The contract verification information file is a digital certificate proving that the contract is valid, securely sealed and signed by all contract parties, and that their signatures are verified. Contract verification is available only after all contract participants (with signatory role) sign the contract.
The signed contract is electronically sealed to ensure integrity and provide non-repudiation. This means that any change that is made to the contract, even if it is just a single character, will break the seal and the change can be detected.
To apply the seal to the contract Oneflow partners with Sovos Trustweaver. Sovos Trustweaver is a Qualified Trusted Service Provider and the seal that is applied to the contract is a Qualified Electronic Seal.
However, the qualified seal is not applied directly on the contract PDF but rather to a verification PDF. The verification contains a fingerprint (or hash or digest) of the contract PDF, and provides a cryptographically secure link between the seal, the content of verification and the contract content. The attachments to the contract are secured in the same manner, with cryptographically secure hashes to all attachment files.
To validate the integrity of a contract and attachments follow the steps below.
Contract verification is available only after all contract participants sign the contract.
Download the contract as a PDF
Before downloading the contract verification, you need to download your contract as a PDF:
- In Oneflow, open your contract and click Download as PDF.
Depending on your contract party, the feature will be available in different parts of the contract:
- Owner-side - Settings tab
- Counterparty - Participants tab.
Open the contract in Adobe Reader
Now that you have downloaded the PDF contract on your device:
- Open the PDF in Adobe Reader and click the Attachment icon to the left.
- Open the Verification.txt file, choose the Open this file option, and click OK.
- Copy the verification link and paste it into your browser.
- The verification should be downloaded, and you can open it in Adobe Reader.
If the verification wasn't downloaded, click Click here if the download does not start automatically.
- When you open the verification, it will look like this:
Note the blue bar at the top saying “Signed and all signatures are valid”. This will prove that the integrity of the verification PDF has not been broken.
Validate integrity of the contract PDF
To validate the integrity of the contract PDF you need to get the sha256 sum of the contract PDF.
On Windows this can be done by running the following command in a terminal window.
C:\> certUtil -hashfile C:\contract.pdf SHA256
Compare the output (the hash) of the command with the “Secure hash” in the verification PDF. If they are the same it proves the integrity of the contract PDF as even changing a single character/byte in the contract PDF will change the hash.
Further details on how to validate the contract PDF can be found on page two of the verification PDF.
If you want to be able to verify contracts after removing them from Oneflow, make sure you download both the contract.pdf and verification.pdf, including all attachments.