$ ./verify.sh --deployment
Deployment Verification
This page lets you confirm that the code running on this server matches the public open-source repository, and that the cryptographic implementation in your browser is correct.
How to verify the deployed build matches the source:
1. Open Vercel Dashboard → Deployments → click this deployment → check Git commit SHA
2. Compare with the commit above: 2b691bdb47
3. Browse the GitHub commit to audit every file in this build
Critical Source File Hashes
SHA-256 computed at build timesha256sum <file>on each GitHub raw file at build time. Run the command below locally to reproduce and compare.Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/lib/crypto.ts" | sha256sumExpected: cc5d4fcab2e13d7e14e9f0b63f92dd4832e0f68797ed9a57109c030755c9bde3
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/components/VaultForm.tsx" | sha256sumExpected: 3cd6010526e90ff9cb9e755772d77c1850ea19c3fc4443e87cb09aacbb4d36a3
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/components/VaultFetch.tsx" | sha256sumExpected: 9aeca7ea079f7cc1d28f162f7b75fe48fa845e1eaf1722b6317a803bec79fe66
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/components/VaultSave.tsx" | sha256sumExpected: da1f10cd57c9a42677573ea566f3ca4cfd12d7876efabd6fd58d2528c011f28e
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/components/VaultEdit.tsx" | sha256sumExpected: d27a8a97296bcb82e246769074f3bb00dde98cc378ab9b860568dd0ab646dd4a
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/app/api/vault/save/route.ts" | sha256sumExpected: fe0b435102073bd5dc1266d98471fbe3fe05ab2b69b0b6e98041ad277ac36bb5
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/app/api/vault/fetch/route.ts" | sha256sumExpected: 8c0bf46bff0300b4234cdb090d1cc0450bcd6d700a930576f8be11e759c05273
Verify locally:
curl -sL "https://raw.githubusercontent.com/milshop/PingVaults/2b691bdb47b3f7e99e9fcf5c0185221d13dd9d9c/app/api/ping/reset/route.ts" | sha256sumExpected: bc58697a4c243d37d188a48a1d350865a64d759344e3f6d36d1b6a02f61351ca
If the command output matches the expected value, the source used to build this deployment is identical to GitHub — no tampering.
One-click Batch Verify Script
Automatically checks all critical files and prints ✓ / ✗
How to run (after copying the script):
macOS pbpaste | bash
Linux xclip -o | bash (or save as verify.sh && bash verify.sh)
The script downloads each source file from GitHub and computes its SHA-256. If all results match the expected hashes, the build is verified as untampered.
JS Bundle Integrity
Why manually verify JS Bundles?
The source-file hashes above prove: source code used by Vercel to build = source code on GitHub. But they cannot prove that the compiled JS actually delivered to your browser hasn't been tampered with by the CDN or Vercel Edge layer. Bundle verification closes this gap — you compare the bundle downloaded from the server against one you compile yourself locally.
Both checks passing is what fully proves the chain: source → compile → delivery was untampered.
Step 1: Find the JS filename your browser loaded
Open DevTools (F12) → Network tab → reload the page → filter by JS → find the chunk containing core logic, e.g.:
_next/static/chunks/app/layout-abc1234.jsStep 2: Download and hash it (live version)
Run the command below in your terminal, replacing HASH with the actual filename:
curl -sL "https://pingvaults.com/_next/static/chunks/HASH.js" | openssl dgst -sha256 -binary | base64Step 3: Build locally and hash the same file
Clone the repo, check out the same commit, run a local build and find the matching chunk:
git clone https://github.com/milshop/PingVaults cd PingVaults git checkout 2b691bdb47 npm install && npm run build find .next/static/chunks -name "HASH.js" | xargs openssl dgst -sha256 -binary | base64
Step 4: Compare the two hashes
Identical hashes → live bundle = local build output. The CDN has not tampered with the file.
Cryptographic Self-Test
Runs a live AES-256-GCM encrypt → decrypt round-trip entirely in YOUR browser using the same code that protects your vault. No data leaves your device.
Test vector:
plaintext "PingVaults crypto OK ✓"
name "Alice"
question "Verify?" → "yes"
algo PBKDF2-SHA256 × 600,000 → AES-256-GCM
Clone the exact commit above, run it yourself, and compare behaviour. The source code is identical to what Vercel deployed.
$ git clone https://github.com/milshop/PingVaults
$ cd pingvaults
$ cp .env.local.example .env.local # fill in your own keys
$ npm install && npm run dev
$ open http://localhost:3000
You will need your own AWS DynamoDB table, Irys private key, and JWT secret. See README for setup instructions.
These single-file HTML tools implement the full decryption flow with zero external dependencies. Download them, open in any browser, and verify the source with Ctrl+U.
These files are the ultimate fallback: even if PingVaults.com shuts down, your emergency contact can decrypt the vault using only this HTML file + the metadata JSON.