SA Deadline: 20 Sep 2026 · {daysToDeadlineString()} Days

Technical Explainer

SHA-256 Hashing for CoC Documents: What It Is and Why It Matters

SHA-256 is a cryptographic hash function that produces a unique 64-character fingerprint for any digital file. When applied to a Certificate of Conformity PDF, it creates a tamper-evident record — if even a single character in the PDF is changed, the SHA-256 hash changes completely. CoC Vault uses SHA-256 hashing to provide verifiable proof that a CoC has not been altered since it was registered.

Quick Facts

Hash Algorithm

SHA-256 (Secure Hash Algorithm 256)

Hash Length

64 hexadecimal characters

Tamper Evidence

Any change alters the hash

Calculation

WebCrypto API in browser

Storage

Immutable ledger on CoC Vault

Use Case

CoC authenticity verification

⏱

Mandatory Deadline

20 Sep 2026 · 140 Days

What Is SHA-256?

A Cryptographic Hash Function

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function developed by the US National Security Agency and published by the National Institute of Standards and Technology (NIST). It is one of the most widely used cryptographic algorithms in the world, used in SSL/TLS certificates, Bitcoin, digital signatures, and many other security applications.

A hash function takes an input of any size (a file, a document, a string of text) and produces a fixed-size output (in the case of SHA-256, a 64-character hexadecimal string). The output is called the hash or digest. The key property of a cryptographic hash function is that it is deterministic — the same input always produces the same output — and collision-resistant — it is computationally infeasible to find two different inputs that produce the same output.

The SHA-256 hash of a PDF file is like a fingerprint of that file. If the file is unchanged, the fingerprint is always the same. If even a single byte of the file is changed — even a space or a comma — the fingerprint changes completely. This property makes SHA-256 ideal for tamper detection.

How SHA-256 Is Applied to CoC Documents

The Hashing Process on CoC Vault

When an importer uploads a CoC PDF to CoC Vault, the SHA-256 hash of the PDF is calculated in the browser using the WebCrypto API — a standard cryptographic API built into all modern web browsers. The hash is calculated client-side, which means the PDF content never leaves the browser until the hash has been calculated and the importer has confirmed the upload.

The calculated hash is displayed on the screen as it is calculated, allowing the importer to verify that the correct file has been uploaded. The hash is then submitted to the CoC Vault server along with the CoC metadata. The server records the hash on an immutable ledger — a permanent record that cannot be altered after the minting fee is paid.

The verification URL minted by CoC Vault resolves to a verification page that shows the CoC metadata and the recorded SHA-256 hash. Anyone who has the original CoC PDF can verify its authenticity by calculating the SHA-256 hash of the PDF and comparing it to the hash recorded on CoC Vault. If the hashes match, the PDF is authentic and has not been altered.

Why SHA-256 Matters for CoC Compliance

Tamper Evidence in the Compliance Chain

The PVoC compliance chain involves multiple parties: the inspection body, the importer, the freight forwarder, the clearing agent, and SARS Customs. At each step, the CoC document is handled and transmitted. Without a tamper-evident record, there is no way to verify that the CoC presented to SARS Customs is the same document that the inspection body issued.

SHA-256 hashing provides this tamper-evident record. When the inspection body issues a CoC PDF and the importer registers it on CoC Vault, the SHA-256 hash of the original PDF is recorded. If anyone attempts to alter the CoC — changing the goods description, the value, or the standards — the hash of the altered PDF will not match the hash recorded on CoC Vault. SARS Customs can detect the alteration by checking the verification URL.

This tamper-evidence property is why CoC Vault's verification URLs are more reliable than paper CoCs or email attachments. A paper CoC can be photocopied and altered. An email attachment can be replaced. A CoC Vault verification URL cannot be forged — the SHA-256 hash is a mathematical proof of authenticity.

Practical Implications for Importers

What the Hash Means for Your Compliance

For importers, the SHA-256 hash means that the CoC registered on CoC Vault is a permanent, tamper-evident record of the original CoC issued by the inspection body. If SARS Customs requests verification of the CoC, the importer can provide the verification URL, and SARS Customs can check the URL to verify that the CoC is authentic.

The hash also protects importers from fraud. If a supplier or intermediary alters a CoC — for example, by changing the goods description to cover a different product — the altered CoC will not match the hash recorded on CoC Vault. The importer can detect the alteration by checking the verification URL before submitting the CoC to SARS Customs.

The SHA-256 hash is calculated from the exact bytes of the PDF file. This means that even minor formatting changes — such as re-saving the PDF with a different PDF viewer — may change the hash. Importers should register the original PDF received from the inspection body without modification.

What is SHA-256 hashing?

SHA-256 is a cryptographic hash function that produces a unique 64-character fingerprint for any digital file. If even a single byte of the file is changed, the hash changes completely. This property makes SHA-256 ideal for tamper detection.

How is the SHA-256 hash calculated for a CoC PDF?

The SHA-256 hash is calculated in the browser using the WebCrypto API when the importer uploads the CoC PDF to CoC Vault. The hash is calculated client-side and displayed on screen before the importer confirms the upload.

Can the SHA-256 hash be forged?

No. SHA-256 is a cryptographic hash function — it is computationally infeasible to create a different PDF that produces the same hash. A CoC Vault verification URL cannot be forged.

What if the CoC PDF is re-saved or modified?

Re-saving a PDF with a different PDF viewer may change the file's bytes, which would change the SHA-256 hash. Always register the original PDF received from the inspection body without modification.

Why does CoC Vault use SHA-256 instead of a simpler method?

SHA-256 is a cryptographic standard used in SSL/TLS certificates, Bitcoin, and digital signatures worldwide. It provides a mathematically provable tamper-evidence guarantee that simpler methods (such as checksums or MD5) do not.

Continue Learning

Verification URL for SARS Customs

How the verification URL works for SARS Customs.

QR Code on CoC Explained

What the QR code on your CoC is for.

Is CoC Vault Real?

More detail on the service and its legitimacy.

CoC Registration Checklist

Step-by-step checklist for registering a CoC.

Your CoC Is Tamper-Evident With SHA-256

SHA-256 hashing makes your CoC verifiable and fraud-resistant. Create your CoC Vault record before the 20 September 2026 deadline.

Sources: Government Gazette No. 54374 (20 March 2026); Standards Act 8 of 2008; Customs and Excise Act 91 of 1964. Last verified: 3 May 2026. certificatesofconformity.co.za is an independent reference publication operated by LinkDaddy LLC, a Florida-registered US entity. Not affiliated with or endorsed by the SABS, NRCS, SARS, or any agency of the Government of South Africa.