Drop your Package ZIP (OEM or End‑User kit) below. Password‑protected ZIPs are supported.
What this verifier does: Validates that your package matches its SBOM and is signed.
• Checks SBOM integrity by comparing manifest.spdx.json with its .sha256 sidecar.
• Cryptographically verifies catalog signature(s) (.cat) and shows the signer/issuer/root.
• Recomputes SHA‑256 for every file and flags OK, TAMPERED, MISSING, and EXTRA.
What it does not do: It does not consult the Windows trust store or perform revocation checks. For official Windows trust, use signtool verify /kp /v on the catalog.
All processing happens locally in your browser. No files or passwords are sent anywhere.