Skip to content

Digital Signature of Aleph Deliverables

Overview

Starting September 8th, 2025, all delivery packages are generated and delivered with a digital signature to ensure data authenticity and integrity. This cryptographic verification system allows customers to confirm that delivered data has not been tampered with after it has been generated and made available by Satellogic. This provides confidence in the data's integrity during transmission from Aleph to your systems or during storage at your premises.

What Digital Signatures Provide

Digital signatures offer several key benefits for satellite imagery users:

🔒 Data Integrity: Verify that files have not been altered, corrupted, or tampered with since delivery
🎯 Authenticity: Confirm that the data originates from Satellogic's processing systems
📋 Audit Trail: Maintain a verifiable record of data provenance for compliance and quality assurance

How It Works

Satellogic uses industry-standard RSA cryptography with SHA-256 hashing to sign all delivered imagery packages:

  1. Manifest Generation: A manifest file containing SHA-256 checksums of all package files is created
  2. Digital Signing: The manifest is signed using Satellogic's private RSA 4096-bit key
  3. Package Delivery: The signed package includes the original files, manifest, and signature
  4. Customer Verification: Customers can verify authenticity using Satellogic's public key

Package Structure

From September 8th 2025 onward, all delivered imagery packages include digital signature components alongside your imagery assets. Here's an example of a typical L1B package structure:

20240826_072740_SN26_L1B_MS_<TARGET_ID>
├── 20240826_072740_SN26_L1B_MS_<TARGET_ID>_manifest.txt      ← Checksum manifest
├── 20240826_072740_SN26_L1B_MS_<TARGET_ID>_manifest.txt.sig  ← Digital signature
├── 20240826_072740_SN26_L1B_MS_footprint.kml
├── 20240826_072740_SN26_L1B_MS_metadata_stac.geojson
├── 20240826_072740_SN26_L1B_MS_preview.png
├── 20240826_072740_SN26_L1B_MS_thumbnail.png
├── 20240826_072740_SN26_L1B_MS_toa_factors.geojson
├── 20240826_072740_SN26_L1B_MS_CLOUD.vrt
└── rasters/
    ├── 20240826_072740_SN26_L1B_MS_VISUAL_0.tif
    └── ...

Signature Files

File Description
*_manifest.txt Contains SHA-256 checksums for every file in the package using standard sha256sum format
*_manifest.txt.sig RSA+SHA256 digital signature of the manifest file with PKCS#1.5 padding

Manifest File Format

The manifest file follows the standard sha256sum format with one line per file:

a1b2c3d4e5f6... file_path1
f6e5d4c3b2a1... file_path2
9876543210ab... file_path3

Verification Process

Note: The verification process is completely optional. While it provides valuable assurance of data authenticity and integrity, it is not a mandatory step required to consume Satellogic imagery data. You can use your delivered imagery products immediately without performing any verification steps.

However, for customers who value data provenance verification, compliance requirements, or enhanced security workflows, the following verification methods are available:

Step 1: Download Satellogic's Public Key

Satellogic's public key is permanently available at this secure URL:

https://api.satellogic.com/.well-known/publickey.pem

Note that no authentication is needed to access this URL.

Download and save this file to use for verification:

curl -o publickey.pem https://api.satellogic.com/.well-known/publickey.pem

Step 2: Manual Verification Commands

You can verify your package integrity using these standard commands:

# 1. Verify the digital signature
openssl dgst -sha256 -verify publickey.pem -signature *_manifest.txt.sig *_manifest.txt

# 2. Verify file checksums
sha256sum -c *_manifest.txt

Step 3: Automated Verification Script

For convenience, you may use and adapt this comprehensive verification script:

#!/bin/bash

#################################################################################
# VERIFYING SCRIPT - Verify File Manifest and Signature
#################################################################################
#
# DESCRIPTION:
#   This script verifies the integrity of files in a specified folder by:
#   1. Using 'sha256sum -c' to verify all files against the manifest
#   2. Verifying the digital signature of the manifest file
#
# USAGE:
#   ./verify_package.sh [folder_name]
#
# ARGUMENTS:
#   folder_name    - Optional. Name of the folder to verify (must exist in current directory)
#                    If not provided, verification is performed in the current working directory
#
# EXAMPLES:
#   ./verify_package.sh 20240826_072740_SN26_L1B_MS_TARGET123
#   ./verify_package.sh                # Verify current working directory
#
# REQUIRED FILES:
#   *_manifest.txt     - Manifest file ending with '_manifest.txt'
#   *_manifest.txt.sig - Digital signature of the manifest file
#   publickey.pem      - Satellogic's public key for signature verification
#
#################################################################################

# Set folder name and working directory
if [ $# -eq 0 ]; then
    # No folder provided, work in current directory
    FOLDER_NAME=""
    WORK_DIR="."
    PUBLIC_KEY_PATH="publickey.pem"
else
    # Folder provided, work in specified folder
    FOLDER_NAME="$1"
    WORK_DIR="$FOLDER_NAME"
    PUBLIC_KEY_PATH="../publickey.pem"

