Proving File Existence, Ownership, and Integrity: A Step-by-Step Guide

This guide outlines a reliable method to prove a file's existence, ownership, and integrity at a specific time using emails, SHA-256 hashing, and OpenPGP digital signatures. Follow these steps to create an indisputable record.

Step 1: Email Files to Establish Timestamp

Send the file to two independent email addresses (e.g., emailaddress1@gmail.com and emailaddress2@outlook.com) in a single email. Each provider's mail servers timestamp the message on receipt, and users cannot alter that timestamp. Forwarding the email to a requesting party reveals the original timestamp in the email header and metadata, proving the file existed at that time. Using two services provides redundancy, as it's highly unlikely both would have incorrect timestamps simultaneously.

Step 2: Generate SHA-256 Hash to Prove File Integrity

Use software like RapidCRCUnicodePortable.exe or the Windows command line (certutil -hashfile "filename.ext" SHA256) to create a SHA-256 hash of the file. This generates a unique 256-bit "fingerprint." Even a one-byte change produces a different hash, so a hash that still matches proves the file hasn't been tampered with. Verify the hash at https://emn178.github.io/online-tools/sha256_checksum.html. Store the original file on a USB drive for additional verification if needed.

Example:

For a file named letter.jpg:

  • Run: certutil -hashfile letter.jpg SHA256
  • Save the output as letter.jpg.sha256.
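
The check a recipient can run later, as an added example that is not part of the original guide: a Python script that re-hashes the file and compares it with the digest recorded in letter.jpg.sha256. The function names are hypothetical, and the saved-output layout it parses (certutil's three-line output, optionally with space-separated bytes or UTF-16 encoding from PowerShell redirection) is an assumption about how the sidecar file was created.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
SPACED = re.compile(r"\s*(?:[0-9a-fA-F]{2}\s+){31}[0-9a-fA-F]{2}\s*")

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def extract_digest(raw):
    """Return the single SHA-256 digest in saved certutil output (bytes), else raise."""
    # PowerShell 5 ">" redirection writes UTF-16 with a BOM; cmd.exe writes single-byte text.
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if utf16 else "utf-8", errors="replace")
    found = set()
    for line in text.splitlines():
        if SPACED.fullmatch(line):  # older certutil builds print "e3 b0 c4 ..."
            line = "".join(line.split())
        found.update(m.lower() for m in HEX64.findall(line))
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    return found.pop()

def verify(file_path, sidecar_path):
    """True only if the file's current hash equals the recorded one."""
    return sha256_file(file_path) == extract_digest(Path(sidecar_path).read_bytes())

def demo():
    """Constructed sample: a stand-in letter.jpg and a certutil-style sidecar."""
    with tempfile.TemporaryDirectory() as tmp:
        letter = Path(tmp, "letter.jpg")
        sidecar = Path(tmp, "letter.jpg.sha256")
        letter.write_bytes(b"constructed sample bytes, not a real photo")
        out = f"SHA256 hash of letter.jpg:\n{sha256_file(letter)}\n"
        sidecar.write_text(out + "CertUtil: -hashfile command completed successfully.\n")
        intact = verify(letter, sidecar)
        letter.write_bytes(b"constructed sample bytes, not a real phot0")  # one byte changed
        return intact, verify(letter, sidecar)

if __name__ == "__main__":
    print(demo())
```

A sidecar with no digest, or with more than one distinct digest, raises an error instead of being treated as a match.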

Step 3: Sign Files with OpenPGP to Prove Ownership

Use Kleopatra or another OpenPGP tool to sign the file with your private cryptographic key, producing a .sig file. The signature identifies your key by its fingerprint (e.g., LK43JHTG54IOT34HIFO4ING4IOAL4ITJIRENV4IOIJ), which proves you own the file. Verify the signature using:

cd C:\Users\Downloads
gpg --verify letter.jpg.sig letter.jpg

Expected output:

gpg: Signature made 10/08/25 13:05:40 Eastern Daylight Time
gpg:                using RSA key LK43JHTG54IOT34HIFO4ING4IOAL4ITJIRENV4IOIJ
gpg: Good signature from "Your Name <emailaddress2@outlook.com>" [ultimate]

Check for a matching RSA key and “Good signature.” The timestamp relies on the computer’s clock, which isn’t fully reliable, but alignment with email timestamps strengthens validity. Verify the fingerprint at https://keys.openpgp.org/.

Workflow Example: Proving a Received Letter

  1. Photograph the Letter: Take a photo of the letter with your phone and transfer it to your computer (e.g., letter.jpg).
  2. Generate SHA-256 Hash: Use RapidCRCUnicodePortable.exe or certutil to create letter.jpg.sha256.
  3. Sign the File: Use Kleopatra to sign letter.jpg, creating letter.jpg.sig.
  4. Email Files: Attach letter.jpg, letter.jpg.sha256, and letter.jpg.sig to an email from your primary account (e.g., originatingemail@gmail.com) to emailaddress1@gmail.com and emailaddress2@outlook.com.
  5. Check Metadata: Optionally, verify the file’s metadata (e.g., creation date) for additional timestamp evidence.

What this does

  • Emails: Prove existence at a specific time via unalterable timestamps from trusted providers.
  • SHA-256 Hashes: Confirm the file remains unchanged, as identical hashes mean identical files.
  • OpenPGP Signatures: Verify ownership through your unique cryptographic key.
  • Combined: These methods create a forensic-standard record of existence, ownership, and integrity.

This process is also effective for digital files like voicemails or drafted letters, ensuring undeniable proof of their existence and authenticity.