Can a requester un-redact a signature I burned?
No. The tool fills your rectangle with solid #000 and re-encodes the whole image as a new PNG. The released file contains only the pixels the canvas painted — the withheld signature was never written into the output. There is no annotation, layer, or form object to delete and no recoverable byte stream, which is the opposite of a deletable PDF-viewer black box.
Why not just draw a black box in our PDF viewer?
Because that box is an annotation layer painted on top of the ink. A requester can delete the annotation, flatten the page, or run pdftotext and recover the signature — a documented cause of re-disclosure incidents. Burning re-encodes a flat raster with nothing underneath. To redact text in a born-digital PDF while keeping the rest searchable, use /pdf-tools/pdf-pii-redactor instead.
Can I redact the signature in the PDF directly?
Not in this tool — it decodes input with the browser's <img> element, which cannot render a PDF, so a .pdf throws 'Failed to load image'. Rasterize the page to PNG/JPG and burn that, or use /pdf-tools/pdf-pii-redactor for the text layer. Strip hidden PDF metadata separately with /pdf-tools/pdf-metadata-scrubber.
Does the record get uploaded before release?
No. The burner runs entirely on the HTML Canvas in your browser tab; the document never reaches a server. That keeps records under review on your machine. An audit-log entry is emitted locally so the office has a contemporaneous note that the withholding was applied.
Why is my released file a PNG when I dropped a JPG?
The canvas is always re-encoded with toBlob(..., 'image/png') — that re-encode bakes the withholding permanently into the pixels. So a JPG in becomes PNG out. The file keeps its original extension in the name (<name>-burned.jpg); it is PNG bytes inside a .jpg name, so rename to .png for a consistent release set.
Can I add an exemption label or a colored box instead of black?
No. The fill is solid opaque black (#000) and is not configurable — there is no color, label, blur, or pixelate control. Add any exemption citation in your release log or cover letter, not in the burned pixels. Solid black is the standard withholding mark this tool produces.
How do I make sure the box fully covers the signature?
Use the four numeric fields to add margin on every side after dragging, then check the red overlay repaints to enclose the whole signature, including descenders. Verify the burned output at 800% zoom — the box should be uniform #000 with no ghost ink or readable outline.
I drew on the small preview — will it land right at full resolution?
Yes. The preview is capped at 640px wide for convenience, but every coordinate is converted to source-image pixels before the burn. The readout shows your region (840×170 @ (420, 2760)) and the true source size (source 2550×3300), so the box lands exactly on the signature at full resolution.
What formats can I drop in?
Anything the browser's image decoder reads: PNG, JPG, GIF, WebP, and BMP. Animated GIFs burn the first frame only. PDFs are not supported — rasterize the page first. CMYK JPEGs or files with unusual color profiles may fail to decode; re-save as standard sRGB PNG/JPG if you hit 'Failed to load image'.
Why did the run redact nothing?
The burn applies only when both width and height are greater than zero. A click with no drag leaves w and h at 0, so the rectangle is a no-op and the page is just re-encoded to PNG. Confirm a non-zero w×h in the readout, or type values into the Width/Height fields, before treating a file as redacted.
What tier and file size do records pages need?
The tool requires the Pro tier (Free cannot run it). File-size caps follow the security family: Pro 100 MB, Pro-media 500 MB, Developer 2 GB per file. It is single-file regardless of tier — one page per run, no batch mode.
How do I document that the redaction is sound?
Open the -burned.png cold, zoom to 800% into the box (uniform #000, no ghost ink), and try to select/copy over it (nothing, because it is pixels). The file is one flat PNG with no layers or annotations to delete. Pair this with the local audit-log entry, and for integrity across release copies see /security-tools/multi-hash-fingerprinter. Confirm your specific exemption and procedure with counsel.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.