    # Check if folder exists
    if [ ! -d "$FOLDER_NAME" ]; then
        echo "❌ Error: Folder '$FOLDER_NAME' does not exist"
        exit 1
    fi
fi

# Find manifest file (file ending with _manifest.txt)
MANIFEST_FILE=$(find "$WORK_DIR" -maxdepth 1 -name "*_manifest.txt" -type f | head -1)
if [ -z "$MANIFEST_FILE" ]; then
    echo "❌ Error: No manifest file (*_manifest.txt) found in $([ -z "$FOLDER_NAME" ] && echo "current directory" || echo "folder '$FOLDER_NAME'")"
    exit 1
fi

# Extract just the filename from the path
MANIFEST_FILENAME=$(basename "$MANIFEST_FILE")
MANIFEST_SIG="${MANIFEST_FILENAME}.sig"

# Change to working directory
cd "$WORK_DIR"

# Check if signature file exists
if [ ! -f "$MANIFEST_SIG" ]; then
    echo "❌ Warning: Signature file $MANIFEST_SIG not found, cannot verify signature"
    exit 1
fi

# Check if public key exists
if [ ! -f "$PUBLIC_KEY_PATH" ]; then
    echo "❌ Error: Public key file not found at $PUBLIC_KEY_PATH"
    echo "Download it with: curl -o publickey.pem https://api.satellogic.com/.well-known/publickey.pem"
    exit 1
fi

echo "🔍 Starting verification process..."
echo "📁 Package: $([ -n "$FOLDER_NAME" ] && echo "$FOLDER_NAME" || echo "current directory")"
echo "📄 Manifest: $MANIFEST_FILENAME"
echo ""

# Verify the signature using public key
echo "🔐 Verifying digital signature..."
if openssl dgst -sha256 -verify "$PUBLIC_KEY_PATH" -signature "$MANIFEST_SIG" "$MANIFEST_FILENAME" >/dev/null 2>&1; then
    echo "✅ Digital signature verification successful"
else
    echo "❌ Digital signature verification failed"
    exit 1
fi

# Verify file integrity using sha256sum -c
echo "🔍 Verifying file integrity..."
if sha256sum -c "$MANIFEST_FILENAME" >/dev/null 2>&1; then
    echo "✅ File integrity verification successful - no files have been modified"
else
    echo "❌ File integrity verification failed - Current package content does not match the original content"
    sha256sum -c "$MANIFEST_FILENAME"  # Show detailed output on failure
    exit 1
fi

# Return to original directory if we changed directories
if [ -n "$FOLDER_NAME" ]; then
    cd ..
fi

echo ""
echo "🎉 Verification complete! Your imagery package is authentic and unmodified."

Verification Results

What Verification Can Detect

🔒 Digital Signature Issues

  • Invalid or tampered signature files
  • Package authenticity concerns

📁 File Integrity Problems

  • Modified files: Files that have been partially downloaded, or may have been altered or damaged after delivery
  • Missing files: Files listed in the manifest but not present in the package

What Verification Doesn't Detect

📋 Additional Files: The verification process will not check for or report additional files that may have been added to the package folder after delivery. Only files listed in the original manifest are verified.

Successful Verification

When using the Automated verification script, a passed verification output looks like: 

🔍 Starting verification process...
📁 Package: 20240826_072740_SN26_L1B_MS_TARGET123
📄 Manifest: 20240826_072740_SN26_L1B_MS_TARGET123_manifest.txt

🔐 Verifying digital signature...
✅ Digital signature verification successful
🔍 Verifying file integrity...
✅ File integrity verification successful - no files have been modified

🎉 Verification complete! Your imagery package is authentic and unmodified.

Failed Verification Examples and troubleshooting

Digital Signature Failure

When using the Automated verification script, a failed signature verification output looks like: 

❌ Digital signature verification failed

  • The package may have been tampered with or corrupted during transfer
  • Verify you're using the correct and current public key from Satellogic
  • Contact Satellogic support if the issue persists

File Integrity Failure

When using the Automated verification script, a failed content verification output looks like: 

❌ File integrity verification failed - Current package content does not match the original content
20240826_072740_SN26_L1B_MS_preview.png: FAILED
20240826_072740_SN26_L1B_MS_TARGET123_manifest.txt: OK
rasters/20240826_072740_SN26_L1B_MS_VISUAL_0.tif: FAILED open or read

  • One or more files in the package have been modified
  • Re-download the package if files were accidentally modified
  • Check for file corruption during transfer

Other Issues

When using the Automated verification script, other error messages may be raised.

"No manifest file found"

  • Ensure you're in the correct directory containing the imagery package
  • Check that the package includes the *_manifest.txt file

"Public key file not found"

  • Download the public key: curl -o publickey.pem https://api.satellogic.com/.well-known/publickey.pem
  • Ensure the key file is in the correct location relative to your verification script