Integrity

Verify this archive yourself.

Every file shipped with this archive has a published SHA-256 hash. This page recomputes those hashes in your browser — using the Web Crypto API your browser already ships — and compares them against the manifest. No kakao.io server endpoint is trusted in the loop. If anything has been tampered with between the source repository and your screen, the check fails visibly.

Zero trust posture — the verifier is plain JavaScript embedded in this page. You can read it with View Source. It fetches the dataset, hashes it locally, fetches the manifest, and compares. The result is computed on your machine.

Check cacao-origins.json

Check all source files

Check a specific origin record

Verify the dataset hash from the command line

If you would rather not rely on browser code at all, the same check is trivial with standard Unix tools.

# Verify the dataset hash matches:
curl -s https://kakao.io/data/cacao-origins.json | shasum -a 256
# Compare against the hash in:
curl -s https://kakao.io/.well-known/source-manifest.json \
  | jq '.files["data/cacao-origins.json"]'

Verify OpenTimestamps proofs locally

Each origin record is also stamped with OpenTimestamps — a free, Bitcoin-anchored timestamping protocol. The proof folds the record's SHA-256 into a published Bitcoin block header, so the record's existence at that block's timestamp is cryptographically attestable without trusting us or any timestamping authority.

# Install the OpenTimestamps client:
pip3 install opentimestamps-client

# Download an origin record and its proof:
curl -O https://kakao.io/data/ots/records/ve-chuao.json
curl -O https://kakao.io/data/ots/records/ve-chuao.json.ots

# Verify — folds the Bitcoin block hash into a verification chain:
ots verify ve-chuao.json.ots

How this works

SHA-256 is computed in your browser via window.crypto.subtle.digest — the same primitive used by TLS and HTTPS, available in every modern browser without a polyfill. The manifest is a small JSON file listing the expected hash for each shipped file. OpenTimestamps proofs are submitted to public calendar servers and aggregated into the Bitcoin blockchain — there is no account, no fee, no central authority to trust. All three checks above are pure client-side computation.

If a check fails, please open the licence page for the contact channel. This usually indicates a Netlify CDN cache anomaly during deployment rather than tampering — but the failure is worth reporting either way.