Three verifications are implemented in Mamba, on:

- the repositories' package index (experimental)
- package tarballs, fetched from a package repository
- package files, expanded from tarballs
The goal is to ensure that a package tarball's metadata are correct (including size and checksums). It relies on multiple (asymmetric) cryptographic keys to:

- define one or more trusted public keys for a given package (also called a target in that context)
- add to the repodata files one or more (public key, signature) pairs for each package tarball's metadata

Further documentation will come soon.
A paths.json file index is extracted from the package tarball together with the files themselves. This index also contains metadata such as the size and SHA-256 checksum of each file in the package.

When a package has already been extracted during a previous operation, it can be re-used directly. The file sizes are nevertheless verified to make sure they match the package definition; this guards against alteration of the package content (manual editing of a file, etc.).
SHA-256 checksum verification can additionally be performed using the extra safety checks configuration.

By default, Mamba only emits a warning if either of those two checks (file size and checksum) fails. You can also configure a different policy:
After fetching a package tarball from a repo, its size and checksums are already verified (see the previous package tarball verification), so there is no need to perform additional checks on each file.
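The two checks described above (the size and checksum check on a fetched tarball, and the per-file size check, with optional SHA-256, of an extracted package against its paths.json index) as an added, stand-alone example. This is not Mamba's code: the paths.json layout (a "paths" list of entries with "_path", "size_in_bytes" and "sha256") follows the conda package format, but the sample package, the Policy enum and the extra_checks flag are constructed here to mirror the warn/fail behaviour the text describes. The demo shows why size alone is not enough: a same-length edit to a file passes the size check and is only caught by the SHA-256 comparison.

```python
"""Size / SHA-256 verification of a fetched tarball and of extracted package files.

Added example, not Mamba's own code. Assumptions: paths.json entries carry
"_path", "size_in_bytes" and "sha256"; Policy and extra_checks are
illustrative stand-ins for the warn/fail configuration described in the text.
"""
import hashlib
import json
import tempfile
from enum import Enum
from pathlib import Path


class Policy(Enum):  # assumption: a warn / enabled / disabled style setting
    DISABLED = "disabled"
    WARN = "warn"
    ENABLED = "enabled"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large package files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(data: bytes, expected_size: int, expected_sha256: str) -> list:
    """Check fetched tarball bytes against the size/checksum taken from the repodata."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"tarball size {len(data)} != {expected_size}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        problems.append(f"tarball sha256 {digest} != {expected_sha256}")
    return problems


def verify_extracted(prefix: Path, paths_json: dict, extra_checks: bool = False) -> list:
    """Compare every file under `prefix` with its paths.json entry.

    Sizes are always compared; SHA-256 only when extra_checks is set, matching
    the optional extra safety check described in the text.
    """
    problems = []
    for entry in paths_json["paths"]:
        rel = entry["_path"]
        target = prefix / rel
        if not target.is_file():
            problems.append(f"{rel}: missing")
            continue
        actual_size = target.stat().st_size
        if actual_size != entry["size_in_bytes"]:
            problems.append(f"{rel}: size {actual_size} != {entry['size_in_bytes']}")
            continue
        if extra_checks and sha256_of(target) != entry["sha256"]:
            problems.append(f"{rel}: sha256 mismatch")
    return problems


def apply_policy(problems: list, policy: Policy) -> bool:
    """Return True when the extracted package may be re-used under `policy`."""
    if not problems or policy is Policy.DISABLED:
        return True
    level = "warning" if policy is Policy.WARN else "error"
    for p in problems:
        print(f"{level}: {p}")
    return policy is Policy.WARN


def demo() -> dict:
    """Build a tiny extracted package, then tamper with a file without changing its size."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix = Path(tmp)
        (prefix / "bin").mkdir()
        (prefix / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (prefix / "info").mkdir()
        (prefix / "info" / "index.json").write_bytes(b'{"name": "demo"}\n')
        # Constructed paths.json, computed from the intact files.
        index = {"paths_version": 1, "paths": [
            {"_path": rel, "path_type": "hardlink",
             "size_in_bytes": (prefix / rel).stat().st_size,
             "sha256": sha256_of(prefix / rel)}
            for rel in ("bin/tool", "info/index.json")]}
        (prefix / "info" / "paths.json").write_text(json.dumps(index))
        clean = verify_extracted(prefix, index, extra_checks=True)
        # Same-length edit: the size check still passes, only the checksum catches it.
        (prefix / "bin" / "tool").write_bytes(b"#!/bin/sh\necho no\n")
        size_only = verify_extracted(prefix, index, extra_checks=False)
        with_sha = verify_extracted(prefix, index, extra_checks=True)
        return {"clean": clean, "size_only": size_only, "with_sha": with_sha}


if __name__ == "__main__":
    print(demo())
```

Running the block prints an empty list for the intact package and for the size-only check of the tampered one, and a single "bin/tool: sha256 mismatch" entry once the SHA-256 check is enabled, which is the gap the extra safety check closes.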