dpm verify

Compute the SHA-256 hash of a file and compare it against an expected value. Use this to confirm a downloaded binary or archive hasn't been tampered with.

dpm verify is a CLI-only command. The TUI does not have an interactive verify screen, but it does display a SHA-256 verification status badge on each tool in the Installed tab.

CLI usage

        dpm verify <file> <expected-sha256 | hash-file>
        # short alias
        dpm -k <file> <expected-sha256 | hash-file>
      

Arguments

file, path to the file to check.
expected-sha256, the known-good SHA-256 hash as a hex string.
hash-file, path to a file containing the expected hash (e.g. a .sha256 sidecar file).

Examples

        # inline hash
        dpm -k nmap-7.94.tar.gz e3b0c44298fc1c149afb...
        ✓  hash match
        # hash from sidecar file
        dpm -k nmap-7.94.tar.gz nmap-7.94.tar.gz.sha256
        ✗  hash mismatch
           expected: e3b0c44298fc1c149afb...
           got:      a94a8fe5ccb19ba61c4c...
      

TUI: verification badge

The Installed tab in the TUI shows a SHA-256 verification status badge next to each installed tool. This is a passive display, it reflects whether the installed binary matches the hash recorded in the catalog at install time. It does not re-verify on demand.

To actively re-check a file against a known hash, use dpm -k from the CLI.

Automatic verification on install

SHA-256 verification is built into every install. When DPM downloads a binary or archive, it checks the hash against the catalog entry before placing the file. If the hash doesn't match, the install is aborted. You don't need to run dpm verify manually after a normal install, it's already done.

Use dpm verify when you're checking a file from an external source, or when you want to confirm a specific file's integrity independently of DPM's install flow.

← dpm profiles

dpm bubble →