What is verified
At install time, the package payload should be treated as verifiable package content rather than as an opaque blob. The current trust stack is hash-based, not signature-based: the installer checks that what it received matches a known digest, not that a signer vouched for it.
Security & trust
Verification today is grounded in package hashes, compiler version metadata, and package ownership. That is the trust model that can accurately be claimed today, and it should be described as such rather than overstated as signature-based trust.
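The following is an added illustration, not code from the page's own installer, of what a hash-based check over those three inputs looks like in practice. The manifest layout (the `sha256`, `owner` and `compiler` keys), the `verify_package` function and the sample payload are all constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed sample: a package payload and the manifest record an installer
# would consult. The key names below are an assumption for this example.
PAYLOAD = b"example package bytes - constructed for this demo\n"
MANIFEST = {
    "name": "example-pkg",
    "owner": "example-org",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
    "compiler": {"name": "examplec", "version": "1.4.2"},
}


def verify_package(payload: bytes, manifest: dict,
                   trusted_owners: set, expected_compiler: dict) -> list:
    """Return a list of verification failures; an empty list means it passed.

    Trust here is hash-based: the payload is bound to the manifest's digest,
    and the manifest's compiler and ownership metadata are compared with what
    the installer expects. Nothing is signed, so the manifest itself has to
    arrive over a channel the installer already trusts.
    """
    failures = []

    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison so the check does not leak how much of the
    # digest matched.
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        failures.append("payload digest does not match manifest")

    if manifest.get("owner") not in trusted_owners:
        failures.append("package owner is not in the trusted set")

    compiler = manifest.get("compiler", {})
    if (compiler.get("name"), compiler.get("version")) != (
            expected_compiler.get("name"), expected_compiler.get("version")):
        failures.append("compiler metadata does not match expected toolchain")

    return failures


if __name__ == "__main__":
    expected = {"name": "examplec", "version": "1.4.2"}
    print(verify_package(PAYLOAD, MANIFEST, {"example-org"}, expected))
    # A single appended byte changes the digest and fails the check.
    print(verify_package(PAYLOAD + b"x", MANIFEST, {"example-org"}, expected))
```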