Module verify 

Minisign signature verification and SHA-256 checksums for release artifacts.

Functions

decode_public_key 🔒

Decodes a base64-encoded minisign public key.

sha256_hex 🔒

Computes the SHA-256 digest of data and returns it as a lowercase hex string.

verify_signature 🔒

Verifies a minisign signature over data and checks that every entry in expected_trusted_comments appears in the signature’s trusted comment (tab-separated tokens). This prevents cross-extension substitution and version replay attacks.