Verifying a document locally

When a seller seals a UnitVault snapshot, every file in it gets a SHA-256 hash that's recorded publicly. The whole point is that you, the buyer, don't have to trust Haubot or the seller — you can verify the file you downloaded matches the hash that was published, using tools that already exist on every operating system.

This is the practical walkthrough.

What you're checking

For each document in a sealed snapshot, the snapshot record stores:

• The file name as published.
• The file size in bytes.
• A SHA-256 hash of the exact file contents.
• The timestamp when the snapshot was sealed.

When you download the file, you compute the SHA-256 yourself and compare. If they match, the file is byte-for-byte identical to what the seller sealed. If they don't, something changed — either the file was modified, you didn't download what you think you did, or the snapshot record is wrong.

Where to find the published hash

On the listing page, open the UnitVault → Snapshots tab. Each snapshot shows the seal date and lists every file with its name, size and hash. You can also download the entire snapshot as a ZIP — the ZIP includes a manifest.json containing the same hashes in machine-readable form.

Computing the hash — by OS

macOS / Linux

shasum -a 256 path/to/file.pdf

Output:

2f4ad14a1c3d... (64 hex characters)  path/to/file.pdf

Compare the 64-character hash on the left against what's shown in the snapshot.

Windows (PowerShell)

Get-FileHash -Algorithm SHA256 path\to\file.pdf

Output:

Algorithm   Hash                                                                  Path
---------   ----                                                                  ----
SHA256      2F4AD14A1C3D...                                                       path\to\file.pdf

Hex case doesn't matter for comparison — 2f4a and 2F4A are the same hash.

From a browser (no install)

If you can't run a terminal — for example, you're checking from a phone — open a local hash tool that runs in the browser (look for "SHA-256 file hash" tools online). Pick one that's open-source and runs entirely client-side; the file should never leave your device. Drop the file in, compare the output.

Matching the hash

A SHA-256 hash is 64 hexadecimal characters (or 256 bits). When you compare, two patterns are common:

• Exact match — the file is the file. Go ahead and trust what it says.
• Different hash, same file name — either you downloaded a different version, the file was modified, or the snapshot is wrong. Don't trust the file as-is; ask the seller (or Haubot support) for clarification.
• Same hash, different file name — that's actually fine. Hashes are over file contents, not names. Renaming a file doesn't change its hash.

Cross-checking the snapshot record

The snapshot record itself can be verified independently — see Why hashes prove things for the chain-of-trust explanation. Briefly:

• The snapshot record carries a Haubot-signed signature.
• That signature uses a public key Haubot publishes at /.well-known/disclosure-keys.json.
• The signing key is rotated on a published schedule; old signatures verify against the key that was active when the snapshot was sealed.

So you can verify both: the file matches the hash, and the hash record was actually signed by Haubot at that time.

When to actually do this

You don't have to verify every document on every listing. The mechanism is here for the cases where it matters:

• High-value transactions — anything you'd send a lawyer to review, verify the document hash first.
• Disputes — if a seller claims they shared a document on a specific date, and you have the version they showed you, the hash decides who's right.
• Long delays between disclosure and closing — when months pass between the inspection report being shared and the deal closing, re-verify the file you're about to make decisions on.

Most buyers verify once on the inspection report and the title, then trust the snapshot for everything else. That's a reasonable middle ground.