Service Design and Creation / SDC-2562

Package Security - support signing of individual artifacts


Implement authenticity and integrity checking for packages following ETSI NFV-SOL 004 clauses 5.1 and 5.2, option 1 (the relevant text is quoted below):

      Item 5.1

      Option 1: The VNF package shall contain a Digest (a.k.a. hash) for each of the components of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider private key. In addition, the VNF provider shall include a signing certificate that includes the VNF provider public key, following a pre-defined naming convention and located either at the root of the archive or in a predefined location (e.g. directory). The certificate may also be included in the signature container, if the signature format allows that. For example, the CMS format allows to include the certificate in the same container as the signature.

      Item 5.2

      In option 1 (see clause 5.1) the manifest file provides the VNF package integrity assurance. In this option the manifest contains the digests (hashes) for each individual file locally stored within the VNF package or referenced from it. Each file related entry of the manifest file includes the path or URI of the individual file, the hash algorithm and the generated digest. A consumer of the VNF package shall verify the digests in the manifest file by computing the actual digests and comparing them with the digests listed in the manifest file. In option 1 the VNF package authenticity is ensured by signing the manifest file with the VNF provider private key. The digital signature is stored in the manifest file itself (see clause 5.3). The VNF provider shall include an X.509 certificate [8] in the VNF Package. The certificate shall be either placed in a certificate file with extension .cert or, if the chosen signature format allows it, the certificate may be included in the signature container itself. The certificate provides the VNF provider public key. In a CSAR file without metadata directory the .cert file shall have the same name as the TOSCA definitions YAML file and be located at the root of the archive (archive without TOSCA-Metadata directory). In a CSAR file with a metadata directory, the .cert file shall be placed in the location specified by the TOSCA.meta file (archive with a TOSCA-Metadata directory). In the latter case, the corresponding entry shall be named "ETSI-Entry-Certificate".

       Extracted from: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.06.01_60/gs_nfv-sol004v020601p.pdf
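The option 1 flow quoted above, as an added self-contained example that is neither SDC's nor ETSI's code: a POSIX shell script driving the openssl CLI. It builds a constructed CSAR-style directory without a TOSCA-Metadata directory (so the certificate is vnfd.cert beside the definitions file vnfd.yaml), writes a manifest of Source/Algorithm/Hash entries, appends a detached CMS signature to the manifest, and then verifies the result the way a package consumer must: signature first, digests second. The package files, the self-signed provider certificate, the metadata values and all function names are assumptions made for this example; the consumer function takes the trust anchor as a parameter because the certificate found inside the package proves nothing on its own.

```shell
#!/bin/sh
# Added example (not ONAP SDC or ETSI code): SOL004 option 1 on a constructed package.
# Assumes the openssl CLI; every file, key, certificate and name below is made up here.

WORK=$(mktemp -d)
PKG="$WORK/pkg"

digest() { # $1 = openssl digest name (sha256/sha512), $2 = file; prints the hex digest only
  openssl dgst "-$1" -r "$2" 2>/dev/null | cut -d' ' -f1
}

# Constructed package without a TOSCA-Metadata directory: the TOSCA definitions file vnfd.yaml
# sits at the root, so the certificate must be vnfd.cert and the manifest vnfd.mf (clause 5.2).
make_package() {
  mkdir -p "$PKG/Artifacts"
  printf 'tosca_definitions_version: tosca_simple_yaml_1_2\n' > "$PKG/vnfd.yaml"
  printf '#!/bin/sh\necho "constructed install script"\n' > "$PKG/Artifacts/install.sh"
  # Self-signed provider certificate, standing in for one issued by a CA the operator trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example VNF Provider" \
    -keyout "$WORK/provider.key" -out "$PKG/vnfd.cert" 2>/dev/null
}

# Provider side: metadata block, then one Source/Algorithm/Hash entry per package file.
write_manifest() {
  {
    printf 'metadata:\nvnf_product_name: example-vnf\nvnf_provider_id: Example VNF Provider\n'
    printf 'vnf_package_version: 1.0\nvnf_release_date_time: 2019-11-01T00:00:00+00:00\n\n'
    for f in vnfd.yaml Artifacts/install.sh; do
      printf 'Source: %s\nAlgorithm: SHA-256\nHash: %s\n\n' "$f" "$(digest sha256 "$PKG/$f")"
    done
  } > "$PKG/vnfd.mf"
}

# Provider side: detached CMS signature over the whole manifest, appended to it in PEM form
# (clause 5.3). The signer certificate is embedded in the CMS too, which option 1 permits.
sign_manifest() {
  openssl cms -sign -binary -md sha256 -in "$PKG/vnfd.mf" -signer "$PKG/vnfd.cert" \
    -inkey "$WORK/provider.key" -outform PEM -out "$WORK/mf.sig" 2>/dev/null || return 1
  cat "$WORK/mf.sig" >> "$PKG/vnfd.mf"
}

# Consumer side. $1 = manifest, $2 = PEM trust anchor the signer certificate must chain to.
# Passing the .cert found inside the package (as the demo below does) only shows the package is
# self-consistent; a real consumer supplies its own out-of-band anchor, or anyone can re-sign.
verify_manifest() {
  mf=$1; anchor=$2; base=$(dirname "$mf"); body="$WORK/mf.body"; sig="$WORK/mf.sig.pem"
  # 1. Split: everything before the CMS block is the signed content.
  sed '/^-----BEGIN CMS-----$/,$d' "$mf" > "$body"
  sed -n '/^-----BEGIN CMS-----$/,/^-----END CMS-----$/p' "$mf" > "$sig"
  [ -s "$sig" ] || { echo "FAIL: no CMS signature block in manifest"; return 1; }
  # 2. Authenticity first: never act on a digest list whose signature has not been checked.
  openssl cms -verify -binary -inform PEM -in "$sig" -content "$body" -CAfile "$anchor" \
    -out /dev/null 2>/dev/null || { echo "FAIL: signature does not verify against anchor"; return 1; }
  # 3. Integrity: recompute every listed digest (local Source paths only; a URI entry would
  #    have to be fetched before hashing).
  src=; alg=; n=0
  while IFS= read -r line; do
    case "$line" in
      "Source: "*)    src=${line#Source: } ;;
      "Algorithm: "*) alg=$(printf '%s' "${line#Algorithm: }" | tr 'a-z' 'A-Z') ;;
      "Hash: "*)
        expected=${line#Hash: }
        [ -f "$base/$src" ] || { echo "FAIL: $src is listed but missing"; return 1; }
        case "$alg" in
          SHA-256) actual=$(digest sha256 "$base/$src") ;;
          SHA-512) actual=$(digest sha512 "$base/$src") ;;
          *) echo "FAIL: unsupported algorithm '$alg' for $src"; return 1 ;;
        esac
        [ "$actual" = "$expected" ] || { echo "FAIL: digest mismatch for $src"; return 1; }
        n=$((n + 1)) ;;
    esac
  done < "$body"
  echo "OK: signature valid, $n digests match"
}

# Demo: an untouched package verifies; an artifact modified after signing is rejected.
make_package && write_manifest && sign_manifest && verify_manifest "$PKG/vnfd.mf" "$PKG/vnfd.cert"
printf 'echo tampered\n' >> "$PKG/Artifacts/install.sh"
verify_manifest "$PKG/vnfd.mf" "$PKG/vnfd.cert" || echo "tampered artifact rejected as expected"
rm -rf "$WORK"
```

The consumer function checks the signature before it touches any digest on purpose: an attacker who can edit the manifest can make every digest "match", so the hash table is only meaningful once the CMS signature over it has been verified against an anchor the operator controls. Two things a production consumer must add that the script leaves out: reject any file present in the archive but absent from the manifest, since such a file is unsigned content, and take the trust anchor from its own configuration rather than from the package.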

       

andre.schmid
