DriftTrack - Per-Product Change Timeline
A single hash is a snapshot. DriftTrack is the film: a per-product timeline of how the verified hash, version, and signing identity have changed over time. It turns the data HashWatch already records - when each hash became current and who signed it - into a legitimate release history you can audit, so an unexpected change stands out against the normal cadence.
Status: in development.
How it works
Every hash record HashWatch keeps carries a valid_from (the point from which that hash was the current “hash of the day”) and, for Windows binaries, its SigDiff signer chain. DriftTrack assembles these into one ordered timeline per product:
- One entry per version, in time order, each with its SHA-256, the date it became current (valid_from), and its signer.
- A change summary between entries - the hash always changes on a new release; DriftTrack highlights the cases that matter, especially a signer change (the publisher identity or certificate thumbprint moved between versions).
No extra storage is needed - DriftTrack is computed from records you can already see.
Where it appears
DriftTrack is a Basic-tier capability (it sits on the same historical data as hash-of-day history):
GET /api/v1/intel/timeline?executable=<name>

{
  "product": "Google Chrome",
  "timeline": [
    { "version": "124.0.6367.82", "valid_from": "2026-04-24", "hash_sha256": "…", "sig_thumbprint": "d4e5f6…", "changed": ["version", "hash"] },
    { "version": "125.0.6422.60", "valid_from": "2026-05-14", "hash_sha256": "…", "sig_thumbprint": "d4e5f6…", "changed": ["version", "hash"] }
  ]
}

It is also browsable in the console.
How to use it
- Audit a release history. Confirm that a product’s versions and hashes line up with the vendor’s published releases.
- Catch a quiet signer change. A sig_thumbprint that changes between two otherwise-normal releases is a flag worth chasing - DriftTrack surfaces exactly that transition.
- Confirm cadence. An off-schedule or duplicate entry can indicate a re-release or an anomaly.
DriftTrack shows change over time; SigDiff and RevokeRadar explain what changed in the signing identity and whether that identity is still trusted.
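The checks listed under "How to use it" can also be run client-side over a timeline response. The following is an added example, not HashWatch code: the function name `review_timeline`, the `min_gap_days` threshold, the finding labels and all sample values are assumptions made for illustration, and it recomputes the differences itself rather than reading the `changed` field.

```python
import json
from datetime import date

# Constructed sample in the response shape shown above; every value is made up.
SAMPLE = json.loads("""
{"product": "Example App", "timeline": [
  {"version": "1.0.0", "valid_from": "2026-01-10", "hash_sha256": "aa11", "sig_thumbprint": "thumb-A"},
  {"version": "1.1.0", "valid_from": "2026-02-10", "hash_sha256": "bb22", "sig_thumbprint": "thumb-A"},
  {"version": "1.2.0", "valid_from": "2026-02-12", "hash_sha256": "cc33", "sig_thumbprint": "thumb-B"},
  {"version": "1.2.0", "valid_from": "2026-03-12", "hash_sha256": "dd44", "sig_thumbprint": "thumb-B"}
]}
""")


def review_timeline(resp, min_gap_days=7):
    """Return (valid_from, finding) pairs for transitions worth a closer look.

    min_gap_days is an assumed cadence threshold; tune it per product.
    """
    # Sort locally instead of trusting the order of the response.
    entries = sorted(resp["timeline"], key=lambda e: date.fromisoformat(e["valid_from"]))
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        when = cur["valid_from"]
        # .get(): a record without a signer chain has no thumbprint, and a
        # signed -> unsigned transition is still reported as a change.
        if cur.get("sig_thumbprint") != prev.get("sig_thumbprint"):
            findings.append((when, "signer_change"))
        if cur["version"] == prev["version"]:
            same_hash = cur["hash_sha256"] == prev["hash_sha256"]
            findings.append((when, "duplicate_entry" if same_hash else "re_release"))
        gap = (date.fromisoformat(when) - date.fromisoformat(prev["valid_from"])).days
        if gap < min_gap_days:
            findings.append((when, "off_cadence"))
    return findings


if __name__ == "__main__":
    for when, finding in review_timeline(SAMPLE):
        print(when, finding)
```

A finding here is a prompt to compare against the vendor's published releases, not a verdict; legitimate certificate renewals also show up as `signer_change`.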