Supply-chain transparency

Release Transparency

A zero-knowledge product is only as trustworthy as the JavaScript your browser actually runs. We publish a list of every release so that high-stakes users can independently verify what was shipped.

Why this page exists

Client-side encryption protects your content from the server. But it does not protect you from a compromised client. If an attacker were able to swap the JavaScript bundle we deliver — at the CDN, build pipeline, or DNS layer — they could exfiltrate keys before encryption happens. We treat that as the single most dangerous threat to a zero-knowledge product, and we publish what we ship so it can be checked.

Current verification status

Transparency log
Every released version, with date and release notes, is listed below. The list is served from /releases.json at the same origin as the app — anyone can fetch it and compare with what they see in their browser.
Cryptographic signatures
Per-bundle SHA-256 hashes signed by an offline GPG key are on the roadmap. Until the offline signing key is generated and published, the log below is operational transparency, not yet cryptographic proof. We say so plainly rather than imply stronger guarantees than we provide.

Release log

How to verify (when signed releases ship)

  1. Open DevTools → Network in your browser, refresh DRIVUNO, copy the URL of any .js chunk loaded.
  2. Download that chunk with curl and compute its SHA-256: shasum -a 256 chunk.js.
  3. Compare against the hash listed for the current version above.
  4. If hashes do not match, do not enter your password — contact security@drivuno.com immediately.

Related transparency

Encrypted on your device · upload in 1 click
Upload