Usage
Hash an archive
go run main.go -output-dir "D:\" -verbose "D:\Checked.zip"
Usage of archive-hasher:
-format string Snapshot format override (default: derived from extension)
-output-basename string Base filename without extension for generated outputs (default "snapshot-hashes")
-output-dir string Directory for generated outputs (default: <artifact>.aamhs beside the artifact)
-overwrite Overwrite existing outputs if present
-snapshot-datetime string UTC datetime in RFC3339 format (default: artifact modified time)
-snapshot-name string Friendly snapshot name (default: derived from artifact name)
-verbose Print progress information
By default, output lands in <artifact>.aamhs beside the artifact itself — nothing is written elsewhere unless -output-dir is given.
Sign the manifest (PGP only)
./manifest-signer -key "AptlantisSigningKey-Private.asc" -overwrite -verbose "snapshot-hashes.txt"
Sign with both PGP and post-quantum (SLH-DSA)
# Generate a post-quantum keypair first
openssl genpkey -algorithm SLH-DSA-SHAKE-256s -out sphincs.key
openssl pkey -in sphincs.key -pubout -out sphincs.pub
# Sign with both PGP and PQ
./manifest-signer -key "AptlantisSigningKey-Private.asc" -pq-key ".\sphincs.key" -overwrite -verbose "snapshot-hashes.txt"
Usage of manifest-signer:
-key string Path to an ASCII-armored PGP private key
-openssl string OpenSSL command path for PQ signing (default "openssl")
-output string Output path for the detached ASCII-armored signature (default: <manifest>.asc)
-overwrite Overwrite existing detached signatures if present
-passphrase-env string Environment variable that stores the PGP private key passphrase
-pq-algorithm string PQ signature algorithm (default "SLH-DSA-SHAKE-256s")
-pq-key string Path to an OpenSSL SLH-DSA private key for the PQ detached signature
-pq-output string Output path for the armored PQ signature envelope (default: <manifest>.sphincs)
-verbose Print progress information
The PGP private key passphrase is read from an environment variable named via -passphrase-env, not passed as a CLI argument — avoids leaking it into shell history or process listings.