UPack Documentation

Validation & Security

  • Last Modified: 2019-04-10

A Universal Package is intended to be read-only, and once created, its contents and metacontents sealed within the package, untampered. However, the simple format of a Universal Package makes it easy to tamper with its contents using nothing more than a zip file editor.

This is where cryptographic hashing comes in. It is a small string of text that acts as a "thumbprint" of a file and lets you verify that, after you've downloaded "Accounts/HDars v1.3.4" from a package source, you can be certain it's the file you expect.

Because a package's hash is calculated from the bytes of the package file, it is impossible to store a package's hash inside of that package, since changing the package would change its hash. For this reason, a trusted package source should be used to verify the hash of the package.

However, a package manifest file may reference other packages' hashes in the dependencies and repackageHistory properties.

Package Hash Format

Package hashes are calculated using the SHA-1 algorithm, and encoded visually as a 40-character case-insensitive string of hexidemical digits without spaces or other separator characters. For example: 2660bf74fc8147ca41bd53bdb1defc3aae35bc91

More on this topic:

Is this documentation incorrect or incomplete? Help us by contributing!

This documentation is licensed under CC-BY-SA-4.0 and stored in GitHub.