// authenticity
Authenticity
arcane@prod:~$ sha256sum --check manifest
Every build of this site bakes a SHA-256 manifest of its stable assets — the résumé PDF, its Ed25519 signature, the signing key, the icons. Your browser can re-fetch those exact bytes and hash them itself, right here. A green result means the bytes your browser just fetched match the manifest this build shipped — it cannot rule out a fully compromised origin, which could rewrite this page too. What this page really provides is tamper-evidence: mismatches (drift, CDN corruption, partial tampering) become visible instead of silent. For an independent cross-check, the same manifest is committed in the open: authenticity.generated.ts on GitHub.
the manifest
| asset | bytes | sha-256 |
|---|---|---|
| /Gabriel_Carvalho_Resume.pdf | 203,282 | 2b2f61a58fcf5cf5d057d1fa184795737e1905eb7a342d396a41c425cc309f81 |
| /Gabriel_Carvalho_Resume.pdf.sig | 64 | 82b94129d9da076fbead81d016e16744963cfd65998cc8ea350b9873158da8f5 |
| /resume-pubkey.spki | 44 | c7255cefc7b4af1dd91b4efeac8b46bfac74409745a1f987d70c6a931c089d4b |
| /og.png | 43,866 | 1422ec03231835756e91dc96fa474d3d59f726d904fa6ca1bb08b42233936225 |
| /icon.svg | 776 | 347c3a5411dce85af4780c202e71f61be562958a21e8519723ce4d5e497864cc |
| /apple-icon.png | 17,668 | 260ec472dbd3397088b3d132942de9a063e093339d1fbae05de234f59ed718d4 |
Scope: the stable, human-downloaded artifacts. Next.js's own /_next assets use build-hashed filenames (cache-correctness, not browser-verified integrity) — out of scope here. The manifest proves served-bytes integrity; the résumé's Ed25519 signature proves offline authorship — complementary, not the same claim. The signature itself is verifiable on /connect (drop your downloaded copy on the verifier).
verify in your browser
résumé signature: checking…
core API: unavailable — a separate deploy unit from this web build; the web build's identity is the manifest above.