Index: README.md ================================================================== --- README.md +++ README.md @@ -304,34 +304,17 @@ describes its purpose and role within the larger system. ## Verifying Code Authenticity -If you obtained an SQLite source tree from a secondary source, such as a -GitHub mirror, and you want to verify that it has not been altered, there -are a couple of ways to do that. - -If you have a release version of SQLite, and you are using the -`sqlite3.c` amalgamation, then SHA3-256 hashes for the amalgamation are -available in the [change log](https://www.sqlite.org/changes.html) on -the official website. After building the `sqlite3.c` file, you can check -that it is authentic by comparing the hash. This does not ensure that the -test scripts are unaltered, but it does validate the deliverable part of -the code and the verification process only involves computing and -comparing a single hash. - -For versions other than an official release, or if you are building the -`sqlite3.c` amalgamation using non-standard build options, the verification -process is a little more involved. The `manifest` file at the root directory -of the source tree +The `manifest` file at the root directory of the source tree contains either a SHA3-256 hash (for newer files) or a SHA1 hash (for -older files) for every source file in the repository. You can write a script -to extracts hashes from `manifest` and verifies the hashes against the -corresponding files in the source tree. The SHA3-256 hash of the `manifest` +older files) for every source file in the repository. +The SHA3-256 hash of the `manifest` file itself is the official name of the version of the source tree that you -have. The `manifest.uuid` file should contain the SHA3-256 hash of the -`manifest` file. If all of the above hash comparisons are correct, then +have. The `manifest.uuid` file should contain the SHA3-256 hash of the +`manifest` file. If all of the above hash comparisons are correct, then you can be confident that your source tree is authentic and unadulterated. The format of the `manifest` file should be mostly self-explanatory, but if you want details, they are available [here](https://fossil-scm.org/fossil/doc/trunk/www/fileformat.wiki#manifest).