Someone hands you a contract and says it's the executed version. You check the document hash against the one on the signing certificate. They match. The document is the one that was signed. Done.
What a hash is
A hash function takes any input — a PDF in this case — and produces a fixed-length string of characters. The same input always produces the same output. Different inputs almost always produce different outputs.
The standard hash for PDFs is SHA-256, producing a 64-character hexadecimal string. Change one bit of the PDF and the hash changes completely.
Why hashes matter for signatures
When you sign a PDF, the signature is over the document's hash, not the document itself. The hash is small and easy to sign; the document might be 200 pages.
At verification time, anyone can recompute the hash of the document they have and compare it to the hash the signature was applied to. Match = same document. Mismatch = altered.
Computing a hash
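On macOS or Linux: `shasum -a 256 contract.pdf`. On Windows: `Get-FileHash contract.pdf -Algorithm SHA256`. The digest is the same 64 hexadecimal characters on every platform, so anyone with the file can verify it against the published hash. PowerShell prints the digest in uppercase and `shasum` prints it in lowercase, so compare without regard to case.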
Flint's signing tool records the document hash in the audit trail. To verify later, compute the hash of the received file and compare.
Edge cases
Adding annotations or comments, or even opening and re-saving a PDF in some viewers, can alter the hash. For the strongest integrity, ship the file with its hash and don't pass it through tools that re-save.
If the hash doesn't match the signing record, the document has been altered. Investigate before relying on it.
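The check from "Computing a hash" and the re-save edge case above, as one cross-platform script. This is an added example, not Flint's code: the function names and the sample bytes are assumptions made for illustration, and the recorded hash is whatever value you copied from the signing record.

```python
import hashlib
import re
import tempfile
from pathlib import Path

_HEX64 = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large PDF is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalise_recorded_hash(recorded):
    """Accept either letter case and stray whitespace; reject non-SHA-256 values."""
    value = "".join(recorded.split()).lower()
    if not _HEX64.fullmatch(value):
        raise ValueError("recorded value is not a 64-character SHA-256 hex digest")
    return value

def verify_document(path, recorded):
    """Return (matches, computed_hash) for the file against the recorded hash."""
    expected = normalise_recorded_hash(recorded)
    actual = sha256_file(path)
    return actual == expected, actual

def demo():
    # Constructed sample bytes standing in for a signed PDF.
    original = b"%PDF-1.7\n% constructed sample, not a real contract\n%%EOF\n"
    with tempfile.TemporaryDirectory() as tmp:
        received = Path(tmp) / "contract.pdf"
        received.write_bytes(original)
        # Uppercase, as Get-FileHash would print the recorded value.
        recorded = hashlib.sha256(original).hexdigest().upper()
        intact, _ = verify_document(received, recorded)
        # Simulate a tool re-saving the file: a single appended byte.
        received.write_bytes(original + b"\n")
        resaved, _ = verify_document(received, recorded)
    return intact, resaved

if __name__ == "__main__":
    print(demo())
```

A value of the wrong length, such as a 32-character MD5 digest pasted by mistake, raises `ValueError` instead of being reported as a mismatch.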
FAQ
Is SHA-256 secure for PDF hashing?
Yes. SHA-256 is the modern standard, considered secure for the foreseeable future. Older PDFs may use SHA-1 or MD5 — both should be considered weak.
Can two different PDFs have the same hash?
Theoretically yes (called a collision), but with SHA-256 the chance is astronomically low — no practical collisions have ever been found.
What if my PDF viewer modifies the file when I open it?
Modern viewers usually don't, but some do save updated metadata. To preserve the hash, store the file as received and only open copies for review.
Where do I see the hash in Flint?
On the certificate of completion. The hash appears in the document details section and is what binds the signature to the file.
If you care about integrity, compare hashes. Flint records yours at every signing.