16 Free BUILD_RECEIPT Hash and Manifest Validator Tools for Indie Q3 2026 Partner Packets

You wrote BUILD_RECEIPT.json by hand. You ran the SHA256 cold-validation drill once. Then a contractor edited MANIFEST.json on a Mac while you hashed on Windows—and Q3 2026 intake returned yellow on “checksum inconsistent” even though gameplay was fine.

This Listicles & Resource Roundups post lists sixteen free tools that turn receipt and hash discipline into repeatable checks you can run before every partner ZIP upload. None replace governance judgment; they remove “we forgot to diff the sidecar” from your vocabulary.

Why this matters now (May 2026)

1. Partner portals re-hash cold — Reviewer laptops are not your CI agents; you need local validators that match portal behavior.
2. Receipt + hash trilogy shipped on this site — Beginner tutorial, cold drill, and ZIP naming posts assume tools exist; this list names them.
3. Mock audit season — Seven-dimension tabletop dimension 2 fails when teams cannot reproduce hash results in the room.

Direct answer: Install four tools this week—sha256sum or PowerShell Get-FileHash, jq, a text diff, and CSV lint—then add the rest as packet complexity grows.

Who this list is for

• 1–5 person teams preparing first publisher or platform cert packets
• Studios with release-evidence folders but no dedicated release engineer
• Anyone resubmitting after hash or manifest mismatch tickets

Not for: teams already running full SLSA attestations with paid compliance platforms—this is the free floor, not the ceiling.

Minimum four-tool stack

Target ninety minutes to wire a validate-packet.sh that calls these four before zipping.

The sixteen tools (free tier focus)

1) GNU coreutils sha256sum (Linux / Git Bash on Windows)

Job: Canonical line format for SHA256SUMS.txt: lowercase hex, two spaces, relative path.
Workflow: Run from inside 01_build/game/ so paths stay zip-relative.
Pair with: Cold-validation drill block B.

2) PowerShell Get-FileHash (Windows-native)

Job: Same digest as sha256sum when you lowercase hex and use forward slashes in the sidecar.
Snippet:

(Get-FileHash -Algorithm SHA256 .\Riftbound.exe).Hash.ToLower()

Failure mode: Hashing from wrong working directory—paths in sums file no longer match zip layout.

3) shasum (macOS default)

Job: macOS-friendly SHA256 for teams packaging .app bundles file-by-file.
Note: Hash contents inside .app, not the bundle directory as opaque blob, unless partners instruct otherwise.

4) jq (JSON processor)

URL: jqlang.github.io
Job: Assert MANIFEST.json fields exist and match BUILD_RECEIPT.json:

jq -e '.build_id == "northlake_riftbound_steam_a1b2c3d_cert_20260518"' MANIFEST.json

Pro tip: Store jq one-liners in release-evidence/scripts/validate-manifest.jq.

5) Python json.tool (stdlib)

Job: Pretty-print and syntax-check JSON when jq is not installed.
Limit: No assertions—pair with a small Python script for CI later.

6) jsonschema (Python package, CLI via check-jsonschema)

Job: Validate receipt and manifest against a checked-in JSON Schema in release-evidence/templates/.
2026 habit: Bump receipt_version when schema changes—document in README.

7) diff / git diff --no-index

Job: Compare SHA256SUMS.txt vs SHA256SUMS.recomputed.txt after cold machine replay.
Empty output = pass. Anything else blocks upload.

8) Meld / WinMerge / VS Code Compare

Job: Human-readable diff when manifest paths shift after folder renames.
Use when: Partner naming sprint changes 02b_build to 02_build.

9) git rev-parse and git status --porcelain

Job: Source truth for BUILD_RECEIPT.json commit field—built into Git, not a separate download.
Rule: Receipt git.dirty: true requires KNOWN_ISSUES.md entry or stop.

10) 7-Zip CLI (7z t)

URL: 7-zip.org
Job: Test zip integrity before portal upload—corrupt archives fail before hash review.
Evidence: Log 7z t exit code in upload_log.csv notes column.

