How-to guide

How to sign a PDF with a tamper-evident seal

Apply a Completion Seal that proves your PDF existed in a specific state at a specific time — with the signing done locally in your browser.

The signing runs entirely in your browser — only the document hash touches the network.

Seal a PDF Open Seal PDF tool →

Why local signing matters

Most signing tools upload your document to their server to apply the signature. For confidential contracts, HR documents, or financial records, that means sensitive content is transmitted to and processed on third-party infrastructure.

Filecraft's Seal PDF tool computes the cryptographic hash and signature entirely in a Web Worker in your browser. The document content never leaves your device. The only network call is to a Timestamp Authority, which receives only the document hash — a 32-byte fingerprint that reveals nothing about the document's content.

Step by step

Five steps from file to sealed evidence package — all in your browser.

1
Open the Seal PDF tool
Navigate to the Seal PDF tool. This is a Pro feature — a Pro account is required.
2
Drop your PDF
Select or drag the document you want to seal. It is read into your browser's memory.
File location: Your browser
3
Enter your declared intent
State what this seal represents — e.g. "Final version approved for distribution." This text is included in the evidence manifest.
File location: Your browser
4
Click "Seal Document"
Your browser computes the SHA-256 hash, generates an ECDSA-P256 signature, and contacts an RFC 3161 Timestamp Authority. The TSA receives only the hash — not the document.
File location: Your browser
5
Download the evidence package
You receive a ZIP with the sealed PDF, evidence manifest, signature, and timestamp token — independently verifiable by anyone using the free Verify Document Proof tool.

Seal a PDF

Common questions

Is this a legally binding electronic signature?

Filecraft's Completion Seal is a tamper-evident integrity seal, not a qualified electronic signature (QES). It proves that a document existed in a specific state at a specific time and has not been modified since. For contracts requiring legal signatures, consult your legal team about jurisdiction-specific requirements.

How does the seal detect tampering?

The seal includes a SHA-256 hash of the original document and an ECDSA-P256 digital signature. If even one byte of the document changes after sealing, the hash will not match, and verification will fail. The timestamp is provided by an RFC 3161-compliant Timestamp Authority.

Does the signing key leave my browser?

The document hash is computed locally. The signing operation runs in a Web Worker in your browser. The only network call during signing is to the Timestamp Authority, which receives the document hash — not the document content or any identifying information.

Can anyone verify a sealed document?

Yes. The Verify Document Proof tool is free and does not require an account. Anyone with the evidence package can verify the seal independently.

What is included in the evidence package?

A ZIP archive containing: the sealed PDF, the evidence manifest (signer identity, timestamp, declared intent), the ECDSA signature, and the RFC 3161 timestamp token. Everything needed for independent verification.

How local processing works →Security architecture →