Shipping & Verification


Every EvilBit Labs release is built with transparency and verifiability in mind. Here’s how to verify the integrity of our tools.

Universal Verification Commands

Checksum Verification

# Download the release and checksum file
wget https://github.com/evilbit-labs/[PROJECT]/releases/latest/download/[PROJECT]-[VERSION].tar.gz
wget https://github.com/evilbit-labs/[PROJECT]/releases/latest/download/[PROJECT]-[VERSION].tar.gz.sha256

# Verify checksum
sha256sum -c [PROJECT]-[VERSION].tar.gz.sha256

GPG Signature Verification

# Import our public key (if not already imported)
gpg --keyserver keyserver.ubuntu.com --recv-keys [KEY_ID]

# Download and verify signature
wget https://github.com/evilbit-labs/[PROJECT]/releases/latest/download/[PROJECT]-[VERSION].tar.gz.asc
gpg --verify [PROJECT]-[VERSION].tar.gz.asc [PROJECT]-[VERSION].tar.gz

SBOM Verification

# Download and verify Software Bill of Materials
wget https://github.com/evilbit-labs/[PROJECT]/releases/latest/download/[PROJECT]-[VERSION].sbom.json
wget https://github.com/evilbit-labs/[PROJECT]/releases/latest/download/[PROJECT]-[VERSION].sbom.json.sig
gpg --verify [PROJECT]-[VERSION].sbom.json.sig [PROJECT]-[VERSION].sbom.json
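
The checksum and signature steps above, written as two fail-closed checks. This is an added example, not EvilBit Labs' own tooling: `verify_checksum` requires the checksum file to carry an entry for the exact artifact name, and `signer_is_pinned` reads `gpg --status-fd` output and accepts only one expected full fingerprint. The function names, file names and fingerprint are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not EvilBit Labs code. Names and sample data are constructed.

# verify_checksum ARTIFACT SUMS_FILE
# Passes only if SUMS_FILE has an entry for ARTIFACT's own file name and the
# digest matches. Plain `sha256sum -c` checks whichever names the file lists,
# so it can succeed without hashing the file you actually downloaded.
# Returns: 0 match, 1 mismatch, 2 missing file, 3 no entry for ARTIFACT.
verify_checksum() {
  local artifact="$1" sums="$2" name expected actual
  [ -f "$artifact" ] && [ -f "$sums" ] || return 2
  name=$(basename -- "$artifact")
  # Entry format: "<hex>  <name>" or "<hex> *<name>" (names without spaces).
  expected=$(awk -v n="$name" '{ f = $2; sub(/^[*]/, "", f) }
    f == n && length($1) == 64 { print tolower($1); exit }' "$sums")
  [ -n "$expected" ] || return 3
  actual=$(sha256sum -- "$artifact" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# signer_is_pinned FINGERPRINT   (gpg status lines on stdin)
# Feed it: gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# Passes only if gpg reported GOODSIG and the VALIDSIG line names FINGERPRINT
# as the signing key or its primary key. `gpg --verify` alone accepts a good
# signature from any key in the keyring, not just the publisher's.
signer_is_pinned() {
  local want
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
    END { exit !(good && pinned) }'
}

# Constructed demo: a sample artifact, its checksum file, and sample status lines.
demo() {
  local dir fpr="0123456789ABCDEF0123456789ABCDEF01234567"
  dir=$(mktemp -d) || return 1
  printf 'constructed release contents\n' > "$dir/tool-1.0.0.tar.gz"
  (cd "$dir" && sha256sum tool-1.0.0.tar.gz > tool-1.0.0.tar.gz.sha256)
  verify_checksum "$dir/tool-1.0.0.tar.gz" "$dir/tool-1.0.0.tar.gz.sha256" \
    && echo "checksum: entry for tool-1.0.0.tar.gz matches"
  printf '[GNUPG:] GOODSIG %s Constructed Signer\n[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' \
    "$fpr" "$fpr" "$fpr" | signer_is_pinned "$fpr" \
    && echo "signature: signer matches the pinned fingerprint"
  rm -rf "$dir"
}
demo
```

The pinned fingerprint should come from a channel other than the download itself, since a key ID fetched from a keyserver says nothing about who owns the key.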

Build Provenance

All releases include signed attestations proving:

  • Source Code: Exact commit hash and repository
  • Build Environment: Reproducible build conditions
  • Dependencies: Locked dependency versions
  • Artifacts: Cryptographic proof of artifact integrity

Project-Specific Verification

Each project page includes a Download & Verify section with:

  • Project-specific download links
  • Current version checksums
  • Build instructions for local verification
  • Links to this page for detailed verification steps

Our Commitment

  • Transparent Builds: All source code and build processes are public
  • Reproducible Artifacts: Anyone can rebuild and verify our releases
  • Signed Releases: All artifacts are cryptographically signed
  • No Surprises: Clear documentation of what each tool does and doesn’t do

Trust, But Verify

We believe in the principle of “trust, but verify.” While we strive for transparency and security, we encourage you to:

  1. Review our source code
  2. Verify our signatures and checksums
  3. Build from source when possible
  4. Report any issues or concerns

Your security is our priority. If you find any discrepancies or have questions about our verification process, please open an issue or contact us directly.
