> at the point where you regularly have to scan that combination into a potentially malicious or compromised machine that knows how to generate and transmit the hash, you may as well just trust some centralised authority to store the originals.
Why would you have to do that regularly? The point is to do it once in a trusted environment and then the only thing you need to verify whatever is the hash itself, not to re-encode again and again.