pkgverify

A companion to pkgsign. A simple utility for verifying package signatures.

The goal of these two utilities is to add cryptographic assurance of file authorship and integrity.

```
# when relying on a certificate available at a well-known network location
pkgverify -f="/path/to/file/to/verify" -u="http://example.com/cert"
# when relying on a certificate on disk
pkgverify -f="/path/to/file/to/verify" -c="/path/to/cert"
```

If the file to verify is foo.tar.gz, then the manifest generated by pkgsign must be named foo.tar.gz.manifest.

A successful verification means:

  1. The SHA1 in the manifest matches the SHA1 of the file.
  2. The manifest has not been altered since it was signed with the certificate's companion private key.

The combination of these two facts means the file has not been altered since the manifest was generated and signed.
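
The two checks listed above, as an added sketch that is not pkgverify's own code. It assumes a manifest that holds only the hex SHA1 of the file and a detached Ed25519 signature over it; the function names `makeManifest`, `verify` and `newKeys` are hypothetical, and the real manifest format and key type may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed layout (not pkgsign's real format): the manifest is the hex SHA1 of
// the file, and the signature is a detached Ed25519 signature over the manifest.
func makeManifest(file []byte, priv ed25519.PrivateKey) (manifest, sig []byte) {
	sum := sha1.Sum(file)
	manifest = []byte(hex.EncodeToString(sum[:]))
	return manifest, ed25519.Sign(priv, manifest)
}

// verify checks the signature first, so an unauthenticated manifest is never
// trusted, and only then compares the file's SHA1 with the signed value.
func verify(file, manifest, sig []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest altered or signed by a different key")
	}
	sum := sha1.Sum(file)
	if hex.EncodeToString(sum[:]) != string(manifest) {
		return errors.New("file SHA1 does not match manifest")
	}
	return nil
}

// newKeys returns a constructed throwaway key pair for the demonstration.
func newKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := newKeys()
	file := []byte("constructed package contents")
	manifest, sig := makeManifest(file, priv)
	fmt.Println("intact file:", verify(file, manifest, sig, pub))
	_, other := newKeys() // a manifest for a modified file, signed by another key
	m2, s2 := makeManifest([]byte("tampered"), other)
	fmt.Println("re-signed:  ", verify([]byte("tampered"), m2, s2, pub))
}
```

The result is only as trustworthy as the public key passed to `verify`, so the certificate itself has to come from a source the verifier trusts.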