How to prove a document hasn't been altered
Storing a copy of a file doesn't prove it's the original. Here's how cryptographic hashing, signatures and timestamps give you evidence that stands up months or years later — and how to add it to any document in seconds.
Picture the moment you actually need it. A contract you signed eighteen months ago is now in dispute. A regulator asks for the exact dataset you used in a report. A client insists the terms they received were different from the ones you sent. You reach into your archive, pull out the file — and realise you have no way to prove that this is the same file, byte for byte, that existed back then. A copy is not evidence. Anyone can edit a PDF and re-save it with an innocent-looking modified date.
This is the problem of document integrity: not stopping change, but being able to detect it and prove it to someone who wasn't there. The good news is that the cryptography that solves it is well understood, fast, and free to start using. This guide walks through how it works and how to apply it to any file in a few seconds.
Prevention vs. tamper-evidence
There are two different goals people conflate. Tamper-prevention tries to make a document impossible to change — think locked-down document management systems or write-once storage. It is expensive, and it only protects the copies inside your walls. Tamper-evidence takes the opposite, more useful stance: assume a file can be copied and edited anywhere, but make any change provable after the fact. You don't need to control every copy; you only need one small, trustworthy record of what the original looked like.
Tamper-evidence is what lets you hand a file to a counterparty, publish it, or store it in an ordinary cloud drive, and still answer the question “is this unchanged?” with a confident yes or no. It rests on three cryptographic building blocks.
1. Hashing: a fingerprint for a file
A cryptographic hash function such as SHA-256 reads every byte of a file and produces a fixed 64-character fingerprint. Two properties make it powerful. First, it is deterministic: the same file always produces the same hash, on any machine, forever. Second, it is avalanche-sensitive: change a single character — a comma, one pixel, an invisible metadata field — and the hash changes completely and unpredictably.
So if you record the hash of a document today, anyone can re-hash their copy later and compare. Identical hash, identical file. Different hash, the file has changed — and you'll know, even if you can't immediately see what changed. Crucially, the hash reveals nothing about the contents, so you can safely publish or share it. The file itself never has to leave your hands.
2. Signatures: a record nobody can forge
A hash alone has a gap: what stops someone from altering the file and quietly swapping in a new hash to match? That's where a digital signature comes in. A trusted service signs the hash with a private key using an algorithm like Ed25519. Anyone holding the matching public key can verify that the signature is authentic and untouched, but nobody without the private key can produce a valid one. The signed record becomes the anchor: to fake it, an attacker would need to break the signature scheme, not just re-run a hash.
3. Timestamps: proving when
Integrity often isn't only about “is this the same file?” but “did it exist in this form at a particular time?” — think intellectual-property priority, a submission deadline, or a version freeze. Binding a trusted UTC timestamp into the signed record answers that. Together, the three pieces — a hash of the content, a signature over it, and a timestamp — form a compact certificate that proves what existed and when, without anyone having to trust your word for it.
How XSeal puts it together
This is exactly what a seal is on XSeal. You choose a file; the SHA-256 hash is computed and combined with a UTC timestamp and metadata into a certificate, which is then signed with XSeal's Ed25519 key. You get back a Seal ID and a downloadable certificate. The file's contents are never stored — only the hash and metadata — so sealing a confidential document leaks nothing. The documentation covers the exact certificate fields and the canonical form that gets signed.
To check a file later, open Verify, upload your copy and enter the Seal ID. XSeal recomputes the hash, checks it against the certificate, and validates the signature, then tells you plainly: authentic (byte-for-byte identical to what was sealed) or altered. Because the whole thing is public, you can hand the Seal ID to a counterparty and let them verify their own copy — no account required.
Don't just trust the tool — verify independently
The strongest integrity evidence is the kind you don't have to take on faith. Every XSeal certificate is signed with a published Ed25519 public key, so a third party can verify a signature offline, with any standard crypto library, without trusting the website at the moment they check. That independence is what turns a seal from “a service said so” into evidence a technical reviewer, auditor, or court expert can validate on their own machine. The documentation walks through the procedure step by step.
When a hash-seal is enough — and when it isn't
Be clear about what tamper-evidence does and doesn't give you, because it's easy to over-claim. A seal proves integrity and time: that a specific file existed in an exact form at a moment. It does not assert who authored the content, nor is it a qualified electronic signature (QES) under the EU's eIDAS regulation. If you need a legally recognised signature that binds a named individual's identity to an act of signing — for many contracts, that's the requirement — you want a QES or advanced e-signature from a qualified trust service provider.
The two are complementary, not competing. A common, robust pattern is to e-sign a contract for identity and consent, and separately seal the final executed PDF so you can later prove that this is the exact version everyone agreed to. Integrity underneath, identity on top.
Best practices for durable evidence
- Seal at the decisive moment. Seal the final version — the signed contract, the submitted report, the frozen dataset — not a draft. The seal is only as useful as the version it captures.
- Keep the Seal ID with the file. Store it in your filename, document management system, or a simple index. A free account keeps every seal in your dashboard so you never lose one.
- Seal each material revision. If a document changes legitimately, seal the new version too. A chain of sealed versions is itself a strong audit trail.
- Capture web evidence alongside files. Integrity applies to more than documents. To preserve what a web page — terms of service, a listing, a published statement — looked like at a point in time, take a screenshot with a tool such as screencap.site, then seal that image so you can later prove the capture itself is unaltered.
- Archive the certificate. Download and store the certificate JSON with your records; combined with the public key it lets anyone verify independently, even years later.
Try it on a real file
The fastest way to understand tamper-evidence is to use it. Seal a file now — it takes seconds and needs no account — then head to Verify, upload the same file, and watch it come back authentic. Change one character and watch it come back altered. When you're ready to build it into a workflow, the pricing page has plans from free upward. Once you've seen a single edited byte light up red, you'll never rely on “trust me, it's the same file” again.