- 18 May 2021
Validation & Security
- Updated on 18 May 2021
A Universal Package is intended to be read-only: once created, its contents and metacontents are sealed within the package and should remain untampered. However, the simple format of a Universal Package makes it easy to tamper with its contents using nothing more than a zip file editor.
This is where cryptographic hashing comes in. A hash is a small string of text that acts as a "thumbprint" of a file and lets you verify that, after you've downloaded "Accounts/HDars v1.3.4" from a package source, it's the file you expect.
Because a package's hash is calculated from the bytes of the package file, it is impossible to store a package's hash inside of that package, since changing the package would change its hash. For this reason, a trusted package source should be used to verify the hash of the package.
However, a package manifest file may reference other packages' hashes in the
Secure Package Identifier
A universal package can be uniquely identified by its group, name, and version. In some cases, such as when specifying a dependency or describing an audit trail, these will all be combined in a single string.
The format for this string is fairly simple: the group and name are combined (separated by a forward-slash), and the version is appended (separated by a colon). For example:
To ensure a tamper-proof chain of packages, you may also use a package's cryptographic hash by appending a colon and then a hash string to the end of a package identifier.
This will be used for verification purposes when possible. For example:
If the identified package exists, but the hash doesn't exist, then the package will not be used.
Package Hash Format
Package hashes are calculated using the SHA-1 algorithm, and encoded visually as a 40-character case-insensitive string of hexadecimal digits without spaces or other separator characters. For example:
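The identifier and hash formats described in the two sections above can be parsed and checked together as follows. This is an added example, not code from the Universal Package tooling; the function names, the rule that the last slash separates group from name, and the sample identifier are assumptions, and the hash shown is the standard SHA-1 test vector for the bytes `abc`.

```python
import hashlib
import hmac
import re
from typing import NamedTuple, Optional

# 40 hexadecimal digits, either case, no separators (the format described above).
_SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")


class PackageId(NamedTuple):
    group: str
    name: str
    version: str
    sha1: Optional[str]  # lowercase hex, or None when the identifier has no hash


def parse_package_id(text: str) -> PackageId:
    """Parse 'group/name:version' or 'group/name:version:hash'."""
    parts = text.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected group/name:version[:hash], got {text!r}")
    full_name, version = parts[0], parts[1]
    # Assumption: the last slash separates the group from the name.
    group, sep, name = full_name.rpartition("/")
    if not (sep and group and name and version):
        raise ValueError(f"missing group, name or version in {text!r}")
    sha1 = None
    if len(parts) == 3:
        if not _SHA1_HEX.fullmatch(parts[2]):
            raise ValueError("hash must be exactly 40 hexadecimal digits")
        sha1 = parts[2].lower()  # case-insensitive, so normalise before comparing
    return PackageId(group, name, version, sha1)


def verify_package(pkg_id: PackageId, package_bytes: bytes) -> bool:
    """Return True only if the identifier carries a hash and the bytes match it."""
    if pkg_id.sha1 is None:
        return False  # nothing to verify against (choice made for this example)
    actual = hashlib.sha1(package_bytes).hexdigest()
    return hmac.compare_digest(actual, pkg_id.sha1)


if __name__ == "__main__":
    # Constructed sample: the package "file" is just the bytes b"abc".
    ident = "Accounts/HDars:1.3.4:A9993E364706816ABA3E25717850C26C9CD0D89D"
    pid = parse_package_id(ident)
    print(pid, verify_package(pid, b"abc"), verify_package(pid, b"abd"))
```

SHA-1 is used because it is the algorithm the format specifies; practical SHA-1 collisions have been demonstrated, so it should not be relied on where an attacker could craft both package variants.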