justinjsmith/pkgverify
pkgverify

A companion to pkgsign. A simple utility for verifying package signatures.

The goal of these two utilities is to add cryptographic assurance of file authorship and integrity.

```sh
# when relying on a certificate available at a well-known network location
pkgverify -f="/path/to/file/to/verify" -u="http://example.com/cert"
# when relying on a certificate on disk
pkgverify -f="/path/to/file/to/verify" -c="/path/to/cert"
```

If the file to verify is foo.tar.gz, then the manifest generated by pkgsign must be named foo.tar.gz.manifest.

A successful verification means:

  1. The SHA1 in the manifest matches the SHA1 of the file.
  2. The manifest has not been altered since it was signed with the certificate's companion private key.

Together, these two facts mean the file has not been altered since the manifest was generated and signed.
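As an added illustration (not pkgverify's own code), the two checks above carried out in Go: the manifest's signature is validated against the certificate's public key first, and only then is the SHA1 it records compared with the file's. The one-line `sha1 <hex>` manifest format, the Ed25519 certificate key and everything built by `demo()` are assumptions; pkgsign's real manifest and key type are not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verify applies the README's two checks, signature first: an unsigned or altered
// manifest proves nothing, so its SHA1 is consulted only once the signature holds.
// The "sha1 <hex>" manifest line and the Ed25519 key are assumptions, not pkgsign's.
func Verify(file, manifest, sig []byte, cert *x509.Certificate) error {
	if err := cert.CheckSignature(x509.PureEd25519, manifest, sig); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	want := strings.TrimSpace(strings.TrimPrefix(string(manifest), "sha1 "))
	if got := sha1.Sum(file); hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("file SHA1 %x does not match manifest value %s", got, want)
	}
	return nil
}
func check(err error) { if err != nil { panic(err) } }

// demo builds constructed stand-ins for pkgsign's output: key, self-signed cert, file, manifest.
func demo() (file, manifest, sig []byte, cert *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	cert, err = x509.ParseCertificate(der)
	check(err)
	file = []byte("constructed contents of foo.tar.gz\n")
	h := sha1.Sum(file)
	manifest = []byte("sha1 " + hex.EncodeToString(h[:]) + "\n")
	sig = ed25519.Sign(priv, manifest) // the signature covers the manifest, not the file
	return
}

func main() {
	file, manifest, sig, cert := demo()
	fmt.Println("intact:", Verify(file, manifest, sig, cert), "tampered:", Verify(append(file, '!'), manifest, sig, cert))
}
```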
