Introduction link

Verified packages provide enterprise-grade package integrity through cryptographic verification, ensuring that packages maintain their exact content from build to deployment. This feature addresses growing enterprise requirements for package provenance and content verification through comprehensive manifest generation and automated verification processes.

What Are Verified Packages? link

Verified packages are IPM packages that include cryptographic proof of their integrity through manifest files. These packages receive a “verified” badge and provide mathematical assurance that their content has not been tampered with between build and publication.

Key Benefits link

• Cryptographic Integrity: Mathematical proof that package contents haven’t been tampered with
• Build-to-Publish Traceability: Guarantee that published packages match their build artifacts
• Supply Chain Security: Detection of unauthorized modifications between build and publish
• Compliance Assurance: Cryptographic evidence for audit and regulatory requirements
• Enterprise Trust: Verified badge provides immediate visual confirmation of package integrity

Two-Phase Verification System link

Verified packages use a sophisticated two-phase approach to ensure complete integrity throughout the package lifecycle.

Phase 1: Build-Time Manifest Generation link

During the build process, when using the --include-manifest parameter, IPM generates a comprehensive manifest file that includes:

Individual File Hashes link

Each file in the package receives a cryptographic SHA-256 hash:

{
  "path": "main.tf",
  "hash": "SHA256:11c0e73332a574b5cc312076a98b0b8ccba7e6d75e7816987322b0050bd6ca2f"
}

Complete Package Hash link

The entire package content is hashed for overall integrity verification:

{
  "hash": "SHA256:932bb7261627b147d9a8e4a41e282e9ccd07336399d41480e5623ef5d2459c06"
}

File Inventory link

Complete list of all files included in the package with metadata:

{
  "totalFiles": 23,
  "files": [...]
}

Verification Metadata link

Package structure and configuration details including timestamps:

{
  "timeStamp": "2025-06-08T14:48:53.195792+00:00"
}

Phase 2: Publish-Time Verification link

During publication, IPM automatically detects manifest files and performs comprehensive verification:

File Presence Check link

• Verifies all files listed in the manifest are present in the publish directory
• Ensures no files have been removed since build

Hash Validation link

• Recalculates SHA-256 hash for each file
• Compares current hash with build-time hash from manifest
• Fails publication if any hash mismatches are detected

Content Integrity link

• Ensures no files have been added, removed, or modified since build
• Validates directory structure matches manifest expectations

Package Completeness link

• Calculates complete package hash and validates against manifest
• Provides final cryptographic proof of package integrity

Creating Verified Packages link

Build with Manifest Generation link

To create a verified package, use the --include-manifest parameter during build:

ipm build --source ./my-package --destination ./build-output --include-manifest

This generates a manifest file alongside your package content in the destination directory.

Example Manifest Structure link

A complete manifest file looks like this:

{
  "timeStamp": "2025-06-08T14:48:53.195792+00:00",
  "hash": "SHA256:932bb7261627b147d9a8e4a41e282e9ccd07336399d41480e5623ef5d2459c06",
  "totalFiles": 4,
  "files": [
    {
      "path": "ipmhub.json",
      "hash": "SHA256:30f7156cf6bcae721b3b572290e34f916f117c6d7681e9b9541f62d016138b9a"
    },
    {
      "path": "main.tf",
      "hash": "SHA256:11c0e73332a574b5cc312076a98b0b8ccba7e6d75e7816987322b0050bd6ca2f"
    },
    {
      "path": "main.yaml",
      "hash": "SHA256:d19f3be446b9707c3ae93305813b58cdf8b89eeed252b54ee8417392fd781c86"
    },
    {
      "path": "README.md",
      "hash": "SHA256:47ec043a6a898afc2a5a19d8e93fa34283b49c0134f6188ddda6567c6a411024"
    }
  ]
}

Publishing Verified Packages link

When publishing packages that contain manifest files, IPM automatically:

1. Detects Manifest: Identifies manifest files in the package directory
2. Performs Verification: Runs complete integrity checks against the manifest
3. Validates Content: Ensures all files match their build-time hashes
4. Awards Verification: Packages passing all checks receive the “verified” badge

ipm publish --package mycompany/my-package --version 1.0.0 --folder ./build-output

If verification fails, the publish operation will be rejected with detailed error information.

Enterprise Workflow Integration link

CI/CD Pipeline Integration link

Verified packages integrate seamlessly into enterprise CI/CD workflows:

Build Stage link

- name: Build Verified Package
  run: |
    ipm build --source ./src --destination ./dist --include-manifest

Publish Stage link

- name: Publish Verified Package
  run: |
    ipm publish --package myorg/mypackage --version ${VERSION} --folder ./dist

Compliance and Governance link

Verified packages support enterprise compliance requirements:

• Audit Trails: Complete cryptographic evidence of package integrity
• Regulatory Compliance: Meets requirements for software supply chain security
• Security Reviews: Provides verifiable proof for security assessments
• Risk Management: Reduces risk of compromised packages in production

Verification States link

Verified Badge link

Packages that pass all verification checks display a “verified” badge, indicating:

• All files match their build-time hashes
• Package content is cryptographically verified
• No unauthorized modifications have occurred

Verification Failures link

Common verification failure scenarios:

File Hash Mismatch link

Verification failed: File 'main.tf' hash mismatch
Expected: SHA256:11c0e73332a574b5cc312076a98b0b8ccba7e6d75e7816987322b0050bd6ca2f
Actual:   SHA256:22d1e84443b685c6dd423187a99c1c9ddb8e7f86e8927aa8333c1161fe7ddb1g

Missing Files link

Verification failed: File 'config.yaml' listed in manifest but not found in package

Extra Files link

Verification failed: File 'temp.log' found in package but not listed in manifest

Troubleshooting link

Common Issues link

Manifest Not Generated link

• Ensure --include-manifest parameter is used during build
• Verify build completed successfully
• Check destination directory for manifest file

Verification Failures link

• Review error messages for specific hash mismatches
• Check for file modifications between build and publish
• Ensure no temporary files are added to package directory

Missing Verification Badge link

• Confirm manifest file was included in package
• Verify all verification checks passed during publish
• Check publish logs for verification status

Best Practices link

1. Immutable Artifacts: Treat build outputs as immutable after manifest generation
2. Secure Storage: Store build artifacts securely between build and publish
3. Automated Workflows: Use automated pipelines to minimize human intervention
4. Regular Validation: Periodically verify package integrity in production environments

Security Considerations link

Cryptographic Security link

• Uses SHA-256 cryptographic hashing for file integrity
• Provides cryptographic proof that cannot be forged
• Detects even single-bit modifications to package content

Supply Chain Protection link

• Prevents injection of malicious code between build and publish
• Provides audit trail for compliance and security reviews
• Enables detection of compromised build or publish environments

Enterprise Assurance link

• Meets enterprise requirements for software supply chain security
• Provides verifiable proof for security assessments and audits
• Supports compliance with industry security standards