11) rsync --checksum (optional dry-run)

Job: Detect byte drift between CI artifact download folder and 01_build/ before hashing.
Pair with: Asia-EU handoff when overnight copies land in inbox.

12) csvkit (csvclean, csvstat)

URL: csvkit.readthedocs.io
Job: Validate upload_log.csv column count and UTF-8 encoding.
Beginner alternative: Open in VS Code and count commas per row manually until csvkit is installed.

13) OpenSSL dgst (cross-platform)

Job: Secondary digest implementation when auditors ask for algorithm agreement—openssl dgst -sha256 file.
Use sparingly: sha256sum is enough for daily work; OpenSSL settles disputes.

14) manifest-tooling from Q3 resource templates

Internal link: 15-free Q3 submission intake templates
Job: Starter folder skeletons and checklist CSVs that reference receipt and hash filenames—copy structure, then validate with tools 1–8.

15) shellcheck (for validate-packet.sh)

URL: shellcheck.net
Job: Lint your validation script before you trust it on upload night.
Pro tip: Run script on cold laptop and CI with same exit codes.

16) Git pre-commit hook (local, free)

Job: Block commits that change 01_build/ without updating archived receipt under 05-operations/receipts/.
Starter rule: If git diff --name-only includes release-evidence/01-build/, require receipts/ diff too.

Deep notes on core validators (tools 1–4 expanded)

sha256sum line discipline

Partners and open-source tooling expect GNU format. A correct line looks like:

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  game/Riftbound.exe

Generate from the directory that will become the zip root interior. If your zip unpacks to 01_build/game/, run hashing inside game/, then prefix paths in the sums file to match README bullets.

Batch tip: sha256sum $(cat files_to_hash.txt) fails on Windows Git Bash when paths have spaces—use xargs or PowerShell loops from the cold-validation post.

jq assertions worth copying

Store these in release-evidence/scripts/:

# build_id present
jq -e '.build_id | length > 0' BUILD_RECEIPT.json

# every manifest file entry has matching sums line
jq -r '.files[].path' MANIFEST.json | while read -r p; do
  grep -q "  $p$" SHA256SUMS.txt || exit 1
done

Exit non-zero blocks upload. Humans read logs; scripts enforce gates.

diff habits after cold replay

Never eyeball hash files. diff -u SHA256SUMS.txt SHA256SUMS.recomputed.txt produces auditable text you can attach to validation/2026-05-18_cold_pass.log. When diff shows CRLF-only changes, normalize text manifests with dos2unix before hashing—not after.

upload_log.csv without csvkit

Minimum viable rules:

• Header row exactly once
• Same column count on every line
• ISO-8601 UTC timestamps ending in Z
• No commas inside notes unless quoted

When in doubt, open CSV in VS Code and enable Rainbow CSV extension—free visual lint.

Tools 5–8 in production scenarios

jsonschema shines when contractors edit receipts. Check in a schema requiring human_signoff.signed_at_utc so empty signoffs fail CI instead of partner review.

Meld wins when two people disagree whether MANIFEST.json changed—export both versions from receipts/ archive, not from memory.

git diff --no-index compares exported zip trees without polluting git status—useful when game repo is clean but packet folder is not tracked.

Tools 9–12 for overnight and portal workflows

git status --porcelain output belongs in BUILD_RECEIPT only when non-empty; otherwise partners assume you did not check.

7z t takes seconds; skipping it cost teams re-upload slots when USB sticks returned bad zips.

rsync --checksum dry-run between CI download and 01_build/ catches “green job, wrong artifact link” bugs—common when handoff envelopes point at stale inbox paths.

csvkit csvstat -c 1,2 upload_log.csv verifies you did not duplicate build_id rows on the same UTC minute by accident.

Tools 13–16 for maturity ladder

OpenSSL dgst is the “second opinion” when a partner tool reports a different hash algorithm name—rare on PC, slightly more common in mixed enterprise portals.

