The byte witness
A live demo of the one move emet makes · re-derive the bytes, compare, never say trusted.
Runs entirely in your browser / nothing is uploaded or sent anywhere / read about emet / github.com/HarperZ9/emet
What this demo does
emet checks a file by re-deriving its fingerprint and comparing that to a fingerprint it saved earlier. This page does the real version of that move, right here, with no server in the loop. You give it some text or a small file. It computes the actual SHA-256 of those exact bytes using your browser's own cryptography (window.crypto.subtle.digest), then compares the result to a stored target. It reports one of three honest answers and nothing else.
The fingerprint is a SHA-256 digest: a short code that is unique to those exact bytes. Move a single character and the whole code changes. There is no fourth answer that just means trust me. The verdict you see below is driven entirely by the hash this page actually computed, never by anything written into the markup.
The three answers
- MATCH. The fingerprint of your input equals the stored target. It means nothing moved, not that the input is good or safe.
- DRIFT. The fingerprint differs from the target. Something changed. The tool reports that and does not decide whose fault it is.
- UNVERIFIABLE. There is nothing to check yet, or your browser cannot run the cryptography (for example on an insecure origin where
crypto.subtleis unavailable). It says so plainly, with a reason, rather than guessing.
Try it
Type or paste below, or pick a small file. Set what you have as the target, then change a single character and witness again. The verdict will flip from MATCH to DRIFT, because it follows the bytes and nothing else.
Whatever you type here is hashed exactly as written. A file, if you choose one below, takes the place of this text.
Read locally and hashed in your browser. Nothing is uploaded. Keep it small, since the whole file is held in memory to hash it.
- Source
- no input yet
- Computed
- SHA-256 of your input appears here
- Target
- no target set yet
Why this is the real move
A witness is not a judge. It re-derives the bytes itself and tells you what it compared. It never speaks for the thing it is checking, and it never hands out a verdict of trusted, because it was never given any trust to pass along. That is the whole discipline, in your browser, with no backend to take on faith.
The stored target here is just a number you choose by pressing set the target. In the real tool, that saved fingerprint comes from an earlier known-good state, and the file is read straight off the disk. The shape of the check is the same: compute the fingerprint again from scratch, compare, and report MATCH, DRIFT, or UNVERIFIABLE.
Honest limits
- This page proves the move, not the product. It witnesses input you give it in the browser. It does not read your filesystem on its own, and it keeps no history.
- SHA-256 detects change. It does not tell you whether a change was intended or whether the content is correct. MATCH means unchanged, never approved.
- If your browser does not expose
crypto.subtle(some insecure origins withhold it), the demo reports UNVERIFIABLE rather than faking a result. That is the honest answer when it cannot check. - The full tool lives at github.com/HarperZ9/emet (v1.0, on PyPI:
pip install emet): one spec, four independent language implementations, run yourself and checked on every push. The one claim it still owes is an implementation built by a hand with no tie to mine, a different author.
No data leaves your machine. The verdict is computed from the actual SHA-256 of your input and compared to a target you set; it is never hardcoded. Updated 2026-06-30.