Verify this build.
Hashden is open source. You shouldn't have to take our word that hashden.app runs that code — you can check it. This deployment reports the exact commit it was built from, and our CI signs every image so anyone can confirm it came from the public repo. The check below runs on your machine, against public logs — not on ours.
What's running now
- Commit
- 30a23cd44b7b
- Branch
- main
- Built at
- 2026-05-25T09:21:24Z
Machine-readable at /api/version.
Verify it yourself
Pick either tool. Both confirm the image above was built by our CI from the public repo — not hand-rolled or tampered with.
1 · GitHub attestation — simplest
Needs the GitHub CLI. Confirms a signed SLSA provenance attestation links this image to a build of TheIcarusWings/hashden.
gh attestation verify oci://ghcr.io/theicaruswings/hashden-web:sha-30a23cd44b7bf47a809f3a93e04b983459980cf5 --repo TheIcarusWings/hashden2 · cosign — public transparency log
Needs cosign. Verifies the keyless signature recorded in the public Rekor log, tied to our release workflow's identity.
cosign verify ghcr.io/theicaruswings/hashden-web:sha-30a23cd44b7bf47a809f3a93e04b983459980cf5 \
--certificate-identity-regexp '^https://github.com/TheIcarusWings/hashden/.github/workflows/release-web.yml@refs/heads/main' \
--certificate-oidc-issuer https://token.actions.githubusercontent.comWhat this proves — and what it doesn't
✓ Proves: the published image is authentically built from the commit shown above, by our CI, from the public repo. Tampering or a hand-built image fails the check.
⚠ Doesn't prove on its own: that the live server is running only that image. A server can claim one commit and run another — that gap closes with the coming verifier extension (checks the code your browser actually receives) and, ultimately, with hardware attestation.
The strongest guarantee is structural, not a badge: Hashden is non-custodial, so your payout is set by the coinbase your own miner hashes — which you can check on your own hardware, no trust in this site required.