Even after hash match, validate the Authenticode signature:
gpg: Good signature from "Witbe SAS (Software Signing Key) <security@witbe.net>" gpg: WARNING: This key is not certified with a trusted signature! witbe workbench download verified
Workbench versions ≥8.0 include a built-in self-verifier: Even after hash match, validate the Authenticode signature: