How to confirm a signed SHA-256 manifest before you install
- Step 1. Get the signed manifest and the project's public key. Download the project's cleartext-signed checksum manifest (often SHA256SUMS or SHA256SUMS.asc) and obtain the maintainer's -----BEGIN PGP PUBLIC KEY BLOCK----- from a source you already trust.
- Step 2. Set the verify action. Open the tool and choose Verify signed message. The form shows a signed-message box and a public-key box. No private key or passphrase is needed to verify a manifest.
- Step 3. Paste the signed manifest. Copy the entire block from -----BEGIN PGP SIGNED MESSAGE----- through -----END PGP SIGNATURE----- into the first textarea. This includes the Hash: header, every checksum line, and the signature.
- Step 4. Paste the maintainer's public key and verify. Put the project's public key into the second textarea and run verify. OpenPGP.js checks the signature against the manifest text and returns { valid, keyId, text }.
- Step 5. Confirm the signature and key ID. Require valid: true and confirm the returned 16-hex keyId equals the last 16 hex digits of the project's published key fingerprint (case and spacing aside). If either check fails, stop; do not install the artifact.
- Step 6. Hash your download and match the line. Compute your download's SHA-256 with multi-hash-fingerprinter and confirm that exact hash and filename appear together on one line of the verified text. Only then is the artifact both authentic and intact.
The two-step supply-chain check
Verifying a signed manifest is necessary but not sufficient — you must also match your download's hash. This tool does the first step; multi-hash-fingerprinter does the second.
| Step | Tool / action | Confirms | Pass condition |
|---|---|---|---|
| 1. Verify manifest signature | pgp-message-signer · verify | Manifest is signed by the real maintainer and unaltered | valid: true and keyId matches published fingerprint |
| 2. Hash your download | multi-hash-fingerprinter | Your file matches a hash in the manifest | SHA-256 line appears verbatim in the verified text |
| Result if both pass | — | Artifact is authentic and intact | Safe to install |
| Result if either fails | — | Trust is broken somewhere | Do not install; re-fetch from source |
Reading the verify verdict for a manifest
How each verdict maps to a supply-chain decision. The error in keyId distinguishes a tampered manifest from a wrong-key paste.
| valid | keyId | Meaning | Action |
|---|---|---|---|
| true | Matches published fingerprint | Manifest is genuine and unchanged | Proceed to hash-match step |
| true | Unexpected key ID | Signed, but possibly by an attacker's key | Stop — verify the key's provenance first |
| false | Signed digest did not match | Manifest was altered after signing | Discard; re-download the manifest |
| false | Key/signature mismatch error | Wrong public key pasted, or wrong manifest | Get the maintainer's real key and retry |
Where verification runs and how it's gated
Execution and access facts, from the schema and registry. The manifest is pasted as text, so the family's per-file size limits never apply to this step.
| Property | Value | Source / note |
|---|---|---|
| Execution | Browser-only (OpenPGP.js WASM) | Listed in BROWSER_ONLY_SECURITY_SLUGS |
| Public API | Returns 400 with a pointer to the web tool | No server case exists for this slug |
| Secrets used | None — public key only | Verify never touches a private key or passphrase |
| Minimum tier | Developer | minTier: developer in the registry |
| File-size limit | Not applicable (manifest is pasted text) | Hashing the download is a separate, file-based tool |
Cookbook
Concrete supply-chain checks. Manifests and keys below are truncated — paste the complete blocks. Signature verification happens in your browser tab; the download hash is computed by a sibling tool.
Verify a signed SHA256SUMS manifest
Action verify. Paste the signed manifest and the project's public key. A valid result returns the manifest text so you can read the hash lines. The Hash: armor header names the digest OpenPGP used for the signature itself (SHA512 here); it is unrelated to the SHA-256 checksums listed inside the manifest.
Action: verify
Signed message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

9f2c...e1a app-2.4.0-linux.tar.gz
4b81...77c app-2.4.0-macos.zip
-----BEGIN PGP SIGNATURE-----
...
Public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
Result:
{ "valid": true, "keyId": "a1b2c3d4e5f60718",
  "text": "9f2c...e1a app-2.4.0-linux.tar.gz\n4b81..." }
Match your download's hash to the verified manifest
After a valid signature, hash your actual file and confirm the line is present in the verified text. Both halves must pass.
Hash app-2.4.0-linux.tar.gz with /security-tools/multi-hash-fingerprinter
→ sha256: 9f2c...e1a
Verified manifest text contains: 9f2c...e1a app-2.4.0-linux.tar.gz ✓ exact match
Signature valid + hash matches → safe to install.
Catch a manifest that was tampered with
If an attacker swaps a hash to point at a malicious file, the manifest signature breaks. Verification returns invalid before you ever compare hashes.
Action: verify (manifest with one altered hash line)
Result:
{ "valid": false,
"keyId": "Signed digest did not match",
"text": "<altered manifest>" }
→ Do not trust any hash in it; re-download the manifest.
Detect a manifest signed by the wrong key
A manifest can be validly signed yet by an attacker's key. Match the returned key ID against the project's published fingerprint, not just valid: true.
Result: { "valid": true, "keyId": "deadbeef00112233" }
Project's published fingerprint ends: A1B2 C3D4 E5F6 0718
keyId deadbeef00112233 ≠ ...A1B2C3D4E5F60718
→ Signed by an unexpected key; stop and investigate.
Cross-check the whole flow with gpg
When GnuPG is available, confirm the manifest verdict matches and then use gpg's own check. The 16-hex key ID is the last 16 hex digits of the fingerprint gpg prints, so it lines up with this tool's keyId. Two caveats: sha256sum -c must run against the exact text the signature covered (a plain SHA256SUMS file is only usable if it is identical to the body of SHA256SUMS.asc), and add --ignore-missing when the manifest lists files you did not download, or sha256sum reports those as failures.
$ gpg --import project-public.asc
$ gpg --verify SHA256SUMS.asc
gpg: Good signature ... using ...A1B2C3D4E5F60718
$ sha256sum -c SHA256SUMS
app-2.4.0-linux.tar.gz: OK
Browser verify → valid:true, keyId a1b2c3d4e5f60718
Edge cases and what actually happens
Manifest signature is valid but the key is unexpected
Stop — verify key provenance. A valid: true only means the manifest matches whatever public key you pasted. If the returned 16-hex keyId does not match the last 16 hex digits of the project's published fingerprint, the manifest may be signed by an attacker's key. Confirm the key's provenance before trusting any hash in it. Note that a 16-hex key ID is only 64 bits of the fingerprint and keys with a chosen short ID can be generated, so compare the full 40-hex fingerprint (for example with gpg) whenever you can rather than relying on the short ID alone.
A hash line was altered after signing
valid: false. Changing any character of the manifest, including a single hex digit in a checksum, breaks the signature. Verify returns valid: false with Signed digest did not match. Discard the manifest and re-download it from the project.
Wrong public key pasted
valid: false. If the manifest was signed by key A but you paste key B, verification can't confirm it: valid is false and keyId holds a key/signature mismatch error. Get the maintainer's actual public key and verify again.
Public key field left empty
Paste the signer's public key. Verify throws "Paste the signer's public key." when the public-key box is empty. There is no keyserver lookup; you must supply the maintainer's public key yourself.
Signed manifest field left empty
Paste the signed cleartext message. If the signed-message box is empty, verify throws "Paste the signed cleartext message." Paste the complete -----BEGIN PGP SIGNED MESSAGE----- manifest block.
Pasting an unsigned plain SHA256SUMS file
Parse error. Verify expects a cleartext-signed block. A plain, unsigned SHA256SUMS list (no BEGIN/END armor or signature) is not a cleartext message and will fail to parse. There is nothing to verify without the maintainer's signature; get the signed .asc version.
Signature valid but your download's hash isn't in the manifest
Hash mismatch — investigate. A valid manifest signature does not vouch for a file whose hash isn't listed. If your download's SHA-256 (from multi-hash-fingerprinter) doesn't appear verbatim in the verified text, the file is not the one the maintainer listed: a different version, a corrupted download, or a substituted file. Re-download it from the project's own source.
Truncated manifest armor
Parse error. OpenPGP.js throws while reading armor if the BEGIN/END lines, hash lines, or signature are incomplete. Re-copy the whole signed manifest from the first dash of -----BEGIN to the last dash of -----END.
Tool is Developer-tier only
Tier-gated. The registry sets minTier: developer, so Free, Pro, and Pro-media accounts cannot open the verify action; they see an upgrade prompt. Manifest verification shares the same Developer gate as the rest of the tool.
Trying to verify the manifest through the public API
400 rejected. Verification runs on the browser-targeted OpenPGP.js WASM bundle, so the server engine has no case for this slug and the API runner returns 400. To gate a release pipeline on this check, drive the browser UI rather than POSTing to the API.
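For the paste failures in the edge cases above (empty box, unsigned plain list, truncated or missing signature armor), here is an added pre-flight check in JavaScript; it is written for this page and is not the tool's code. It follows the cleartext-signature layout of RFC 4880 section 7 (BEGIN line, armor headers such as Hash:, a blank line, the dash-escaped text, then the signature block) to report which part of the paste is missing before OpenPGP.js sees it, and it does not verify the signature. The sample manifest, its hashes and its signature body are constructed placeholders; inspectCleartext and runInspection are the example's own names.

```javascript
// Added example (not the tool's own code): a structural check for a pasted
// cleartext-signed manifest that names the specific paste mistake. It
// follows the RFC 4880 section 7 layout and does NOT verify the signature.
// The manifest below is constructed; its signature body is placeholder text.
const BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
const BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
const END_SIG = "-----END PGP SIGNATURE-----";

// Returns { ok: true, hash, text, signature } or { ok: false, reason }.
function inspectCleartext(pasted) {
  const input = String(pasted ?? "");
  if (input.trim() === "") {
    return { ok: false, reason: "empty: paste the signed cleartext message" };
  }
  // Trailing whitespace is not part of the signed text, so strip it per line.
  const lines = input.split(/\r?\n/).map((l) => l.replace(/\s+$/, ""));
  const begin = lines.indexOf(BEGIN_MSG);
  if (begin < 0) {
    // A bare checksum list is the common case here: nothing to verify.
    const bareSums = lines.some((l) => /^[0-9a-f]{64}\s+\*?\S/i.test(l));
    return {
      ok: false,
      reason: bareSums
        ? "unsigned checksum list: nothing to verify, fetch the signed .asc"
        : "missing BEGIN PGP SIGNED MESSAGE line",
    };
  }
  const sigStart = lines.indexOf(BEGIN_SIG, begin);
  if (sigStart < 0) return { ok: false, reason: "truncated: no BEGIN PGP SIGNATURE block" };
  const sigEnd = lines.indexOf(END_SIG, sigStart);
  if (sigEnd < 0) return { ok: false, reason: "truncated: no END PGP SIGNATURE line" };

  // Armor headers ("Hash: SHA512") run from the BEGIN line to the first blank line.
  const headers = {};
  let i = begin + 1;
  for (; i < sigStart && lines[i] !== ""; i++) {
    const m = /^([A-Za-z-]+):\s*(.*)$/.exec(lines[i]);
    if (m) headers[m[1]] = m[2];
  }
  if (i >= sigStart) return { ok: false, reason: "no blank line between headers and text" };

  // Signed text: undo dash-escaping ("- " prefix on lines that began with "-").
  const text = lines.slice(i + 1, sigStart).map((l) => l.replace(/^- /, "")).join("\n");
  if (sigEnd - sigStart < 2) return { ok: false, reason: "signature body is empty" };
  const signature = lines.slice(sigStart, sigEnd + 1).join("\n");
  return { ok: true, hash: headers.Hash ?? null, text, signature };
}

// ---- constructed sample (placeholder hashes and a fake signature body) ----
const H1 = "0123456789abcdef".repeat(4);
const H2 = "fedcba9876543210".repeat(4);
const SIGNED_MANIFEST = [
  BEGIN_MSG,
  "Hash: SHA512",
  "",
  `${H1}  app-2.4.0-linux.tar.gz`,
  `${H2}  app-2.4.0-macos.zip`,
  "- -- end of release manifest",       // a dash-escaped line in the signed text
  BEGIN_SIG,
  "",
  "iQIzBAEBCgAdFiEE...placeholder...",   // not a real signature
  "=AbCd",
  END_SIG,
].join("\n");

const PLAIN_SUMS = `${H1}  app-2.4.0-linux.tar.gz\n${H2}  app-2.4.0-macos.zip\n`;
const TRUNCATED = SIGNED_MANIFEST.replace(END_SIG, "");

function runInspection() {
  return {
    good: inspectCleartext(SIGNED_MANIFEST),
    empty: inspectCleartext("   "),
    plain: inspectCleartext(PLAIN_SUMS),
    truncated: inspectCleartext(TRUNCATED),
    noSignature: inspectCleartext(SIGNED_MANIFEST.split(BEGIN_SIG)[0]),
  };
}

console.log(runInspection());
```

A passing inspection only means the block is shaped correctly; the verdict on authenticity still comes from the verify action, and the extracted text here is what you would expect that action to return as text once the signature checks out.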
Frequently asked questions
What does verifying a signed checksum manifest prove?
It proves the manifest was signed by the holder of a specific PGP key and that not one character of it has changed since. Combined with matching your download's hash to a line in that manifest, it establishes that the artifact you have is the genuine, unaltered release.
Do I need GnuPG to verify the manifest?
No. The verify action runs entirely in your browser tab with OpenPGP.js. Paste the signed manifest and the project's public key, and the tool returns the verdict — no GnuPG install, no keyring, no command line. If you do have GnuPG, you can cross-check, and the key IDs will match.
Is verifying the signature enough on its own?
No — it is necessary but not sufficient. A valid signature means the manifest is authentic and intact, but you still have to hash your actual download and confirm that hash appears in the verified manifest. Use multi-hash-fingerprinter for that second step.
How do I know the key that signed the manifest is the real maintainer's?
Match the returned 16-hex keyId against the last 16 hex digits of the fingerprint the project publishes on its own site or repository. A valid: true only confirms the manifest matches whatever key you pasted; it does not vouch for the key's identity, so confirm the fingerprint separately, and prefer comparing the full 40-hex fingerprint (for example with gpg) because the short key ID is only 64 bits of it.
What happens if a hash in the manifest was tampered with?
The signature breaks. Changing any character of the manifest — even one hex digit of a checksum — makes verify return valid: false with Signed digest did not match. That is the safeguard: you can't be tricked into trusting a hash an attacker swapped in, because the whole manifest is covered by one signature.
Does the manifest or public key get sent to a server?
No. Verification runs on a browser-targeted WASM bundle, so the manifest and public key stay in the tab. The slug is on the browser-only list and the server API returns 400, so there is no code that could transmit them.
Can I verify a plain, unsigned SHA256SUMS file here?
No. This action verifies a cleartext-signed block (-----BEGIN PGP SIGNED MESSAGE-----). A plain unsigned checksum list has nothing to verify — there's no signature. Download the signed .asc version of the manifest from the project.
How do I hash my download to compare against the manifest?
Use multi-hash-fingerprinter, which computes SHA-256 (along with MD5, SHA-1, and SHA-512) of a file in the browser. Then confirm the resulting SHA-256 line — hash and filename — appears verbatim in the verified manifest text.
The manifest won't parse — what's wrong?
Usually a truncated copy. OpenPGP.js needs the full armor, from the first dash of -----BEGIN through the last dash of -----END, including the Hash: header, every checksum line, and the signature. Re-copy the entire signed manifest and try again.
Can I automate this in a release pipeline?
Not via the public API — the verify path is browser-only and the API runner returns 400 for this slug. You can drive the browser UI as a manual or browser-automated acceptance gate, but the server cannot verify the manifest on your behalf.
What tier do I need, and is there a size limit?
It is a Developer-tier tool. There is no file-size limit for the verify step because you paste the manifest as text. Hashing your download is a separate file-based tool, where the security family's per-file caps (Free 10 MB up to Developer 2 GB) apply instead.
Which JAD tools complete the supply-chain check?
Pair this verify step with multi-hash-fingerprinter to hash your download, and file-integrity-monitor to confirm two copies of an artifact are byte-identical. To produce your own signed manifest, use the sign action of pgp-message-signer.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.