file verification utility

87 stars · Rust

Filepack: a fast SHASUM/SFV/PGP alternative using BLAKE3

by rodarmor·Feb 21, 2026·2 points·0 comments

AI Analysis

BLAKE3 speeds file verification 10x over SHA-256; beats SFV/shasum with signatures.

Strengths
  • BLAKE3 is demonstrably faster and more secure than SHA-1/MD5 legacy tools (shasum/SFV)
  • Merkle tree signing approach (package fingerprint) elegant: single root covers manifest integrity
  • Real Rust implementation, cross-platform binaries, published on crates.io, low barrier to adoption
Weaknesses
  • File verification is a solved problem (existing tools work fine); BLAKE3 speedup matters mainly for massive archives or continuous CI
  • Minimal ecosystem pressure: most users tolerate shasum speed; adoption depends on friction
Target Audience

System administrators, security-conscious developers, release engineers

Similar To

sha256sum · shasum · SFV tools

Post Description

I've been working on filepack, a command-line tool for file verification, on and off for a while, and it's finally in a state where it's ready for feedback, review, and initial testing.

GitHub repo here: https://github.com/casey/filepack/

It uses a JSON manifest named `filepack.json` containing BLAKE3 file hashes and file lengths.

To create a manifest in the current directory:

filepack create

To verify a manifest in the current directory:

filepack verify

Manifests can be signed:

# generate keypair
filepack keygen

# print public key
filepack key

# create and sign manifest
filepack create --sign

And checked to have a signature from a particular public key:

filepack verify --key <PUBLIC_KEY>

Signatures are made over the root of a Merkle tree built from the contents of the manifest.

The root hash of this Merkle tree is called a "package fingerprint", and provides a globally-unique identifier for a package.

The package fingerprint can be printed:

filepack fingerprint

And a package can be verified to have a particular fingerprint:

filepack verify --fingerprint <FINGERPRINT>

Additionally, and I think possibly most interestingly, a format for machine-readable metadata is defined, allowing packages to be self-describing, making collections of packages indexable and browsable with a better user interface than the folder-of-files UX possible otherwise.

Any feedback, issues, feature requests, and design critique are most welcome! I tried to include a lot of details in the readme, so definitely check it out.
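As an added illustration (not code from the post or from filepack), here is a minimal create/verify pair for a manifest of per-file hashes and lengths, the kind of check the post describes. The manifest name and layout are assumptions, BLAKE2b from Python's standard library stands in for BLAKE3, and the script does not read or write filepack's own format.

```python
import hashlib, json, os, tempfile
MANIFEST = "manifest.json"  # hypothetical name and layout, not filepack's schema

def digest(path):  # stand-in hash: BLAKE2b from the standard library, not BLAKE3
    h = hashlib.blake2b(digest_size=32)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def walk(root):  # relative "/"-separated paths of all files except the manifest
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != MANIFEST:
                yield rel.replace(os.sep, "/")

def create(root):
    files = {rel: {"hash": digest(os.path.join(root, rel)),
                   "size": os.path.getsize(os.path.join(root, rel))}
             for rel in sorted(walk(root))}
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump({"files": files}, f, indent=2)

def verify(root):
    with open(os.path.join(root, MANIFEST)) as f:
        files = json.load(f)["files"]
    errors = []
    for rel, entry in sorted(files.items()):
        path = os.path.join(root, rel)
        if rel.startswith("/") or ".." in rel.split("/"):
            errors.append(("unsafe-path", rel))    # entry points outside the package
        elif not os.path.isfile(path):
            errors.append(("missing", rel))
        elif os.path.getsize(path) != entry["size"]:
            errors.append(("size-mismatch", rel))  # cheap check before hashing
        elif digest(path) != entry["hash"]:
            errors.append(("hash-mismatch", rel))
    # files on disk that the manifest does not list also fail verification
    return errors + [("extraneous", r) for r in sorted(set(walk(root)) - set(files))]

def demo():  # constructed sample package: verify clean, then after tampering
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("a.txt", b"alpha"); write("b.txt", b"bravo")
        create(root)
        clean = verify(root)
        write("a.txt", b"alphA"); write("b.txt", b"bravo!"); write("c.txt", b"new")
        return clean, verify(root)
```

In this example a same-length edit is caught only by the hash, an appended byte is caught by the length check before any hashing, and an unlisted file is reported rather than ignored.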