Compliance

Chain-of-custody integrity-manifest export

Export a study with a SHA-256 integrity manifest and audit snapshot so recipients can detect corruption or modification.

Problem

For regulatory or legal purposes, you want to export a DICOM file alongside an integrity manifest that lets a recipient detect whether the file (or its audit snapshot) was corrupted or modified after export. The manifest is a SHA-256 hash stored in a detached sidecar (.dcm.sig) that can be independently re-checked.

Scope. This is a corruption-detection control, not a cryptographic signature. The manifest is unkeyed, so anyone who edits the .dcm can recompute the hash and rewrite the sidecar; it does not prove authorship and is not tamper-proof against a deliberate adversary. Cryptographic non-repudiation via asymmetric signatures is the planned extension (use case 10.5).

Steps

  1. Open the DICOM file — click Open files… (⌘O) and load the file to export.
  2. Export with integrity manifest — click the Export button in the top bar, then select Export with Integrity Manifest….
  3. Download outputs — the system produces two files: filename_export.dcm (the exported DICOM file) and filename_export.dcm.sig (the detached integrity manifest sidecar).
  4. Verify integrity later — open the Verify Integrity Manifest modal (⌘P, then “Verify integrity manifest…”). Upload the .dcm file and its .dcm.sig sidecar. Click Verify — the modal shows “Integrity verified” in green.
  5. Test corruption detection — modify even a single byte of the .dcm file. Re-verify: the modal shows “Integrity check FAILED” in red, proving the hash detects any alteration.
  6. Verification scope — the manifest hashes the entire DICOM file and its audit snapshot. Any change to either — no matter how small — causes verification to fail.
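
An independent re-check of steps 4 to 6, written as an added example; it is not the product's own code. The page does not document the .dcm.sig layout, so the JSON sidecar, its field names, the embedded audit snapshot and the length-prefixed hashing are all assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import json

def _digest(dcm: bytes, audit: bytes) -> str:
    # One SHA-256 over both inputs; length prefixes keep the boundary unambiguous.
    h = hashlib.sha256()
    for part in (dcm, audit):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()

def build_manifest(dcm: bytes, audit: bytes) -> str:
    # Assumed sidecar layout (JSON); the real .dcm.sig format is not documented here.
    return json.dumps({"alg": "SHA-256", "audit": audit.decode("utf-8"),
                       "digest": _digest(dcm, audit)}, sort_keys=True)

def verify_manifest(dcm: bytes, sidecar: str) -> bool:
    # Recompute from the received bytes; malformed sidecars fail closed.
    try:
        m = json.loads(sidecar)
        if m["alg"] != "SHA-256":
            return False
        expected = _digest(dcm, m["audit"].encode("utf-8"))
        return hmac.compare_digest(expected, m["digest"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def demo() -> dict:
    # Constructed sample bytes: 128-byte preamble + "DICM" magic, not a real study.
    dcm = b"\x00" * 128 + b"DICM" + b"constructed sample payload"
    audit = b'{"event":"export","user":"constructed-user"}'
    sidecar = build_manifest(dcm, audit)
    flipped = dcm[:-1] + bytes([dcm[-1] ^ 0x01])  # single-bit change in the file
    edited = sidecar.replace("constructed-user", "other-user")  # audit snapshot edit
    return {
        "unmodified": verify_manifest(dcm, sidecar),
        "one_byte_changed": verify_manifest(flipped, sidecar),
        "audit_edited": verify_manifest(dcm, edited),
        "truncated_sidecar": verify_manifest(dcm, sidecar[:20]),
        # Limit stated under Scope: the hash is unkeyed, so a sidecar
        # regenerated after the change verifies again.
        "regenerated_sidecar": verify_manifest(flipped, build_manifest(flipped, audit)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'Integrity verified' if ok else 'Integrity check FAILED'}")
```

The last case is why the Scope paragraph calls this a corruption-detection control: a passing check says the file matches the sidecar it arrived with, not who produced either one.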

Expected Result

  • The integrity-manifest export produces two files: the DICOM file and its .dcm.sig sidecar.
  • Verification of an unmodified file shows “Integrity verified” (green).
  • Verification of a corrupted/modified file (even 1 byte changed, or an edited audit snapshot) shows “Integrity check FAILED” (red).
  • Both files must be uploaded together in the Verify modal for validation.
  • The hash-based manifest provides corruption-detection assurance; adversarial tamper-evidence is the planned asymmetric-signing extension (10.5).