grivkees's comments

grivkees | 12 years ago | on: Ask HN: Prove a web site is using its open source repository

I think the only way you could do this is if a user trusted the PaaS underneath the software, and the PaaS offered a way for a user to verify the hash of what's running on their system.

The only other way you could find a hash of the code running on the server is if you asked the service, but in that case the service could always just lie. Even if you did some sort of challenge-response that could only be answered by having the public source code and hashing it with a nonce, you could just provide the public source to your malicious binary, and it would respond as it wished.
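The challenge-response described in the comment above, as an added sketch that is not part of the original comment: a nonce-keyed hash over the public source proves only that the responder holds a copy of that source, not that it executes it. The class and function names are hypothetical and the source bytes are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the contents of the published repository.
PUBLIC_SOURCE = b"def handle(request):\n    return store(request)\n"


def expected_response(nonce: bytes, source: bytes) -> bytes:
    """HMAC-SHA256 over the source, keyed by the verifier's fresh nonce."""
    return hmac.new(nonce, source, hashlib.sha256).digest()


class HonestServer:
    """Executes the published code and answers the challenge from it."""
    running_code = PUBLIC_SOURCE

    def attest(self, nonce: bytes) -> bytes:
        return expected_response(nonce, self.running_code)


class ModifiedServer:
    """Executes different code but keeps a copy of the public source."""
    running_code = b"def handle(request):\n    return something_else(request)\n"
    public_copy = PUBLIC_SOURCE

    def attest(self, nonce: bytes) -> bytes:
        # The answer is computed over the copy, not over what is running.
        return expected_response(nonce, self.public_copy)


def verify(server) -> bool:
    """Verifier side: fresh nonce, compare against a locally computed value."""
    nonce = os.urandom(32)
    local = expected_response(nonce, PUBLIC_SOURCE)
    return hmac.compare_digest(server.attest(nonce), local)


def run_demo() -> dict:
    """Report, per server, whether the challenge passed and what it runs."""
    return {
        type(s).__name__: {
            "challenge_passed": verify(s),
            "runs_public_code": s.running_code == PUBLIC_SOURCE,
        }
        for s in (HonestServer(), ModifiedServer())
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Both servers pass the check, so the verifier cannot tell them apart; the nonce prevents replay but does not bind the answer to the code that is actually executing.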
