Build provenance · Minecraft mods
Prove your build is the real one.
ModHarbor gives every release of your Minecraft mod a Build Verified badge — cryptographic proof it came straight from your own build pipeline, that anyone can check for themselves. No keys to manage. No account to babysit. No lock-in.
- Artifact
- aurora-shaders-1.4.2.jar
- SHA-256
- a1b2c3d4…e5f60041
- Signer
- github.com/aurora/shaders
- Origin
- Integrity
- Continuity
- Track record
Free for mod makers. The badge travels with your file and verifies offline — with or without us.
How it works
Trust the build, not the name.
ModHarbor moves trust from "who says so" to "prove it." When your project's CI builds a release, it signs the artifact under your repository's own identity — no keys for you to hold, lose, or leak.
-
01
Your CI builds and signs
A build step signs each release using your repository's OIDC identity and Sigstore's public infrastructure — the same keyless signing the wider software world already relies on. ModHarbor never holds a key.
-
02
The proof travels with the file
The signature is embedded in the mod artifact itself. Wherever the file goes — CurseForge, Modrinth, a Discord, a direct download — the proof goes with it.
-
03
Anyone can verify it, offline
A player, a launcher, or a hosting provider can check the badge without calling ModHarbor at all. Swap the file, and the badge stops matching. That's the whole point.
What a verified build tells you: this exact file was built and signed by your pipeline, under your identity, and hasn't been altered since. If someone hijacks an account and uploads a file that never came from your build, it simply doesn't verify.
The honest part
What a verified build means — and what it doesn't.
We'd rather tell you exactly what we defend against than sell you a badge that implies more than it can prove. So, plainly:
What it proves
- Origin — the file came from your real build pipeline, under your identity.
- Integrity — it hasn't been changed since your CI signed it.
- Continuity — it's the same author-identity behind your previous releases, so a sudden switch is visible.
- Track record — an honest, fact-derived history: how many releases you've signed, and whether any were ever revoked.
What it doesn't
- It does not mean the code is safe, reviewed, or free of bugs or malware.
- A signature proves where a file came from — not what's inside it. A genuine pipeline can still build something bad.
- We don't scan for malware, and we won't pretend to. Single-engine scanning gives a false sense of safety against exactly the novel threats that matter.
- Deciding whether to trust what an author ships is still yours. ModHarbor makes that decision an informed one — it doesn't make it for you.
That candor is the product. Provenance you can verify is worth more than a reassuring badge you can't.
For mod makers
Add it once. Every release proves itself from then on.
You add one workflow to your repository. After that, every release you cut gets a Build Verified badge automatically — a README badge for your repo, a link people can check, and proof embedded in the download itself that it's really yours.
- No keys, no secrets. Signing uses your repo's own CI identity — nothing to generate, store, or rotate.
- No lock-in. The badge verifies offline, with or without ModHarbor. Walk away any time and your proofs still check out.
- Free for makers. Signing and verifying are free and stay free. That's the whole supply side of the ecosystem.
- Wherever you publish. CurseForge, Modrinth, or a direct link — ModHarbor never hosts your mod, it just proves the file.
The badge you get
[](https://modharbor.com/verify/<sha256>)
Designed and in use today. The live badge URL and the verify page it links to arrive alongside verification.
The five states
Every release shows exactly one state — its real provenance, carried by colour and strike pattern together, never colour alone.
-
Author verified — valid signature, identity mapped.
-
Signed — valid signature, author not yet registered. Neutral.
-
Unsigned — no provenance record. Not the same as bad.
-
Withdrawn — the author pulled it. Not an accusation.
-
Revoked — provenance repudiated.
For platforms & hosting providers
Provenance infrastructure you can build on.
ModHarbor is an open, verifiable trust layer — not a walled garden. The verifier is open source and embeddable: verify inside your own stack, with no dependency on our uptime and no data leaving your systems.
- Verify locally, always. Cryptographic verification runs entirely in your environment. If ModHarbor is unreachable, verification still works — it never fails a valid file.
- Signed, fact-derived assurance. On top of the public root, ModHarbor attests to fact-based signals — author track record and identity continuity — that you can consume under an agreement.
- Your policy, your call. Want to gate deployments on provenance you can positively verify? That's a policy you set on your side — ModHarbor gives you the signal, not the mandate.
- Not a competitor. ModHarbor doesn't host or distribute mods. It adds a layer of proof to the files you already handle.
For players
Check who really made it.
When you download a mod, a Build Verified badge lets you confirm it genuinely came from the person who makes it — not a look-alike upload, a re-pack, or a copy that was changed along the way. You don't have to take anyone's word for it, ours included: the proof travels with the file and checks out offline.
Here's the honest part. A verified build tells you a file is authentic — that it's really from the author, and hasn't been altered. It does not promise the mod is safe to run. A creator you trust is still a creator you're choosing to trust; ModHarbor just makes sure you're getting their work, and not someone pretending to be them.
Over time, launchers and platforms will check the badge for you and show it right next to the download. Until then, you can check it yourself — free, no account, no tracking.
The shape of it
A trust layer, not a walled garden.
ModHarbor never hosts your mods and doesn't compete with the places you already publish. It's one thing, done honestly: verifiable proof of where a file came from — free for the people who make mods, open for the people who verify them.