Security in Drauger OS Mods is handled by three mandatory files inside the mod. There are several out-of-mod systems as well, but those are not covered here.
The hashes.list file, stored in the root directory of the mod, contains a SHA256 hash of every file, except the public.key file, the hashes.list.sig file, and itself.
This file must use the following format:
<SHA256 HASH> <FILE NAME 1>
<SHA256 HASH> <FILE NAME 2>
...
These files can be listed in any order. If ANY file does not match the hash listed in this file, the mod will not be installed.
The hashes.list.sig file is a detached GPG signature file, containing the signature for the hashes.list file. If this signature cannot be verified, then the mod will not be installed.
The public.key file is the public key associated with the private key used to generate the hashes.list.sig file. This file may be changed, within the following limits:
- The public key in the key file must be valid. If the key is expired, the mod will not be allowed to be installed.
  a. For this reason, it is advised that public keys be set to not expire, or to expire very infrequently.
- The public key may not be changed at any arbitrary time. It may only be changed once every 6 months.
  a. That is to say, if a key was created on 2026-01-01, then it cannot be changed until 2026-07-01.
  b. If a key is changed prematurely, it will be assumed the mod file was compromised in some way, and the mod will not be installed.
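The following is an added example, not code from Drauger OS, showing how an installer-side check of the hashes.list rules above and of the six-month key-change window could be implemented. It builds a small constructed mod directory (placeholder install.sh, data/config.json, public.key and hashes.list.sig, none of them real Drauger OS files), walks the mod, and reports any file whose SHA256 differs from the listed value. One assumption goes slightly beyond the wording above: because hashes.list must cover every non-exempt file, a file that is present but not listed is also reported, since otherwise content could be added to a mod without touching the signed list. The key-change helpers assume "once every 6 months" means on or after the same day of the month six calendar months later, matching the 2026-01-01 to 2026-07-01 example. The GPG step itself is not in the code: it would be the standard gpg --verify hashes.list.sig hashes.list after importing public.key, and needs the gpg binary.

```python
import calendar
import hashlib
import os
import tempfile
from datetime import date

# Files the rules above exclude from hashes.list: the list itself,
# its detached signature, and the public key.
EXEMPT = {"hashes.list", "hashes.list.sig", "public.key"}


def sha256_file(path):
    """Stream a file through SHA256 so large mod files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hashes_list(text):
    """Parse '<SHA256 HASH> <FILE NAME>' lines; order does not matter.
    Tolerates the two-space separator sha256sum emits and rejects malformed
    digests or duplicate names instead of silently skipping them."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"hashes.list line {lineno}: expected '<hash> <file>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"hashes.list line {lineno}: bad SHA256 digest")
        if name in entries:
            raise ValueError(f"hashes.list line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_hashes(mod_dir):
    """Return a sorted list of problems; an empty list means the mod may proceed
    to signature verification. Assumption: unlisted and missing files are
    failures too, since hashes.list must cover every non-exempt file."""
    with open(os.path.join(mod_dir, "hashes.list"), encoding="utf-8") as f:
        expected = parse_hashes_list(f.read())
    problems, present = [], set()
    for root, _dirs, files in os.walk(mod_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), mod_dir)
            if rel in EXEMPT:
                continue
            present.add(rel)
            if rel not in expected:
                problems.append(f"unlisted file: {rel}")
            elif sha256_file(os.path.join(mod_dir, rel)) != expected[rel]:
                problems.append(f"hash mismatch: {rel}")
    problems.extend(f"missing file: {rel}" for rel in expected if rel not in present)
    return sorted(problems)


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def earliest_key_change(created):
    """First date on which the key may be replaced: six calendar months after
    creation (assumed reading of the rule; 2026-01-01 -> 2026-07-01)."""
    created = _as_date(created)
    month = created.month + 6
    year = created.year + (month - 1) // 12
    month = (month - 1) % 12 + 1
    day = min(created.day, calendar.monthrange(year, month)[1])  # clamp short months
    return date(year, month, day)


def key_change_allowed(created, change_date):
    """False means the change is premature and the mod must be rejected."""
    return _as_date(change_date) >= earliest_key_change(created)


def build_sample_mod(tamper=False, extra=False):
    """Constructed sample mod for demonstration only; not a real Drauger OS mod."""
    d = tempfile.mkdtemp(prefix="mod-")
    files = {"install.sh": b"#!/bin/sh\necho hello\n", "data/config.json": b'{"a": 1}\n'}
    for rel, content in files.items():
        p = os.path.join(d, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    with open(os.path.join(d, "hashes.list"), "w", encoding="utf-8") as f:
        f.write("".join(f"{sha256_file(os.path.join(d, r))} {r}\n" for r in files))
    # Exempt files: placeholder contents, never hashed by verify_hashes.
    with open(os.path.join(d, "public.key"), "w") as f:
        f.write("placeholder public key\n")
    with open(os.path.join(d, "hashes.list.sig"), "wb") as f:
        f.write(b"placeholder signature")
    if tamper:  # modify a listed file after the list was written
        with open(os.path.join(d, "install.sh"), "ab") as f:
            f.write(b"echo tampered\n")
    if extra:  # add a file the list never mentioned
        with open(os.path.join(d, "extra.bin"), "wb") as f:
            f.write(b"smuggled")
    return d


if __name__ == "__main__":
    print("clean:", verify_hashes(build_sample_mod()))
    print("tampered:", verify_hashes(build_sample_mod(tamper=True)))
    print("extra file:", verify_hashes(build_sample_mod(extra=True)))
    print("key change on 2026-06-30 allowed:", key_change_allowed("2026-01-01", "2026-06-30"))
```

verify_hashes deliberately collects every problem rather than stopping at the first, so an installer log shows the full set of mismatched, unlisted and missing files; the decision to refuse installation is simply "the list is non-empty". The hash check should run only after the signature on hashes.list has been verified against public.key, otherwise a rewritten list would pass trivially.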