Transparency Log#
Every day HashWatch publishes a single Ed25519-signed Merkle root committing to that day’s verified hash feed, chained to the previous day (append-only). Anyone can verify the feed was not altered after publication, or prove a specific hash was included — without trusting us.
Endpoints#
| Endpoint | Returns |
|---|---|
GET /public/transparency | recent signed roots + the public key |
GET /public/transparency/key | the Ed25519 public key + the verification recipe |
GET /public/transparency/{date} | one day’s signed root |
GET /public/transparency/{date}/proof?sha256=<hex> | an inclusion proof for a hash |
Verifying#
- Fetch the day’s entry and the public key.
- Check the signature with Ed25519 over the canonical message
hashwatch-transparency-v1\n<log_date>\n<merkle_root>\n<entry_count>\n<prev_root>. - To prove a single hash is in the feed, request its proof and recompute the root from the audit
path: leaves are
SHA-256(executable\0sha256\0version\0platform\0arch), interior nodes areSHA-256(0x01 || left || right), leaves sorted and de-duplicated. The proof endpoint also returnsverifiedandroot_matchesfor convenience.
The prev_root field chains each day to the one before it, so the log is append-only: a silently
altered past day would break the chain.