Q3 resource templates give you filenames; validators prove filenames contain truth.

shellcheck prevents silent bash failures like set -e missing before a pipeline.

pre-commit stops the “quick fix in 01_build without receipt” habit that breaks dimension 2 in mock audits.

Sample validate-packet.sh skeleton

#!/usr/bin/env bash
set -euo pipefail
ROOT="${1:?release-evidence root}"
cd "$ROOT"
jq -e '.build_id' BUILD_RECEIPT.json >/dev/null
test -f SHA256SUMS.txt
cd 01-build/game
sha256sum $(cat ../../files_to_hash.txt) > ../../SHA256SUMS.recomputed.txt
cd ../..
diff -u SHA256SUMS.txt SHA256SUMS.recomputed.txt
echo "validate-packet: PASS $(date -u +%Y-%m-%dT%H:%M:%SZ)"

Adapt paths to your taxonomy. Run shellcheck before trusting it.

Stack comparison vs paid release platforms

Paid tools help at scale; they do not remove the need for cold validation literacy.

Resubmission validator pass

When partners request resubmit:

1. Archive old SHA256SUMS.txt to validation/history/{old_build_id}/
2. Regenerate all three: receipt, manifest, sums
3. Run full sixteen-tool pass—not only the tool that failed
4. Append upload_log row with result=resubmit_required on old row notes

Yellow flags often mean two inconsistencies; fixing only one repeats the thread.

Fest and demo packet variant

October Next Fest demos sometimes ship smaller zips without full cert annexes. Still hash demo binaries; shrink files_to_hash.txt, not validation discipline. Link demo build_id to playtest branch tutorial names when possible.

Security notes for validator scripts

• Do not echo portal passwords in validation logs
• Sanitize ci.job_url tokens before committing logs to shared repos
• Treat validate-packet.sh like production code—review diffs in RC freeze week

Outbound references (credibility)

• NIST SHA-256 specification — algorithm background when partners ask
• GNU coreutils manual — sha256sum behavior
• Steamworks partner documentation — separate from evidence zip hashes but often reviewed in same quarter

Ninety-minute wiring sprint

Tool combinations by failure mode

Genre and platform notes

Co-op / dedicated server builds: Hash server binaries separately; second manifest or artifacts.server_zip in receipt extensions.
AI disclosure annex: Hash every file under 04_ai/ listed in receipt—see AI disclosure challenge.
Two storefronts: Two sum files, two manifest rows in upload log—two-storefront rule.

What not to buy first

Paid release orchestration is valuable later. Before Q3 2026 intake, free tools plus honest receipts beat a dashboard that nobody runs on upload night.

Skip until receipts work manually:

• Enterprise SBOM platforms (unless contractually required)
• Fancy artifact browsers without hash export
• “One-click cert” plugins with no diff output

Evidence folder layout (tool outputs)

release-evidence/
  05-operations/
    validation/
      2026-05-18_cold_pass.log
      SHA256SUMS.recomputed.txt
    receipts/
    upload_log.csv
  scripts/
    validate-packet.sh
    validate-manifest.jq

Store logs—not screenshots—in validation folder for publisher diligence.

Common mistakes with these tools

1. Running hash from repo root — paths in sidecar do not match zip interior.
2. jq on trailing-comma JSON — export from strict editors only.
3. Trusting CI badge without cold replay — always second machine once per release.
4. Validating zip before final files copied — partial zip passes 7z t but fails partner open.
5. Mixing MD5 and SHA256 in one sidecar—pick SHA256 end-to-end.
6. Skipping csvkit on merged Excel upload logs — merged cells break grep.
7. Automating before manual pass works — script encodes wrong paths permanently.

Operating review integration

Add to four-Friday operating review Block 3:

• “Did we run validate-packet.sh on every cert-facing zip this week?”

One checkbox. No new meeting.

RC freeze and validator freeze

During RC freeze challenge, freeze validator script version too—note validate-packet.sh git hash in BUILD_RECEIPT extensions.validator_script_commit.

Changing scripts mid-freeze without bumping build_id confuses resubmission diffs.

