Login

Guaranteeing trust with XBRL digital signatures

Posted on February 5, 2026 by Editor

This guest blog is by Tom Wacha, Director of XBRL Product Management at Workiva and a volunteer on the Arelle open source XBRL platform. He is also a member of XBRL International’s Best Practices Board.

Today, business reporting has transitioned from paper documents to digital data. While this shift has increased transparency and efficiency, it has introduced a critical new challenge: trust. While organisations spend millions on internal controls, the final digital report can be altered in seconds and is often transmitted to the regulator without proof of integrity.

The challenge is real. Multiple enforcement cases over the past several years highlight the dangers of relying on assumed trust rather than guaranteed authenticity.

How can regulators, investors, and stakeholders be certain that the document, as well as the machine-readable XBRL data, is authentic?  The answer lies in the Digital Signatures in XBRL (D6) specification from XBRL International, which provides a digital seal of authenticity that guarantees the identity of the sender and the integrity of the data.

The new specification:

  • Permits the addition of any number of any legally recognized digital signatures to a report. For example, it would permit separate digital sign-off by the CEO, CFO and Auditor.
  • Reduces the potential for fraudulent filings by third party bad actors.
  • Reduces the potential for fraudulent filings by companies themselves (as it would be difficult to fake an auditor signature without the auditor being involved in the fraud).
  • Provides a range of other possibilities for clarity, consistency and accountability for policy makers to consider.

What is a Digital Signature?

A digital signature is a cryptographic mechanism that serves as verifiable proof that a document was signed by a specific individual or entity. It performs two essential functions:

  1. Identity Verification: It proves that the document was created by the claimed author or auditor.
  2. Integrity Assurance: It ensures that the document has not been modified since it was signed. If even a single character in the report is changed after signing, the signature is immediately invalidated.

Why It Matters

For regulators and companies, the adoption of digital signatures offers significant strategic advantages beyond simple compliance.

  1. Preventing Fraud and Protecting Reputation: There are multiple examples of market disruptions caused by fake or tampered reports. Digital signatures address this vulnerability head-on. By establishing a chain of custody, stakeholders can verify that the data they receive is exactly what was authorized by the issuer, minimizing the risk of cybercrime and AI-powered fraud.
  2. Non-Repudiation (The “You Signed It” Guarantee): One of the most powerful features of digital signatures is “non-repudiation.” Once a report is digitally signed, the signatory cannot later deny their involvement. This increases accountability at all levels, ensuring that executives and auditors stand firmly behind the data they release.
  3. Granular Accountability: Modern corporate reports are complex, often combining financial data with sustainability (ESG) metrics. The Digital Signatures in XBRL standard supports “partial signatures,” which allows for multiple signatures within a single report.
    • The CFO can sign the financial statements.
    • The Sustainability Officer can sign the environmental disclosures.
    • The Auditor can sign the portions they are responsible for.
    • The CEO can sign the overall report.

This granularity allows organizations to assign precise responsibility, ensuring each stakeholder signs off only on the sections for which they are directly accountable.

  1. Streamlined Audits and Oversight: For regulators and auditors, digital signatures provide transparency. They can easily trace the origin of the data and verify that the report has been audited by the stated auditor without unauthorized modifications.

How It Works – Overview

Before we dig into the more technical details of digital signatures, we’ll summarize how they work at a high level. The Digital Signatures in XBRL standard uses something called a Report Package, which acts as a secure container.

This container holds either the standard report and XBRL file or the Inline XBRL report, along with the digital signature files. Importantly, the specification is technology agnostic, allowing any legally recognized digital signature specification to be used.

The Technical Architecture: Solving the “Modification Paradox”

Implementing digital signatures in XBRL presents a unique technical challenge. In traditional PDF workflows, signatures are often embedded directly into the document. However, blindly inserting a signature block into an XBRL code file counts as a modification to that file—paradoxically invalidating the very integrity check being performed. The D6 specification solves this through containerization.

Instead of modifying the report file, the standard uses the Report Package format—essentially a specialized ZIP file that acts as a “black box” shipping container. This container holds:

  1. The original, untouched XBRL report
  2. A new “META-INF” directory containing the digital signatures

This “detached signature” approach ensures the financial data remains byte-for-byte identical to what the company generated, while the cryptographic proof travels securely alongside within the same report package.

Under the Hood: d6.json and Granularity

Within the “META-INF” directory, a file named “d6.json” acts as the traffic controller. It identifies the version of the specification and lists every signature applied to the package. This architecture is what enables the granular accountability that is so valuable to organizations.

The specification uses specific JSON structures to target “partial signatures”:

  • Fact IDs: For data-centric signing, a signature can target specific XBRL facts (e.g., “sign only the revenue tag”).
  • CSS Selectors: For human-readable Inline XBRL reports, the signature can target visual sections of the document. For example, using a selector like “div#auditors-report” allows an auditor to cryptographically lock only their specific opinion letter within the larger annual report.

Securing the Supply Chain: “What You See Is What You Sign”

An Inline XBRL report often relies on external dependencies like CSS stylesheets, company logos (images), and taxonomy schemas. A common cyber-attack vector involves swapping a referenced image or font file to alter how a number appears to the human eye without changing the underlying code.

The D6 specification counters this by requiring cryptographic digests for all dependencies. The system creates a “manifest” using SHA-256 (or SHA-512) hashes for every supporting file. If a malicious actor tries to swap the company logo or alter a stylesheet to hide a negative number, the hash will not match, and the digital signature validator will return an error code. This guarantees that the report the regulator sees is identical to the one the executive signed.

Future-Proof Flexibility

Because the specification is technology agnostic, it does not force organizations to adopt a proprietary encryption method. Instead, it allows for the use of any legally recognized standard, such as XAdES, CAdES or whichever standard may emerge in the future.

Furthermore, it is designed to support vLEI (Verifiable Legal Entity Identifiers). By tying the cryptographic keys to a LEI, the system validates not just who signed the report, but their authorized role within the specific legal entity, effectively preventing identity spoofing.

Call To Action

In an era in which open source AI-powered tools can boost the technical prowess of any would-be securities fraudster or thief to previously unimaginable levels of skill, policy makers and regulators can’t afford to ignore existing risks in their infrastructure and policies.  Some, while seemingly minor in size could have catastrophic consequences for individual companies and overall trust in markets.

The introduction of digital signatures marks a shift from a system where trust is assumed to one where trust is guaranteed. The next step is for software vendors to integrate the specification into their software to demonstrate the value it provides. That in turn will make it easier for regulators to mandate the use of digital signatures in XBRL filings, which is needed if they are to gain widespread adoption so that we can secure the global reporting supply chain.

 

Other Posts

Calendar

February 2026
M T W T F S S
 1
2345678
9101112131415
16171819202122
232425262728  

Newsletter
Newsletter

Would you like
to learn more?

Join our Newsletter mailing list to
stay plugged in to the latest
information about XBRL around the world.

  • This field is for validation purposes and should be left unchanged.

By clicking submit you agree to the XBRL International privacy policy which can be found at xbrl.org/privacy