Why HashWatch™ Exists

Independent verification for a trust-dependent world

The Problem

When you download a Linux ISO, best practice says to verify the hash. You compute the SHA256 of your download, compare it to the hash on the official website, and if they match — you're good. Right?

Not quite.

If an attacker compromises a download server, they can also update the hash page. You'd download a malicious ISO, verify it against the malicious hash, and everything would appear "verified."

Download ISO from Site A → Get hash from Site A → Compare → "Verified" ✓

But if Site A is compromised:
Download MALICIOUS ISO → Get MATCHING malicious hash → Compare → "Verified" ✓

This is circular trust, and it's a real gap in supply chain security.

The Solution

HashWatch™ independently crawls official ISO repositories and stores hashes with timestamps. When you verify a hash here, you're checking against a third-party record — not the same source you downloaded from.

We track:

  • When a hash was first seen
  • How long it's been stable
  • Any changes over time
  • Community reports of mismatches

Who This Is For

HashWatch™ is built for people who actually care about verifying their downloads:

  • Security professionals installing Kali, Parrot, or other pen-testing distros
  • Linux gamers grabbing Nobara, Bazzite, or other gaming-focused ISOs
  • Privacy-conscious users downloading Tails or Whonix
  • Sysadmins deploying Ubuntu, Debian, Rocky, or Alma in production
  • Anyone who understands that "verify the hash" has a trust problem

Request a Distro

Don't see your distro? We're always expanding coverage.

Request a Distro

For Distro Maintainers

If you maintain a Linux distribution and want to:

  • Verify your hashes are correct in our database
  • Report a legitimate hash change (new release, security update)
  • Request priority tracking for your distro
  • Dispute a "suspicious" flag on a hash change

Contact us at security@databaysolutions.com

Please email from your official project domain or include a link to a signed statement on your official site/repo. We're not going to update our records based on a random Gmail.

About Databay LLC

HashWatch™ is an R&D project from Databay LLC, a technology company focused on building practical solutions to real problems.

This project was born from a simple realization while installing Parrot OS: "If someone compromised this download, they'd update the hash page too." A quick search confirmed that no independent hash verification service existed. So we built one.

Built on the line, not in the boardroom.