Three verifications are implemented in Mamba, on:
- the repository package index (experimental)
- package tarballs, fetched from the package repository
- package files, extracted from the tarballs
The goal is to ensure that a package tarball's metadata are correct (including size and checksums).
It relies on multiple (asymmetric) cryptographic keys to:
- define one or more trusted public keys for a given package (also called a target in that context)
- add to the repodata files one or more (public key, signature) pairs for each package tarball's metadata
Further documentation will come soon.
Assuming a valid repodata (see the previous repodata verification), the package tarball metadata are used to check whether a tarball is valid after fetching it from a repository.
The paths.json file index is extracted from the package tarball along with the files themselves. This index also contains metadata such as the size and SHA-256 checksum of each file in the package.
When a package has already been extracted during a previous operation, it can be re-used directly. The file sizes are nevertheless verified to make sure they match the package definition. This prevents alteration of its content (manual editing of a file, etc.) from going unnoticed.
SHA-256 checksum verification can additionally be performed using the extra safety checks configuration.
By default, Mamba will only emit a warning if one of those 2 checks (file size and checksum) is failing. You can also configure a different policy:
After fetching a package tarball from a repo, its size and checksums have already been verified (see the previous package tarball verification), so there is no need to perform additional checks on each file.
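The following is an added example, not Mamba's own code, that mirrors the package files verification described above: file sizes are always compared against the index, the SHA-256 digest only when the extra safety checks are enabled, and the result is mapped onto a warn / enabled / disabled policy. The option names `safety_checks` and `extra_safety_checks`, and the `paths.json` field names (`_path`, `size_in_bytes`, `sha256`), are assumed from conda's package format rather than taken from this page; the tampered package is constructed inline.

```python
import hashlib
import tempfile
import warnings
from pathlib import Path


def verify_package_files(prefix, paths_index, extra_safety_checks=False):
    """Compare each paths.json entry with its extracted copy under `prefix`.
    Size is always checked; SHA-256 only with extra_safety_checks, as the
    documentation describes. Returns a list of (path, reason) tuples."""
    problems = []
    for entry in paths_index["paths"]:
        target = Path(prefix, entry["_path"])
        if target.stat().st_size != entry["size_in_bytes"]:
            problems.append((entry["_path"], "size mismatch"))
            continue  # already failed; hashing adds nothing
        if extra_safety_checks:
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
            if digest != entry["sha256"]:
                problems.append((entry["_path"], "sha256 mismatch"))
    return problems


def apply_safety_policy(problems, safety_checks="warn"):
    """'disabled' ignores findings, 'warn' (the default) only warns, 'enabled'
    refuses the package. Returns True when the package is accepted."""
    if not problems or safety_checks == "disabled":
        return True
    message = "; ".join(f"{path}: {why}" for path, why in problems)
    if safety_checks == "enabled":
        raise RuntimeError("package files verification failed: " + message)
    warnings.warn(message)
    return False


def build_tampered_prefix():
    """Constructed sample: two extracted files, the second edited afterwards
    with its length preserved, so only the checksum reveals the change."""
    prefix = Path(tempfile.mkdtemp())
    files = {"bin/tool": b"#!/bin/sh\necho original\n", "etc/tool.cfg": b"level=1\n"}
    entries = []
    for rel, data in files.items():
        full = prefix / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
        entries.append({"_path": rel, "path_type": "hardlink", "size_in_bytes": len(data),
                        "sha256": hashlib.sha256(data).hexdigest()})
    (prefix / "etc/tool.cfg").write_bytes(b"level=9\n")  # same size, new content
    return prefix, {"paths": entries, "paths_version": 1}
```

With the default settings the size-preserving edit passes unnoticed; only the extra SHA-256 check reports it, and only the `enabled` policy turns that report into a hard failure.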