wpsecscan v2.3.0

Verify a release

Every release ships with cryptographic proof of who built it, on what infrastructure, from what source.

Layer 1 — SHA256 (quick)

Byte-for-byte integrity. Every release page has a SHA256SUMS.txt.

# Linux / macOS / Git Bash
sha256sum -c SHA256SUMS.txt

# PowerShell (prints the hash only; compare the Hash column with the wpsecscan.exe line in SHA256SUMS.txt)
Get-FileHash wpsecscan.exe -Algorithm SHA256

Layer 2 — Sigstore keyless signature

Proves the .exe was built from bryanflowers/wpsecscan via the official GitHub Action — not a malicious lookalike.

# Install cosign once
brew install cosign       # macOS
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Verify: the identity regexp is matched against the workflow URI in the certificate's SAN,
# and the issuer must be GitHub Actions' OIDC provider
cosign verify-blob wpsecscan.exe \
  --signature wpsecscan.exe.sig \
  --certificate wpsecscan.exe.pem \
  --certificate-identity-regexp \
  'https://github.com/bryanflowers/wpsecscan' \
  --certificate-oidc-issuer \
  https://token.actions.githubusercontent.com

# Output: "Verified OK"

Layer 3 — SLSA Level 3 attestation

The full build environment is recorded and verifiable.

go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest

gh release download v2.3.0 --pattern '*.intoto.jsonl'

slsa-verifier verify-artifact wpsecscan.exe \
  --provenance-path wpsecscan.exe.intoto.jsonl \
  --source-uri github.com/bryanflowers/wpsecscan \
  --source-tag v2.3.0

# Output: "PASSED: SLSA verification passed"
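An added cross-check that is not part of the wpsecscan project: this Python script (constructed sample data standing in for wpsecscan.exe, not the real binary) parses SHA256SUMS.txt and the DSSE envelope inside the .intoto.jsonl provenance, and confirms that the layer 1 checksum and the subject digest recorded in the layer 3 provenance both equal the digest of the bytes you actually hold. It does not replace slsa-verifier, which is what validates the signature and builder identity; it only shows what the provenance claims about the artifact.

```python
import base64
import hashlib
import json

ARTIFACT_NAME = "wpsecscan.exe"
ARTIFACT = b"MZ\x90\x00 constructed sample bytes, not the real wpsecscan.exe\n"  # constructed stand-in

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sha256sums(text: str) -> dict:
    """Parse SHA256SUMS.txt lines '<hex>  <name>' (coreutils binary mode writes '<hex> *<name>')."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def provenance_subjects(jsonl: str) -> dict:
    """Map subject name -> sha256 from the DSSE envelope(s) in *.intoto.jsonl.
    Only the payload is inspected; the signature over it is what slsa-verifier checks."""
    subjects = {}
    for line in filter(str.strip, jsonl.splitlines()):
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
            raise ValueError("envelope does not carry a SLSA provenance statement")
        for subject in statement["subject"]:
            subjects[subject["name"]] = subject["digest"]["sha256"].lower()
    return subjects

def cross_check(artifact: bytes, name: str, sums_text: str, jsonl: str) -> bool:
    """True only if the bytes you hold hash to BOTH the SHA256SUMS entry and the provenance subject."""
    actual = sha256_hex(artifact)
    return parse_sha256sums(sums_text).get(name) == actual == provenance_subjects(jsonl).get(name)

def sample_release(artifact: bytes = ARTIFACT, name: str = ARTIFACT_NAME) -> tuple:
    """Constructed SHA256SUMS.txt text and one unsigned .intoto.jsonl line for the stand-in."""
    digest = sha256_hex(artifact)
    statement = {"_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://slsa.dev/provenance/v0.2",
                 "subject": [{"name": name, "digest": {"sha256": digest}}], "predicate": {}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}
    return f"{digest}  {name}\n", json.dumps(envelope) + "\n"
```

Against a real release, read SHA256SUMS.txt, wpsecscan.exe and wpsecscan.exe.intoto.jsonl from disk and pass them to cross_check; a mismatch between the two layers is itself a finding worth stopping on.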

Layer 4 — Reproducible build (most paranoid)

Anyone can rebuild WPSecScan and prove the .exe matches ours bit-for-bit. The PyInstaller build is deterministic when the following are pinned:

git checkout v2.3.0
export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
python -m venv .venv && .venv/bin/pip install -r requirements.txt
.venv/bin/pyinstaller --noconfirm wpsecscan.spec
sha256sum dist/wpsecscan.exe
# Should match the SHA in SHA256SUMS.txt

SBOM

Each release includes an sbom.cyclonedx.json file listing every dependency and its version. Plug it into any SCA tool.

jq '.components | length' sbom.cyclonedx.json

Trust signals summary

This is more verification surface than any other WordPress security scanner — paid or free — currently publishes.