scalp verify & checksum

Generate SHA-512 checksums for release artifacts and verify them against a checksums file. Dogfooding built in.

SCAL-P spends all day verifying npm packages. But what about SCAL-P itself? Binary verify closes the loop: the same hashing and policy engine that protects your dependencies also protects your SCAL-P binary.

Two commands form a release verification chain:

  • scalp checksum — generate SHA-512 checksums for files
  • scalp verify — verify a file against a checksums file

scalp checksum

Generate checksums for release artifacts:

scalp checksum scalp_linux_amd64.tar.gz scalp_darwin_amd64.tar.gz > checksums.txt

Output:

sha512-a1b2c3d4e5f6...  scalp_linux_amd64.tar.gz
sha512-7f8e9d0c1b2a...  scalp_darwin_amd64.tar.gz

Flags

Flag        Default   Description
--output    stdout    Write checksums to a file instead of stdout

Write to file:

scalp checksum --output checksums.txt *.tar.gz

scalp checksum is a pure hash tool. No policy, no audit, no enforcement.

scalp verify

Verify a downloaded artifact against a checksums file:

scalp verify \
  --artifact scalp_linux_amd64.tar.gz \
  --checksum checksums.txt

On match:

binary verified

On mismatch:

hash_mismatch: expected sha512-a1b2c3d4e5f6..., got sha512-7f8e9d0c1b2a...

Flags

Flag          Default              Description
--artifact    required             Path to the downloaded release artifact
--checksum    required             Path to the checksums file
--policy      .scalp/policy.json   Policy file controlling enforcement
--ci          false                Force enforcement to block, overriding the policy

Enforcement

Enforcement       Hash match   Hash mismatch
warn (default)    exit 0       mismatch reported, exit 0
block             exit 0       mismatch reported, exit 1
log               exit 0       nothing printed, exit 0 (audit event still written)

With --ci, enforcement is forced to block.

Verify with CI enforcement

scalp verify \
  --artifact scalp_linux_amd64.tar.gz \
  --checksum checksums.txt \
  --ci

On mismatch, exit code 1:

hash_mismatch: expected sha512-a1b2..., got sha512-7f8e...

Audit events

Every scalp verify call produces one audit event:

{
  "ts": "2026-05-22T12:00:00Z",
  "event": "binary_verify",
  "pkg": "scalp_linux_amd64.tar.gz",
  "status": "verified",
  "hash_match": true
}

Appended to .scalp/audit.log alongside all other events.

How it works

  1. Parses the checksums file (skips blank lines and # comments)
  2. Looks up the artifact filename in the checksums map
  3. Computes SHA-512 of the artifact via hash.File()
  4. Compares hashes (constant-time comparison)
  5. Logs a binary_verify audit event
  6. Applies enforcement if mismatch
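The following is an added example in Go, not SCAL-P's own code, that walks through steps 1 to 4 and 6 of the loop above and applies the enforcement table from the previous section to the result. It assumes that the digest after the sha512- prefix is hex-encoded and that an artifact with no entry in the checksums file counts as a mismatch; the page states neither. Audit logging (step 5) is left out, and all inputs are constructed inline so the program runs offline.

```go
package main

import (
	"bufio"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Enforcement is the mode from the policy table; --ci forces Block.
type Enforcement int

const (
	Warn  Enforcement = iota // mismatch reported, exit 0
	Block                    // mismatch reported, exit 1
	Log                      // nothing printed, exit 0 (audit event still written)
)

// Checksum returns the "sha512-<digest>" string that `scalp checksum` prints.
// ASSUMPTION: the digest is hex-encoded; the real tool may encode it differently.
func Checksum(data []byte) string {
	sum := sha512.Sum512(data)
	return "sha512-" + hex.EncodeToString(sum[:])
}

// ParseChecksums reads "sha512-<digest>  <filename>" lines into a map keyed by
// filename, skipping blank lines and '#' comments (step 1). Any other shape is
// an error rather than silently skipped, so a corrupted file cannot hide an entry.
func ParseChecksums(r io.Reader) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[0], "sha512-") {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sums[f[1]] = f[0]
	}
	return sums, sc.Err()
}

// Verify performs steps 2-4 and 6: look up name, hash data, compare in constant
// time, then map the outcome to (exit code, message, matched) per the table.
// An artifact absent from the checksums file counts as a mismatch (this
// example's choice; the page does not say what the tool does).
func Verify(sums map[string]string, name string, data []byte, enf Enforcement, ci bool) (int, string, bool) {
	if ci {
		enf = Block
	}
	expected, ok := sums[name]
	got := Checksum(data)
	if ok && subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1 {
		return 0, "binary verified", true
	}
	if !ok {
		expected = "<no entry for " + name + ">"
	}
	msg := fmt.Sprintf("hash_mismatch: expected %s, got %s", expected, got)
	switch enf {
	case Block:
		return 1, msg, false
	case Log:
		return 0, "", false
	default: // Warn
		return 0, msg, false
	}
}

func main() {
	// Constructed inputs: a stand-in artifact and a checksums file generated from it.
	name := "scalp_linux_amd64.tar.gz"
	artifact := []byte("constructed release artifact bytes")
	checksums := "# written by scalp checksum\n\n" + Checksum(artifact) + "  " + name + "\n"
	sums, err := ParseChecksums(strings.NewReader(checksums))
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01 // one flipped bit stands in for a swapped download
	for _, data := range [][]byte{artifact, tampered} {
		code, msg, _ := Verify(sums, name, data, Warn, true) // --ci: warn becomes block
		fmt.Printf("%s (exit %d)\n", msg, code)
	}
}
```

Two design points carry over to any checker of this kind: a malformed line is rejected outright instead of being skipped, because a truncated or corrupted checksums file must not turn into a silent "no entry" that a lenient mode then waves through, and the comparison goes through crypto/subtle so the code path does not depend on where the two strings first differ.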

Example: release pipeline

# Generate checksums during release
- run: scalp checksum scalp_*.tar.gz > checksums.txt

# Upload the artifacts and the checksums file together
- run: |
    gh release create v0.2.0 \
      scalp_linux_amd64.tar.gz \
      scalp_darwin_amd64.tar.gz \
      checksums.txt

# Consumer side, after download (a separate job or machine, not the release job)
- run: |
    scalp verify \
      --artifact scalp_linux_amd64.tar.gz \
      --checksum checksums.txt \
      --ci

What it does NOT do

  • Does not sign the checksums file (GPG-sign it separately)
  • Does not verify the authenticity of the checksums file (HTTPS plus signature verification is on you). A checksums file served next to the artifact only catches corrupted or mixed-up downloads: whoever can replace the artifact can usually replace checksums.txt too, so check its signature before running scalp verify.
  • Does not support wildcards in --artifact (one file per invocation)
