Verify

Don't take our word for it.

Two questions, two commands. Answer them yourself.

1. Is this copy genuine?

Every file in the package has a SHA-256 fingerprint listed in CHECKSUMS.txt. If you compute the fingerprint yourself and it matches, the file is exactly as it was published.

# macOS / Linux
shasum -a 256 -c CHECKSUMS.txt

# Windows (PowerShell)
Get-FileHash Elba.html -Algorithm SHA256

2. Does it really send nothing anywhere?

Elba's central promise is that it makes no network connection at all. No fonts fetched, no analytics, no "checking for updates," nothing. You don't have to believe that. You can read it.

  • · Open Elba.html in any text editor.
  • · Search for http — you're looking for the absence of any address it might send data to.
  • · Search for connect-src — you're looking for the presence of:
connect-src 'none'

This is an instruction to your browser to forbid Elba from opening any network connection whatsoever — and your browser enforces it, whether or not the code behaves. The promise isn't guarded by good intentions. It's guarded by your own browser.

On 1 January 2030, Elba's full source becomes public under MIT, and anyone at all will be able to read every line that makes these promises true. Until then, the file in your hands is already open to your own inspection. That was always the point.