Someone alters a clause in a signed contract and re-sends it as the executed version. They hope nobody checks. Here's why they're wrong — and the multiple signals that flag tampering.
Cryptographic hashing
Every signed PDF has — or should have — a cryptographic hash recorded at the time of signing. Modify the file by one byte and the hash no longer matches. This is the strongest tamper-evidence signal.
Digital signatures (with embedded certificates) verify this automatically when you open the PDF. Electronic signatures rely on the platform's audit trail carrying the original hash for comparison.
Signature invalidation
When a PDF has a digital signature and you edit the document, most viewers (Acrobat, modern browsers) immediately flag the signature as broken. The signature was valid for the document at the moment of signing; the document is no longer that document.
For electronic signatures, opening the file alongside its audit trail reveals the mismatch — the hash on the audit trail no longer matches the file.
Metadata fingerprints
Every edit to a PDF leaves traces in the file's metadata, incremental updates, and stream structure. Forensic tools (PDFStreamDumper, pdfinfo) can show:
- The list of incremental saves and their timestamps. - Which software produced each change. - Cross-reference tables that don't line up cleanly when content has been spliced.
A carefully-edited PDF can hide visual changes; hiding structural fingerprints is much harder.
Visual forensics
Pixel-level analysis catches inserted text whose anti-aliasing or font hinting doesn't match the rest of the page. Font metadata reveals when a substituted glyph came from a different rendering pass. Whitespace patterns differ when paragraphs are reflowed.
For litigation, forensic PDF examination is a recognised discipline. It catches almost all amateur alterations and most professional ones.
FAQ
Can I tamper-proof a PDF myself?
Add a digital signature, or sign through a platform that records a cryptographic hash in an audit trail. Both make subsequent alterations detectable.
Will printing and re-scanning hide tampering?
It removes cryptographic evidence but leaves visual and metadata evidence. Forensic examination still catches most alterations.
Does PDF/A help with tamper-evidence?
PDF/A is an archival format, not a security format. It freezes appearance but doesn't add cryptographic protection. Combine with a digital signature for tamper-evidence.
Can signing platforms detect altered files?
Yes. Re-uploading an altered file to the platform shows a different hash from the recorded signing hash. The platform can flag this in its verification UI.
If a signed PDF matters, sign it through a tool that records the hash. Flint does this by default.