📦 SBOM Artifact Verifier

Drop your Package ZIP (OEM or End‑User kit) below. Password‑protected ZIPs are supported.

Drag & Drop Package ZIP Here or Click to Select

What this verifier does: Validates that your package matches its SBOM and is signed.

• Checks SBOM integrity by comparing manifest.spdx.json with its .sha256 sidecar.
• Cryptographically verifies catalog signature(s) (.cat) and shows the signer/issuer/root.
• Recomputes SHA‑256 for every file in the package and flags each one as OK (hash matches the SBOM), TAMPERED (hash differs), MISSING (listed in the SBOM but absent from the ZIP), or EXTRA (present in the ZIP but not listed in the SBOM).

What it does not do: It does not consult the Windows trust store or perform revocation checks. For official Windows trust, use signtool verify /kp /v on the catalog.

All processing happens locally in your browser. No files or passwords are sent anywhere.

Project: git@github.com:Belcarra/sbom_artifact_verifier.git  |  Version: 0.02 beta

Example reports: Belcarra SPDX SBOM Overview

Signature & Integrity

SBOM Catalog Signature: Pending
SBOM Integrity: Pending
Driver Catalog Signature: Pending

Dependency Relationship Notes

“Dependency Relationship (from Parent)” is contextual. It is derived when a nested kit is opened from a parent link and is not necessarily declared inside the nested SBOM itself.
CISA (2025 Draft) defines dependency relationship as inclusion or derivation between software components. SPDX reserves DESCRIBES for document-to-element relationships, so package-to-package “from parent” links are shown as CONTAINS.