An event album export is usually treated as a zip file and a success toast. That is not enough for a handover containing hundreds of photographs, videos, and voice messages. The recipient needs evidence that the package is complete, readable, and tied to a specific export request.
Define the export boundary
Capture the event identifier, export request ID, creation time, selection rule, media states included, and requester role. An export of “approved media only” is different from an administrative archive containing removed or pending items.
Freeze the selection at a consistent point. If uploads continue while the archive is built, either use a database snapshot or state clearly which cutoff timestamp applies.
Create a machine-readable manifest
Include one entry per file:
{"path":"photos/IMG_1042.jpg","mediaId":"m_8f2","bytes":4821931,"sha256":"...","uploadedAt":"2026-07-17T12:10:00Z","state":"approved"}
Use stable internal media IDs, not contributor contact details. Add the original filename only if the product promises to preserve it and the recipient needs it.
Hash the bytes you deliver
Compute the checksum from the exact exported object, after any transformation. If the archive contains an original and a display derivative, list both separately. A hash stored only in an internal database does not prove the downloaded bytes match.
For very large exports, stream each object through the hash function while writing the archive. Avoid loading files into application memory.
Make partial failure visible
Do not quietly skip an unavailable object. Mark the export failed or include an explicit error section that prevents the UI from claiming completeness. Retry transient storage reads with bounded backoff, then preserve the failure reason for the operator.
The archive builder should be idempotent. Repeating the same request may create a new package, but its selection and manifest should remain comparable.
Sign or anchor the manifest
A server-side signature over the canonical manifest can show that it was produced by the service and not modified during handover. Key rotation requires a key identifier and a public verification procedure. For lower-risk use, storing the manifest hash in the audit log may be sufficient.
Do not oversell a checksum. It proves byte integrity, not consent, authorship, or legal ownership.
Verify before announcing success
After upload to the delivery location, read the archive footer, parse the manifest, and open a sample from every media type. Compare file count and total bytes with the frozen selection. Only then mark the export ready.
Use a short-lived download link scoped to one package. Export authority should not grant album administration or access to future packages.
Help the recipient verify
Include a small README with the event label, cutoff, file count, total size, manifest format, and checksum command. Nontechnical recipients still benefit from a clear statement of what is present and what was excluded.
I help build Gathmo and have a commercial interest in reliable media handovers. The Gathmo help centre provides product-specific guidance; the manifest approach works for any service that exports user media.
A trustworthy export is not merely downloadable. It is defined, reproducible, checked, and accompanied by evidence that the bytes handed over are the bytes the system selected.
Top comments (0)