# Content distribution integrity

Publish assets to multiple mirrors under one content-addressed ID, so consumers verify-on-pull that what they received is exactly what you published — regardless of which mirror served it — while deduplication keeps every mirror cheap.

## The problem

Distributing release assets, game content, or static bundles across several mirrors or CDNs raises a trust question: did the file a user downloaded from `mirror-eu` actually match what you published to `mirror-us`? A compromised mirror, a botched rsync, or a partial upload can serve subtly wrong bytes, and the usual mitigation — publishing a sidecar checksum file — is itself just another file on the same untrusted mirror. Meanwhile each mirror stores a full, independent copy, so unchanged assets are paid for again and again.

## Why snapdir

The published snapshot ID is a self-certifying name: it is the BLAKE3 hash of the content's [manifest](../concepts/manifests.md), so the consumer derives the expected hashes from the ID itself, not from a file the mirror could have tampered with.

- **Verify-on-pull.** Every object is re-hashed against the manifest as it is [fetched](../concepts/integrity.md); a mismatched or truncated download is rejected and retried automatically. A successful pull is a proof the bytes are authentic.
- **Mirror-agnostic trust.** The ID does not depend on which mirror served the bytes — pull the same ID from any mirror and integrity is checked the same way.
- **Cheap mirrors.** Objects are [content-addressed](../concepts/content-addressing.md) and deduplicated, so publishing a new release only ships the assets that changed, and identical assets are stored once per mirror.
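
The self-certifying ID described above, as an added sketch (not snapdir's own code) that shows why a mirror that alters an object and rewrites the manifest to match is still rejected. Assumptions: mirrors are modelled as plain dicts, the one-line-per-file manifest format is a simplification, and the standard library's BLAKE2b stands in for BLAKE3 so the example runs without extra packages.

```python
import hashlib

def digest(data: bytes) -> str:
    # Stand-in: snapdir uses BLAKE3; stdlib BLAKE2b is swapped in so this runs offline.
    return hashlib.blake2b(data, digest_size=32).hexdigest()

def publish(files: dict, mirror: dict) -> str:
    """Store objects and the manifest under their own hashes; return the snapshot ID."""
    lines = []
    for path in sorted(files):
        mirror[digest(files[path])] = files[path]  # identical bytes are stored once
        lines.append(f"{digest(files[path])} {path}")
    manifest = "\n".join(lines).encode()  # assumed simplified format: "<hash> <path>"
    mirror[digest(manifest)] = manifest
    return digest(manifest)

def pull(snapshot_id: str, mirror: dict) -> dict:
    """Fetch from an untrusted mirror, trusting nothing but the advertised ID."""
    manifest = mirror.get(snapshot_id, b"")
    if digest(manifest) != snapshot_id:
        raise ValueError("manifest does not hash to the advertised ID")
    out = {}
    for line in manifest.decode().splitlines():
        want, path = line.split(" ", 1)
        data = mirror.get(want, b"")
        if digest(data) != want:
            raise ValueError(f"{path}: object missing, truncated or altered")
        out[path] = data
    return out

def demo() -> dict:
    release = {"index.html": b"<h1>v2</h1>", "app.js": b"render()"}  # constructed sample
    us = {}
    rid = publish(release, us)
    truncated = dict(us)
    truncated[digest(release["app.js"])] = b"rend"  # partial upload on one mirror
    forged = dict(us)  # mirror alters a file AND rewrites the manifest to match
    forged[rid] = forged[publish({**release, "app.js": b"altered()"}, forged)]
    results = {}
    for name, mirror in {"eu": dict(us), "truncated": truncated, "forged": forged}.items():
        try:
            results[name] = sorted(pull(rid, mirror))
        except ValueError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

The forged mirror fails at the first check because its rewritten manifest no longer hashes to the advertised ID, which is the property a sidecar checksum file cannot provide.
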
## Walkthrough

Publish a release bundle and capture its ID — this single string is what you advertise to consumers as the authoritative version:

```sh
release_id=$(snapdir push --store s3://cdn-us/releases ./build/site)
echo "release $release_id"
```

Replicate it to other mirrors without a local round trip, copying only objects each mirror is missing:

```sh
snapdir sync --id "$release_id" --from s3://cdn-us/releases --to gs://cdn-eu/releases
```

Consumers pull by ID from whichever mirror is closest; the pull verifies every object against the manifest derived from that ID:

```sh
snapdir pull --store gs://cdn-eu/releases --id "$release_id" ./download
```

To audit a mirror without distributing the content, verify the snapshot against that mirror directly:

```sh
snapdir verify --store gs://cdn-eu/releases --id "$release_id"
```

## Outcome

Published content carries its own proof of authenticity: consumers verify on every pull that the bytes match the advertised ID, so a compromised or faulty mirror is caught automatically rather than trusted blindly. Deduplication across releases and mirrors keeps distribution cheap, and any mirror can be audited on demand. Use [`snapdir sync`](../guide/syncing.md) to fan a release out to every mirror and [`snapdir revisions`](../guide/history.md) to track what each one holds.