How to verify a declassified document is authentic
Declassified and FOIA-released records are copied, re-scanned, and re-hosted endlessly as they circulate online — and along the way they get mislabeled, degraded, and occasionally altered. This guide shows how a SHA-256 fingerprint lets you confirm, in under two minutes and without trusting anyone, that the file in front of you is the genuine, unaltered record.
What a SHA-256 fingerprint actually is
A SHA-256 hash is a short, fixed-length fingerprint computed from a file's exact bytes. Three properties make it useful for provenance:
- Deterministic. The same file always produces the same 64-character fingerprint, on any computer, forever.
- Tamper-evident. Change a single byte — one redaction, one re-saved page — and the fingerprint changes completely.
- One-way and private. The fingerprint reveals nothing about the contents, so it can be published openly and checked locally.
A real fingerprint looks like this: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Verify a file in three steps
1. Find the published hash
Every document page on VeriFOIA shows the file's official SHA-256 fingerprint, recorded the moment the file was sealed. That published string is your reference value.
2. Compute the hash of your copy
The simplest way is our in-browser verification tool: drop in the file and it computes the hash locally — the file never leaves your device. Prefer the command line? Every operating system already has a hasher built in:
macOS / Linux
shasum -a 256 document.pdf
# or
sha256sum document.pdf
Windows
certutil -hashfile document.pdf SHA256
3. Compare the two strings
Match the 64 characters you computed against the published hash. If they are identical, your copy is authentic and byte-for-byte unaltered. If even one character differs, the files are not the same — see the troubleshooting note below.
What a matching hash does — and doesn't — prove
A matching fingerprint proves integrity: your copy is identical to the copy the archive sealed. It does not, by itself, prove origin — that a particular agency authored the record. Origin is established by tracing the document back to its official source. That's why every VeriFOIA record links to its public government source wherever one exists, so integrity and provenance reinforce each other.
If the hashes don't match
A mismatch simply means the two files aren't identical. Before assuming tampering, rule out the ordinary causes: an interrupted or incomplete download, a PDF that a viewer re-compressed or re-saved on the way to you, or a genuinely different edition of the document. Re-download from the original source and recompute the hash.
Frequently asked questions
SHA-256 is a standardized cryptographic function that reads a file and produces a fixed 64-character fingerprint. The same file always yields the same fingerprint, and changing even one byte produces a completely different one. It is one-way: the fingerprint reveals nothing about the file's contents.
No. A matching hash proves your copy is byte-for-byte identical to the copy the archive published — it proves integrity, not origin. To establish origin you still trace the document back to its official source, such as the U.S. National Archives, which VeriFOIA links wherever possible.
No. In-browser verification computes the hash locally on your device using the Web Crypto API. The file never leaves your computer; only the resulting hash is compared.
Primary-source records are routinely re-hosted, re-scanned, mislabeled, and sometimes deliberately altered as they spread online. A cryptographic fingerprint lets any reader confirm they are looking at the exact record — not a doctored or degraded copy — without having to trust the host.
A mismatch means your copy is not identical to the sealed one. Common innocent causes are an incomplete download, a re-compressed or re-saved PDF, or a different edition of the file. Re-download from the original source and check again before drawing any conclusion.
Start exploring verified records
Every document in the archive is sealed with a SHA-256 fingerprint you can check yourself.