Beginner path (first packet)

1. Pick tools 1, 4, 7, 9 from the list above.
2. Follow one-evening BUILD_RECEIPT tutorial.
3. Run SHA256 cold drill.
4. Zip with naming standard.
5. Score mock audit dimension 2.

Save-game and repro attachments

If packet includes save repro from save fuzz resources, hash saves as separate manifest roles (repro_save, fixed_build). Validators do not care about file type—only path and digest parity.

Key takeaways

• Sixteen free tools cover hashing, JSON assertion, diff, zip test, CSV hygiene, and script lint for Q3 2026 packets.
• Start with sha256sum/Get-FileHash + jq + diff + CSV discipline—expand only when complexity demands.
• Wire a validate-packet.sh and run it on a cold machine before every portal upload.
• Pair tools with BUILD_RECEIPT tutorial, cold drill, and ZIP naming.
• Log validation exits in 05-operations/validation/, not chat.
• Freeze validator scripts during RC weeks.
• Use Q3 resource templates for folder shape; use this list for tool names.

FAQ

Do I need all sixteen tools?

No. Four-tool minimum stack is enough for many first packets. Add tools when failure modes appear.

Can I validate only on CI?

CI plus one cold-machine replay is the bar. CI-only misses portal and laptop drift.

What if jq is not on Windows?

Use Python jsonschema or WSL Git Bash with jq packaged.

How does this relate to Steam depots?

Steamworks depot uploads are separate. These tools target partner evidence zips and internal release-evidence/.

Should validators run before or after zipping?

Both: hash unpacked tree, test zip with 7z, re-hash after self-download if portal allows.

Can we use Git LFS and still hash correctly?

Yes—hash the checked-out file bytes you place in 01_build/, not the LFS pointer file. CI must checkout LFS before hashing.

What about encrypted archives?

Hash the ciphertext you upload if the portal stores ciphertext. Document algorithm and whether reviewers can reproduce in KNOWN_ISSUES.md.

Tool index (quick reference)

Print this table into release-evidence/README.md for contractors.

Evidence minimum for mock audit dimension 2

When you run the mock audit tabletop, bring a folder containing:

• Latest validate-packet.sh exit log (pass)
• SHA256SUMS.txt plus recomputed diff empty capture
• Archived BUILD_RECEIPT.json matching zip build_id
• Last three upload_log.csv rows

Scorers should reproduce hash pass in the room using tool 1 and 7 only—if that fails, the stack is theater.

Honest limits of free tooling

These validators do not prove fun gameplay, legal compliance, or store featuring merit. They prove artifact integrity—which is prerequisite for partners to bother opening your build.

They also do not replace AI disclosure truth audits or wishlist truth challenges. Hash the annex files; separate workflows validate claims.

Weekly maintenance cadence

Cadence beats heroics on upload eve.

Shareability for small teams

Found this useful? Share the four-tool minimum with your co-founder before arguing about portal tickets—not the full sixteen-tool essay. Depth lives here for when the fourth yellow flag arrives.

Troubleshooting matrix (symptom to tool)

Work the matrix top-to-bottom; do not skip straight to re-exporting the game unless tools prove bytes changed.

Version pinning note (May 2026)

Document validator versions in BUILD_RECEIPT.extensions when partners ask about reproducibility:

"extensions": {
  "validator_notes": "sha256sum 9.1, jq 1.7, 7-Zip 24.08"
}

Version strings are not vanity—they explain why a reviewer’s older jq flag failed while yours passed. Keep the note updated whenever you upgrade Git Bash or WSL packages on the cold laptop.

Conclusion

BUILD_RECEIPT and SHA256 discipline are behaviors; tools make behaviors cheap enough to repeat weekly. Before Q3 2026 windows compress, pick your four-tool stack, script the checks, and log passes where Friday Block 5 can see them.

Partners will still find gameplay issues—but they will stop finding that your manifest described a binary that was not in the archive. That is the listicle promise: free validators, used consistently, beat expensive hope.