step 1 · recompute
Every hash, re-derived
Your browser hashes the contents of each record with SHA-256 and confirms it matches the hash on file. Change one character and the hash changes.
Proof you can run yourself
Below is a real Watchtower evidence pack: four signed records of configuration changes across three Microsoft 365 tenants. Press verify and your browser recomputes every SHA-256 hash and checks the Ed25519 signature, entirely on your device, with nothing sent anywhere. Then tamper with a record and watch the maths catch it.
Tip: verify the pack, then tamper with the highlighted value in block #4 and verify again.
What just happened
step 1 · recompute
Your browser hashes the contents of each record with SHA-256 and confirms it matches the hash on file. Change one character and the hash changes.
step 2 · the chain
Each record carries the hash of the one before it. To rewrite history, an attacker would have to re-hash every later record too, not just one.
step 3 · the signature
The head of the chain is signed with an Ed25519 key. Without the private key a forged chain cannot be re-signed, so tampering is caught. The maths held the trust, not us.
Every other tool stores its evidence in its own cloud and asks you to trust the dashboard. This pack needed no dashboard, no login, and no trust in us - the one thing a management tool cannot hand you.