python
diff --git a/‎Misc/sbom.spdx.json
+4-4 b/‎Misc/sbom.spdx.json
+4-4
diff --git a/‎Tools/build/generate_sbom.py
+14 b/‎Tools/build/generate_sbom.py
+14
@@ -183,6 +183,20 @@ def check_sbom_packages(sbom_data: dict[str, typing.Any]) -> None:
             ),
         )
 
+        # HACL* specifies its expected rev in a refresh script.
+        if package["name"] == "hacl-star":
+            hacl_refresh_sh = (CPYTHON_ROOT_DIR / "Modules/_hacl/refresh.sh").read_text()
+            hacl_expected_rev_match = re.search(
+                r"expected_hacl_star_rev=([0-9a-f]{40})",
+                hacl_refresh_sh
+            )
+            hacl_expected_rev = hacl_expected_rev_match and hacl_expected_rev_match.group(1)
+
+            error_if(
+                hacl_expected_rev != version,
+                "HACL* SBOM version doesn't match value in 'Modules/_hacl/refresh.sh'"
+            )
+
         # License must be on the approved list for SPDX.
         license_concluded = package["licenseConcluded"]
         error_if(