I've been working on filepack, a command-line tool for file verification on and off for a while, and it's finally in a state where it's ready for feedback, review, and initial testing.

GitHub repo here: https://github.com/casey/filepack/

It uses a JSON manifest named `filepack.json` containing BLAKE3 file hashes and file lengths.

To create a manifest in the current directory:

  filepack create

To verify a manifest in the current directory:

  filepack verify

Manifests can be signed:

  # generate keypair
  filepack keygen

  # print public key
  filepack key

  # create and sign manifest
  filepack create --sign

And checked to have a signature from a particular public key:

  filepack verify --key <PUBLIC_KEY>

Signatures are made over the root of a merkle tree built from the contents of the manifest.

The root hash of this merkle tree is called a "package fingerprint", and provides a globally-unique identifier for a package.

The package fingerprint can be printed:

  filepack fingerprint

And a package can be verified to have a particular fingerprint:

  filepack verify --fingerprint <FINGERPRINT>

Additionally, and I think possibly most interestingly, a format for machine-readable metadata is defined, allowing packages to be self-describing, making collections of packages indexable and browsable with a better user interface than the folder-of-files ux possible otherwise.

Any feedback, issues, feature request, and design critique is most welcome! I tried to include a lot of details in the readme, so definitely check it out.