arcane@prod : ~/authenticity
online

// authenticity

Authenticity

arcane@prod:~$ sha256sum --check manifest

Every build of this site bakes a SHA-256 manifest of its stable assets — the résumé PDF, its Ed25519 signature, the signing key, the icons. Your browser can re-fetch those exact bytes and hash them itself, right here. A green result means the bytes your browser just fetched match the manifest this build shipped — it cannot rule out a fully compromised origin, which could rewrite this page too. What this page really provides is tamper-evidence: mismatches (drift, CDN corruption, partial tampering) become visible instead of silent. For an independent cross-check, the same manifest is committed in the open: authenticity.generated.ts on GitHub.

the manifest

assetbytessha-256
/Gabriel_Carvalho_Resume.pdf203,2822b2f61a58fcf5cf5d057d1fa184795737e1905eb7a342d396a41c425cc309f81
/Gabriel_Carvalho_Resume.pdf.sig6482b94129d9da076fbead81d016e16744963cfd65998cc8ea350b9873158da8f5
/resume-pubkey.spki44c7255cefc7b4af1dd91b4efeac8b46bfac74409745a1f987d70c6a931c089d4b
/og.png43,8661422ec03231835756e91dc96fa474d3d59f726d904fa6ca1bb08b42233936225
/icon.svg776347c3a5411dce85af4780c202e71f61be562958a21e8519723ce4d5e497864cc
/apple-icon.png17,668260ec472dbd3397088b3d132942de9a063e093339d1fbae05de234f59ed718d4

Scope: the stable, human-downloaded artifacts. Next.js's own /_next assets use build-hashed filenames (cache-correctness, not browser-verified integrity) — out of scope here. The manifest proves served-bytes integrity; the résumé's Ed25519 signature proves offline authorship — complementary, not the same claim. The signature itself is verifiable on /connect (drop your downloaded copy on the verifier).

verify in your browser

résumé signature: checking…

core API: unavailable — a separate deploy unit from this web build; the web build's identity is the manifest above.