The problem
We distribute software. Installers, mods, assets. The usual.
Every week we get messages like:
- "Hey I downloaded this from some forum, is it real?"
- "Someone shared your file on Discord, should I trust it?"
- "How do I know this wasn't tampered with?"
We used to tell them to check the SHA-256 hash. Nobody does that. They don't know how, and honestly, it's a pain.
What we wanted
A simple way for anyone to verify if a file is legitimate. No technical knowledge required. Just drag, drop, done.
What we built
TRACE. A file verification system.
As the creator, you register your files:
npx @sekyuriti/trace register installer.exe
This gives you a TRACE ID like TRC.A7X2.9K4M. Share this ID alongside your downloads.
When someone downloads your file from wherever, they verify it:
npx @sekyuriti/trace verify installer.exe
Or they can just drag the file to sekyuriti.build/trace if they don't want to use the terminal.
If the hashes match, it's real. If not, someone modified it.
How it works
Nothing fancy. When you register a file:
- SHA-256 hash is computed locally (your file never leaves your machine)
- Hash + metadata gets stored in our database
- You get a TRACE ID
When someone verifies:
- They compute the hash locally
- We check if that hash exists
- If yes, we show who registered it and when
That's it. The file itself is never uploaded anywhere.
The "aha" moment
A user messaged us last week. They downloaded a mod from a sketchy reupload site. Before installing, they ran the verify command. Hash matched. They knew it was safe.
That's the whole point. Trust, but verify.
Try it
If you distribute files and deal with the same "is this legit" questions, give it a shot:
Free tier covers most use cases. Questions welcome.
Top comments (0)