verifyhash Get the verifier

Offline · Zero-trust · Reproducible from source

Don't trust us.
Verify it yourself.

A sealed artifact carries its own proof. You re-derive it from the bytes on your own machine — you don't take our word, and you don't call our server. There isn't one.

LIVE SHA-256 · COMPUTED IN THIS PAGE requests sent: 0

This box is pinned to the digest of its original text. Change one character and watch it flip to REJECT — that's the entire product, running with zero network.

Recomputed digestsha256
pinned →
ACCEPT — bytes match the pin exit 0

Why it's trustworthy

The trust model is: there is no trust.

0
Servers to trust
Verification is a pure function of the bytes. Nothing is phoned home; there is no backend to compromise or subpoena.
0
Accounts, keys, tracking
Download one file and run it. No signup, no telemetry, no API key to check a proof.
0/3
A plain exit code
Exit 0 accepted, 3 rejected. Drop it into CI to gate on the sealed file set — add --exact-dir when gating a build directory, so a file the seal never named is rejected too.
1:1
Reproducible bundle
Rebuild the verifier from source in memory and confirm it's byte-for-byte what we published.

Three ways to start

Check a sealed packet in under a minute.

Someone sends you a .vhevidence.json packet and the address they signed with. You confirm the bytes are unaltered and the signer is who they claim — offline.

01

In your browser

No terminal. Open one offline page (SHA-256 sidecar) — it has a built-in sample packet, so you can watch ACCEPT, tamper one byte, and watch REJECT before you ever drop a real packet in. The page contains no network API at all — the devtools Network tab stays empty. For CI/production gating use the node standalone, card 02.

Open the verifier

02

In the terminal

One file, zero dependencies, Node core only. Built for CI gating.

curl -O https://verifyhash.com/verify-vh-standalone.js
node verify-vh-standalone.js packet.json --vendor 0x…

Published SHA-256:699485793b6fb0e79281993e1c06e78ff331d26407796e871028200d29663b4f

03

From npm

Install the full vh toolchain — hash, anchor, seal, verify.

npm i -g verifyhash   # or, no install: npx --yes -p verifyhash vh
vh --help

Don't trust our checksum either. Rebuild the verifier from source in memory and confirm it's byte-for-byte what we published — node verifier/build-standalone.js --check. The build-provenance manifest maps every published hash back to the exact source modules it inlines, so you can root trust in code you read. Read the full source on GitHub →

For your coding assistant

Let your AI agent wire it up.

Paste this into Claude Code, Cursor, or any coding agent. It reads the machine-readable llms.txt and sets verifyhash up in your project — download, CI gate, and all — while keeping the honest trust boundary intact.

Add verifyhash (read https://verifyhash.com/llms.txt) to this project:
1. download the standalone verifier and check its published SHA-256,
2. add a CI step that runs it on any *.vhevidence.json artifacts and fails the build on exit 3,
3. show me how to seal our build outputs.
Keep verifyhash's trust boundary intact — a seal proves tamper-evidence + signer-pin, not time or identity.

The honest part

What a seal proves — and what it does not.

Most tools oversell. A verifyhash seal makes exactly two guarantees, and we lead with the four it doesn't, so nobody builds on a promise we never made.

It proves
  • Tamper-evidence. Every byte re-derives to the same root, or the check fails and names the file that drifted.
  • Signer-pin. The packet was signed by the exact key whose address you pinned — a forged or swapped signature is rejected, never silently passed.
  • Build integrity. The published verifier is faithfully built from the source you can read.
It does NOT prove
  • A trusted timestamp. "Sealed at time T" needs an external anchor — a seal alone can't date itself.
  • That the logic is correct. Reproducibility proves the build, not that the source does what you want. Read it; run the conformance corpus.
  • Real-world identity. A pinned address is a key, not a legal person.
  • Anything about the producer's intent. It attests bytes, not honesty of the URI they attached.

The head-on question

Why not sha256sum + a signed git tag — or cosign + Rekor?

Because for many needs those free tools are the right answer. Their strengths are real, and we state them as strengths — then say exactly what verifyhash adds, and what it does not do.

What sha256sum, a signed git tag, or cosign + Rekor already give you Real strengths: SHA-256 is a FIPS 180-4 hash; git + GPG and Sigstore are large, mature ecosystems your counterparty may already run; and Rekor's public transparency log records an inclusion timestamp — an existence bound you get out of the box. If these cover your need, use them.
What verifyhash adds One offline, single-file verifier your counterparty runs with no toolchain, no account, no CA — no git/GPG install, no Sigstore account or OIDC identity, no certificate authority to trust; one file plus Node (or the browser page), run on the bytes in hand. Plus signer-pin + per-file tamper localization — a REJECT names the exact file that changed, not just a digest mismatch — and an optional permissionless existence anchor (the ownerless on-chain registry below: no account there either, only gas).
What verifyhash does NOT do No trusted timestamp without the anchor — a seal alone never proves "sealed at time T"; Rekor gives an inclusion timestamp by default, while here that property arrives only once you anchor. And keccak256 is not a FIPS-approved hash — the Merkle cores here are keccak256, so a compliance regime that requires FIPS-approved digests end-to-end is better served by the tools above today.

Permissionless anchoring

An ownerless registry, live on Polygon.

Anchor a file or repository hash on-chain; anyone can later prove content is byte-for-byte what was anchored — trusting no server, admin, or key.

Polygon mainnet · chain 137

ContributionRegistry

No admin. No pause. No upgrade path. It never holds funds. Each hash anchors once, first-writer-wins, and can never be altered or deleted. That immutability is the product.

0x77d8eF881D5aeEda64788968D13f9146fE1A609B
Pin this out-of-bandview on polygonscan →

Pricing

Verifying is free. Forever.

Checking proofs never costs anything — that's what keeps the trust story true. You pay only when you want verifyhash to be your trust anchor or run signing for you at scale.

Free
$0
  • Verify any sealed packet, offline
  • The browser + Node standalone verifiers
  • Produce your own unsigned seals
  • Anchor & read the on-chain registry