What Is an Integrity Seal? Tamper-Evident Certificates Explained

Introduction

An integrity seal is, in one plain sentence, a SHA-256 hash computed over a certificate's content so that anyone can tell whether the document has been altered. Every certificate produced by e-Dex (formerly Hash Calculator) carries one. The idea is simple but powerful: the seal is a fingerprint of the exact bytes of the certificate, so if even one character later changes, the fingerprint no longer matches and the tampering becomes obvious. This article explains how a seal makes a document tamper-evident, how it differs from a signature and a timestamp, and how you can check one yourself for free.

How a Hash Makes a Document Tamper-Evident

A cryptographic hash such as SHA-256 takes any input — a line of text, a whole certificate — and produces a fixed-length string of characters that acts as a fingerprint of that input. The key property is sensitivity: change a single character, a space, or one byte, and the resulting hash is completely different. There is no way to nudge the content slightly and keep the same hash. So when a certificate prints its SHA-256 seal alongside its content, that seal is a commitment to the exact text. Recompute the hash over the content and compare: if it equals the printed seal, nothing was touched; if it differs, the content was edited, corrupted, or replaced. That recomputable check is exactly what "tamper-evident" means.

Seal vs Signature vs Timestamp

These three layers answer three different questions and are easy to confuse. The integrity seal answers has the content been altered? — it proves the document is unchanged, but says nothing about who made it. A PAdES digital signature answers who? — it binds a signer's verified identity (via a Digital Signature Certificate) to the document, so attribution is provable. An RFC-3161 timestamp answers when? — it records, against an independent Time-Stamping Authority, that the document existed at a particular moment. They layer cleanly: the seal is the base integrity check, a signature can be applied over the sealed content to add identity, and a timestamp can seal the moment in time. For a deeper walk through signing and timestamping, see our guide on how to sign and timestamp a forensic certificate with PAdES and RFC-3161.

How to Check an Integrity Seal Yourself

Checking a seal is something anyone can do, and it needs no special trust in the issuer. The manual route is to recompute the SHA-256 hash over the sealed content and compare it, character for character, with the seal value printed on the certificate — a match means the content is unaltered. If you would rather not run a hash tool by hand, the easiest path is the free online verifier at /verify-certificate.html, which recomputes the seal for you and shows the result. Either way the comparison is yours to make; you are not asked to take the issuer's word for it. If you want to compute SHA-256 over your own files directly, the e-Dex desktop app does that offline as well.

Why It Matters for Evidence, Audit and Compliance

In evidence, audit and compliance work, the recurring need is for an artifact that can defend itself. A report, a ledger extract, or a certificate that simply asserts "this is correct" carries no weight if it cannot be checked. An integrity seal turns the document into a self-checkable artifact: months later, a reviewer, an auditor, or an opposing party can recompute the seal and see for themselves whether the content is the same one that was issued. That makes the document defensible without relying on memory or on the issuer's good faith, and it is cheap to verify, which is why a seal sits well at the base of any evidence or audit trail.

A Note on Trust

It is worth being precise about what a seal does and does not prove. A seal proves that the content is unaltered — it does not prove who created the document. Anyone can compute a SHA-256 hash over any content, so the seal alone does not establish authorship or authority. Proving identity is the signature's job: a PAdES signature backed by a Digital Signature Certificate binds a known signer to the document. Used together, the seal and the signature give you both halves of the picture — the content is intact, and you know who stands behind it. Treating the seal as a proof of identity is the one mistake to avoid.

Frequently Asked Questions

What is an integrity seal on a certificate?
An integrity seal is a SHA-256 hash computed over the content of a certificate. Because the hash changes completely if even one character of the content changes, the seal makes the certificate tamper-evident: anyone can recompute it and confirm whether the document is exactly as it was issued. Every e-Dex certificate carries such a seal.

How does an integrity seal make a document tamper-evident?
SHA-256 produces a fixed-length fingerprint of the content. Changing a single character, space or byte produces a completely different fingerprint. So if the seal printed on the certificate still matches a freshly computed SHA-256 over the content, the content is unaltered; if it no longer matches, something was changed. That recomputable check is what makes the document tamper-evident.

What is the difference between an integrity seal, a digital signature and a timestamp?
A seal proves the content is unaltered. A PAdES digital signature proves WHO issued or signed it, by binding a signer's identity to the document. An RFC-3161 timestamp proves WHEN it existed, against an independent Time-Stamping Authority. They layer: the seal is the base integrity check, the signature adds attribution, and the timestamp adds a trusted point in time.

How can I verify an integrity seal myself?
You can recompute the SHA-256 hash over the sealed content and compare it to the seal value printed on the certificate. If the two match, the content is unaltered. The simplest way is the free online verifier at /verify-certificate.html, which recomputes the seal for you in the browser. No account, payment or upload of your files to a server is required.

Does an integrity seal prove who created the certificate?
No. A seal proves only that the content has not changed since it was sealed. It does not prove identity or authorship. Establishing who issued the document is the job of a digital signature, such as a PAdES signature backed by a Digital Signature Certificate. The seal and the signature answer two different questions and are strongest used together.

Conclusion

An integrity seal is a small thing that does a great deal: a SHA-256 fingerprint that turns any certificate into a tamper-evident, self-checkable document. It proves the content is unaltered, while a PAdES signature adds who and an RFC-3161 timestamp adds when — three layers that fit together neatly. You can produce sealed certificates, and recompute SHA-256 over your own files, fully offline on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start issuing documents that prove their own integrity. Related reading: our explainer on the evidence integrity certificate.