All articles
Document integrityJuly 9, 2026 7 min read

SHA-256 hash — what it is and how to prove a file has not been altered

Also available in:中文РусскийPortuguêsBahasa Indonesiaहिन्दीFrançaisEspañolবাংলাالعربية

You receive a contract by e-mail today. Six months from now, someone presents "the same" file in a meeting — or in a dispute. How do you prove it is exactly the same document, without a single comma changed? The answer used by forensic examiners, courts and banking systems around the world fits in one word: hash.

This guide explains, without unnecessary jargon, what the SHA-256 hash is, why it works as a file's fingerprint, how to calculate the hash of a PDF (on Windows, on Mac and directly in the browser) and how to use it in the daily routine of anyone who works with important documents.

What a hash is, in plain language

A hash is the result of a mathematical calculation performed over the content of a file. The algorithm reads every bit of the document — every letter, every space, every pixel — and produces a fixed-length sequence, like this:

9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

With SHA-256 (Secure Hash Algorithm, 256 bits), that sequence is always 64 characters long, whether the file is 2 KB or 2 GB.

Four properties make the hash so useful:

  • Deterministic: the same file always produces the same hash — today, tomorrow, on any computer in the world;
  • Avalanche effect: changing a single character in the document — a comma, a space — produces a completely different hash, unrecognizable next to the previous one;
  • One-way: the document cannot be reconstructed from the hash. The hash reveals nothing about the content — which is why it can be shared freely, even for confidential documents;
  • Collision-resistant: in practice, it is computationally infeasible to fabricate two different files with the same SHA-256 hash.

That is why the hash is called the fingerprint of a file: it uniquely identifies that content, without exposing it.

What the hash is used for in practice

If you work in an office — legal, accounting, HR, engineering — the hash solves very concrete problems:

  1. Proving a document was not altered. Recorded the contract's hash on signing day? Anyone can recalculate the hash of the copy presented later and check. Same hash = identical document, bit for bit. Different hash = something was modified.
  2. Checking versions before comparing. Before spending time comparing two versions of a contract, the hash answers in seconds whether the files really differ — two PDFs with different names can be the same document, and vice versa.
  3. Chain of custody for attachments. When splitting a large PDF into parts to upload into systems with size limits, the hash of the original file records which intact document the parts came from.
  4. Validating downloads and file transfers. Received a file by link, USB stick or WhatsApp? The hash confirms it arrived complete and uncorrupted.
  5. Documenting review work. The RoseLab comparison report prints the SHA-256 hash of both compared files — whoever receives the report can confirm the analyzed versions are exactly those.

How to calculate the SHA-256 hash of a file

In the browser, nothing to install (the fastest way)

The RoseLab integrity checker calculates the SHA-256 hash of any file — PDF, Word, image, spreadsheet — directly in the browser:

  1. Open the checker (no account needed);
  2. Drag one or more files onto the page;
  3. Each file's hash appears instantly, with a copy button.

Important: the calculation happens inside your own browser, using the Web Crypto technology. The file is never sent to any server — which matters when the document is confidential.

On Windows (command line)

Open the Command Prompt and use the native certutil utility:

certutil -hashfile "C:\path\contract.pdf" SHA256

Or, in PowerShell:

Get-FileHash "C:\path\contract.pdf" -Algorithm SHA256

On Mac and Linux

In the Terminal:

shasum -a 256 contract.pdf

All three methods produce exactly the same result for the same file — that is the beauty of the standard: anyone, on any system, arrives at the same hash independently.

How to check whether a PDF was altered (step by step)

A common scenario: you have the recorded hash of a document (in a report, in an old e-mail, in meeting minutes) and someone presents a file claiming to be that document.

  1. Open the integrity checker;
  2. Drag in the file being presented;
  3. Paste the recorded hash into the verification field;
  4. The result is immediate: green — the file is identical, bit for bit, to the original; red — the content does not match: the file was modified or is not the same document.

There is no middle ground and no "almost equal": because of the avalanche effect, any change — visible or invisible — completely changes the hash. If the check fails and you want to know what changed, the next step is to open both versions in the PDF comparison tool with automatic difference highlighting turned on.

What the hash proves — and what it does not

Here is the part many people confuse, and it pays to get right:

The hash proves integrity: that the file's content is identical to what existed when the hash was recorded. For that purpose it is practically incontestable — it is the same mechanism used in digital forensics.

The hash does not prove authorship or date. It does not say who created the document, or when. For authorship there is the digital signature (qualified electronic signatures under eIDAS in the EU, ESIGN/UETA-recognized signatures in the US, national PKI schemes elsewhere); for a provable date there is the trusted timestamp. The three mechanisms complement each other — we explain the differences in detail in our guide on document encryption: hash, digital signature and timestamp.

For that reason, the honest way to use hashes with working documents is: record the hash early, in a place that is hard to dispute — in the body of an e-mail sent to the other party, in a shared report, in meeting minutes. The earlier and more public the record, the stronger the integrity evidence.

Hashes and the RoseLab comparison report

When you compare two versions of a document in RoseLab and generate the report, it comes out with:

  • Identification of both files (name and page count);
  • The SHA-256 hash of each version;
  • Date and time of the comparison;
  • The complete list of removed and added passages.

And with one instruction printed on it: don't trust, verify — anyone who receives the report can drag the original files into the public checker and recalculate the hashes on their own. It is independent verification: no need to trust RoseLab, or whoever sent the report — the math checks itself.

This flow is especially useful for reviewing contracts before signature, checking revised versions of official documents, and documenting any review someone else will audit later — the full method is in the complete document comparison workflow.

Good practices for offices

  • Record the hash of important documents the moment they arrive — it takes seconds and creates an integrity milestone;
  • Include the hash in the e-mail when sending final versions ("attached is the contract, SHA-256: abc123...") — the other party can confirm intact receipt;
  • Archive the comparison report together with the compared files — the three together tell the complete story;
  • Before manipulating a file (merging, splitting, compressing or removing pages), record the original's hash: the resulting file will naturally have a different hash, and you want to be able to prove where it came from;
  • Distrust "faithful copies" without verification — the check takes less than a minute and removes the doubt.

Frequently asked questions

Is a SHA-256 hash the same thing as encryption? The hash is a cryptographic function, but it does not "hide" the document — it identifies it. Confidentiality encryption (encrypt/decrypt) is a different mechanism, explained in our document encryption guide.

Can two different files have the same hash? In mathematical theory, collisions exist; in practice, no SHA-256 collision has ever been found, and producing one is beyond known computational capability. It is the standard used by banks, blockchains and digital forensics.

Does renaming the file change the hash? No. The hash is calculated over the content, not the name. final-contract.pdf and version-2.pdf with the same content have the same hash.

Does printing and re-scanning keep the hash? No — the scanned file is a new document (new images, new bytes) and will have a completely different hash, even if the text looks the same. Hashes verify digital files, not paper.

Does the RoseLab checker store my files? No. The hash calculation happens locally, in your browser. No file is ever uploaded or stored on servers.

Can I verify files that are not PDFs? Yes. The checker accepts any format: Word, Excel, images, videos, ZIP. Hashing is a universal file concept, not a PDF concept.

Ready to put it into practice?

Free, no sign-up — and your files never leave your computer.

Verify a file's integrity now — free