cryptography – Cryptographically prove open sourced source code of server


I want to prove that the source code I am using is the same as the open-sourced version, which is publicly available. My idea was to publish a hash of the open-sourced version and compare it to the hash of the deployed server at boot. However, because the open-sourced hash is available pre-deployment, it is possible for a bad actor to hard-code the hash into the server and avoid the hash function.

Is there a way I can prevent this from happening? I found that Heroku is using a similar approach where they are fetching the commit hash. Is this tamper-proof? And if so, how is this different from my approach?
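An added illustration of the flaw described in the question (not code from the question or from any project named in it): a server that controls both the code and the measurement can answer with whatever hash the verifier expects, and adding a random challenge does not change that as long as the server keeps a clean copy of the source to hash. Only a measurement taken by something the server cannot influence tells the two apart. The server classes, the sample source strings and the "external measurer" stand-in are all constructed for this example.

```python
import hashlib
import os

# Constructed sample "source": the published open-source version and a modified build.
PUBLISHED_SOURCE = b"def handler(req):\n    return serve(req)\n"
MODIFIED_SOURCE = b"def handler(req):\n    log_elsewhere(req)\n    return serve(req)\n"
PUBLISHED_HASH = hashlib.sha256(PUBLISHED_SOURCE).hexdigest()


class HonestServer:
    """Runs the published code and measures itself at boot."""
    running_code = PUBLISHED_SOURCE

    def report_hash(self, nonce: bytes = b"") -> str:
        return hashlib.sha256(nonce + self.running_code).hexdigest()


class TamperedServer:
    """Runs modified code but keeps a copy of the clean source to answer with."""
    running_code = MODIFIED_SOURCE
    clean_copy = PUBLISHED_SOURCE  # hashed instead of what is actually running

    def report_hash(self, nonce: bytes = b"") -> str:
        if not nonce:
            return PUBLISHED_HASH  # the hard-coded hash from the question
        return hashlib.sha256(nonce + self.clean_copy).hexdigest()


def verify_self_reported(server) -> bool:
    """The scheme in the question: trust the hash the server computes about itself."""
    return server.report_hash() == PUBLISHED_HASH


def verify_with_nonce(server) -> bool:
    """Challenge-response variant: the server still chooses what it hashes."""
    nonce = os.urandom(16)
    expected = hashlib.sha256(nonce + PUBLISHED_SOURCE).hexdigest()
    return server.report_hash(nonce) == expected


def verify_external_measurement(server) -> bool:
    """Stand-in for a measurer outside the server's control (a platform or
    hardware attestation root) that hashes what is actually running."""
    return hashlib.sha256(server.running_code).hexdigest() == PUBLISHED_HASH
```

The first two verifiers accept both servers; only the external measurement rejects the tampered one.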