Content distribution integrity

Publish assets to multiple mirrors under one content-addressed ID, so consumers verify-on-pull that what they received is exactly what you published — regardless of which mirror served it — while deduplication keeps every mirror cheap.

The problem

Distributing release assets, game content, or static bundles across several mirrors or CDNs raises a trust question: did the file a user downloaded from mirror-eu actually match what you published to mirror-us? A compromised mirror, a botched rsync, or a partial upload can serve subtly wrong bytes, and the usual mitigation — publishing a sidecar checksum file — is itself just another file on the same untrusted mirror. Meanwhile each mirror stores a full, independent copy, so unchanged assets are paid for again and again.

Why snapdir

The published snapshot ID is a self-certifying name: it is the BLAKE3 hash of the content's manifest, so the consumer derives the expected hashes from the ID itself, not from a file the mirror could have tampered with.

  • Verify-on-pull. Every object is re-hashed against the manifest as it is fetched; a mismatched or truncated download is rejected and retried automatically. A successful pull is proof that the bytes are authentic.

  • Mirror-agnostic trust. The ID does not depend on which mirror served the bytes — pull the same ID from any mirror and integrity is checked the same way.

  • Cheap mirrors. Objects are content-addressed and deduplicated, so publishing a new release only ships the assets that changed, and identical assets are stored once per mirror.
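
The self-certifying check described above, as an added example that is not snapdir's own code: a toy store whose ID is the hash of a manifest, pulled from mirrors that alter an object, truncate one, or swap in a forged but self-consistent manifest. Assumptions: SHA-256 stands in for BLAKE3, the manifest layout and all function names are hypothetical, the consumer obtained the ID through a channel the mirrors do not control, and a failed pull is only rejected here, not retried.

```python
import hashlib

def digest(data):
    # Assumption: SHA-256 stands in for BLAKE3, which is not in the standard library.
    return hashlib.sha256(data).hexdigest()

def publish(files):
    store, lines = {}, []
    for path in sorted(files):
        d = digest(files[path])
        store[d] = files[path]              # identical content is stored once
        lines.append(f"{d} {len(files[path])} {path}")
    manifest = "\n".join(lines).encode()    # hypothetical manifest layout
    snapshot_id = digest(manifest)          # the ID is the hash of the manifest
    store[snapshot_id] = manifest
    return snapshot_id, store

def pull(snapshot_id, mirror):
    """Fetch by ID from an untrusted mirror; raise ValueError on any mismatch."""
    manifest = mirror.get(snapshot_id)
    if manifest is None or digest(manifest) != snapshot_id:
        raise ValueError("manifest does not match advertised ID")
    out = {}
    for line in manifest.decode().splitlines():
        d, size, path = line.split(" ", 2)
        blob = mirror.get(d)
        if blob is None or len(blob) != int(size) or digest(blob) != d:
            raise ValueError(f"object failed verification: {path}")
        out[path] = blob
    return out

def status(snapshot_id, mirror):
    try:
        pull(snapshot_id, mirror)
        return "ok"
    except ValueError as err:
        return str(err)

# Constructed sample release; the two logo files share one stored object.
FILES = {"index.html": b"<h1>v1</h1>", "logo.png": b"\x89PNG-demo", "logo-copy.png": b"\x89PNG-demo"}
RELEASE_ID, ORIGIN = publish(FILES)

def tampered_mirror():    # asset bytes changed, manifest untouched
    return {**ORIGIN, digest(FILES["index.html"]): b"<h1>altered</h1>"}
def truncated_mirror():   # partial upload of one object
    return {**ORIGIN, digest(FILES["logo.png"]): b"\x89PNG"}
def forged_mirror():      # altered content plus a self-consistent forged manifest
    forged_id, forged = publish({**FILES, "index.html": b"<h1>altered</h1>"})
    return {**forged, RELEASE_ID: forged[forged_id]}
```

The forged mirror is the sidecar-checksum case from the problem statement: its manifest and objects agree with each other, yet the pull still fails because the manifest does not hash to the advertised ID.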

Walkthrough

Publish a release bundle and capture its ID — this single string is what you advertise to consumers as the authoritative version:

release_id=$(snapdir push --store s3://cdn-us/releases ./build/site)
echo "release $release_id"

Replicate it to other mirrors without a local round trip, copying only objects each mirror is missing:

snapdir sync --id "$release_id" --from s3://cdn-us/releases --to gs://cdn-eu/releases

Consumers pull by ID from whichever mirror is closest; the pull verifies every object against the manifest derived from that ID:

snapdir pull --store gs://cdn-eu/releases --id "$release_id" ./download

To audit a mirror without distributing the content, verify the snapshot against that mirror directly:

snapdir verify --store gs://cdn-eu/releases --id "$release_id"

Outcome

Published content carries its own proof of authenticity: consumers verify on every pull that the bytes match the advertised ID, so a compromised or faulty mirror is caught automatically rather than trusted blindly. Deduplication across releases and mirrors keeps distribution cheap, and any mirror can be audited on demand. Use snapdir sync to fan a release out to every mirror and snapdir revisions to track what each one holds.