How cryptographic hashing (SHA-256) proves a document wasn't changed
A cryptographic hash function like SHA-256 turns a document of any size into a fixed-length string of 64 hexadecimal characters — a unique digital fingerprint of those exact bytes. Change anything at all, even a single space, and the fingerprint changes completely and unpredictably. So if you record a document's hash at signing and it still matches later, you have mathematical proof the file is unchanged. That's the core mechanism behind tamper-evidence: you don't have to trust that a document is unaltered, you can compute and verify it.
The everyday problem: did this file change?
You sign a contract. Weeks later, someone produces a copy and says it's the same one. Is it? Even a tiny alteration — a changed number, an added clause, a swapped signature — could matter enormously. Comparing two documents line by line is slow, unreliable, and impossible if you only have one version to check against.
Cryptographic hashing solves this elegantly. It reduces any document to a short, fixed fingerprint that acts as a stand-in for the entire file. Compare the fingerprints, and you know instantly whether the documents are identical — no page-by-page reading required.
What a hash function does
A hash function takes input of any size — a one-line note or a 500-page PDF — and produces an output of fixed length. SHA-256 (part of the SHA-2 family) always produces exactly 256 bits, written as 64 hexadecimal characters. For example, a document might hash to something like:
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
That string is the document's fingerprint. Two things make it useful for proving integrity.
The two properties that make it work
1. It's deterministic. The same input always produces the same output. Hash the identical file on any computer, in any year, and you get the same 64 characters. This is what lets you compare a hash recorded at signing against one computed today.
2. It's extremely sensitive to change. This is called the avalanche effect: change even one bit of the input, and roughly half the output bits flip. The result looks completely unrelated to the original hash. There's no "close" — a document that's 99.99% identical produces a totally different fingerprint. So any tampering, however small, is glaringly obvious.
Consider hashing "The fee is $500" versus "The fee is $5000." The two hashes share nothing recognizable in common, even though the text differs by a single character.
Why you can't fake it
A cryptographic hash isn't just any fingerprinting scheme — it's built to resist attack:
- One-way (preimage resistance): given a hash, you can't work backward to reconstruct the original document. The fingerprint reveals nothing about the content.
- Collision-resistant: it's computationally infeasible to find two different documents that produce the same hash. So an attacker can't craft a doctored file that matches the original's fingerprint.
These properties are why SHA-256 is trusted across banking, blockchains, software distribution, and digital signatures. Breaking them isn't a matter of a clever trick — it would take computing resources far beyond anything realistically available.
How this proves a document wasn't changed
The workflow is simple:
- At signing time, the system computes the SHA-256 hash of the completed document and records it — often inside the certificate of completion and within the digital signature itself.
- Later, when someone wants to verify the document, they recompute its SHA-256 hash.
- They compare. If the two hashes match exactly, the document is byte-for-byte identical to what was signed. If even one character differs, the hashes won't match, and the tampering is revealed.
Because the hash is deterministic and collision-resistant, a match is proof — not a guess.
Hashing plus signing: the full picture
Hashing is powerful, but on its own it just tells you whether a document changed, not who vouched for it. That's why hashing is paired with digital signatures. When you sign, the software hashes the document and then encrypts that hash with your private key. Verifiers decrypt it with your public key and compare it to a freshly computed hash. This links the fingerprint to a verified identity — so you get integrity (nothing changed) and authenticity (a known party signed) in one step. The digital seal on a PDF, often a PKCS#7 structure, wraps all of this together.
How PearSign uses SHA-256
PearSign fingerprints every completed document with a SHA-256 hash and records it in the certificate of completion. The document is then sealed with an AATL-backed digital certificate, so any later alteration breaks both the hash match and the seal. If someone ever asks "is this the exact document that was signed?", the answer is a computation, not an opinion.
FAQ
What is a SHA-256 hash?
SHA-256 is a cryptographic hash function that converts a document of any size into a fixed 256-bit fingerprint, shown as 64 hexadecimal characters. The same document always produces the same hash, and any change to the document produces a completely different one — which is what makes it useful for detecting tampering.
How does hashing prove a document wasn't changed?
The document's hash is recorded when it's signed. To verify later, you recompute the hash and compare it to the recorded one. Because the function is deterministic and highly sensitive to change, a matching hash proves the file is byte-for-byte identical, while any mismatch reveals that something was altered.
Can two different documents have the same hash?
In theory two inputs could collide, but SHA-256 is collision-resistant, meaning it's computationally infeasible to find two different documents that produce the same hash. In practice, a matching SHA-256 hash is treated as reliable proof that two files are identical.
Can someone reverse a hash to recover my document?
No. Cryptographic hashing is one-way. A hash reveals nothing about the content it came from and can't be reversed to reconstruct the original document. This is why a hash can be shared or recorded without exposing the document's contents.
How is hashing different from a digital signature?
Hashing tells you whether a document changed; a digital signature also tells you who vouched for it. Signing works by hashing the document and then encrypting that hash with the signer's private key, binding the integrity check to a verified identity. The two work together in a trustworthy e-signature.
Ready to send your first document with PearSign?
AI drafts it, places the fields, and collects every signature — sealed and audit-trailed.
This article is general information about electronic signatures and related standards — not legal advice. For your specific situation, consult qualified counsel in your jurisdiction.