DocuTrack
Tamper-evident document verification: a hybrid AES-256-GCM + RSA-PSS signing pipeline with an offline verifier that proves a file is untouched — without trusting the channel it travelled through.

The problem
Documents that move between organisations need a way to prove they have not been altered, without trusting the channel they travelled through.
Approach
A signing service seals each document with AES-256-GCM for confidentiality and integrity, then signs the result with RSA-PSS so the origin can be verified.
A separate verifier service re-checks signatures and runs fully offline, so verification never depends on the signing host being reachable.
Decisions
Why AES-256-GCM and RSA-PSS together, not one
GCM gives authenticated encryption — confidentiality plus a tamper check — but it is symmetric, so it cannot prove who signed. RSA-PSS adds verifiable origin. Splitting the two roles keeps each primitive doing the one job it is strong at.
Offline verifier as a separate service
Verification is the trust-critical path. Isolating it from the signing service gives it a smaller surface, no database writes, and the ability to run where the signing host is not reachable.