The on-device client: .pkg & .pkg-inst
ZXPkg’s client runs on the Spectrum as two standard dot commands, each under 7 KB so they work on classic esxDOS machines as well as the Next:
- .pkg — the query half: what’s installed, what’s in the registry, what’s outdated.
- .pkg-inst — the trust half: installs and updates, gated by signature verification (Rabin-Williams over SHA-256, checked on the Z80 itself).
Install in one line (ZX Spectrum Next)
On a Next with WiFi, the built-in .http command can fetch the installer, which then sets everything up — downloads both dots, creates the folders, fetches and verifies the package index, and scans your /dot:
.http get -h pkg.zx.in.net -u /install.bas -f install.bas
LOAD "install.bas": RUN
Manual setup (classic machines, or no WiFi)
- Copy the two command files PKG and PKG-INST into /dot on your SD card.
- Run .pkg-inst setup — it creates the /PKG (local registry index) and /CACHE (download staging) folders for you.
.pkg — query commands
| Command | What it does |
|---|---|
| .pkg scan | CRC every file in /DOT, identify each against the registry, and build the installed-package database (/INSTALL.DAT). Run this first, and again after changes. |
| .pkg / .pkg status | Instant report from that database: each managed package as name vVER ok or update (a newer version exists), plus a tally of unmanaged files. |
| .pkg list | The registry catalogue (packages compatible with your machine). |
| .pkg search <term> | Search the registry by name. |
| .pkg info <name> | Full details for one package: version, command, machine, size, description. |
| .pkg remove <name> | Delete /DOT/<name> (refuses to remove the client itself). |
| .pkg help | Usage summary. |
.pkg-inst — install & update
| Command | What it does |
|---|---|
| .pkg-inst update | Verify the staged registry index (/CACHE/INDEX.DAT + .SIG) and, only if the signature is valid, store it as the trusted /PKG/INDEX.DAT. |
| .pkg-inst install <CMD> | Verify the staged package (/CACHE/<CMD> + .SIG) and, only if valid, install it to /DOT/<CMD>. A tampered or corrupt file is refused. |
Both read from /CACHE. Getting files there: on the Next, fetch them over WiFi — e.g. with the built-in .http command — or copy them onto the SD card from any machine. A native fetch built into the client is in development, so this staging step will disappear.
.http get -h pkg.zx.in.net -u /index/v1.dat -f /CACHE/INDEX.DAT
.http get -h pkg.zx.in.net -u /index/v1.dat.sig -f /CACHE/INDEX.SIG
.pkg-inst update
The trust model
The transport is never trusted — the signature is. Every artifact and the index itself are signed by the registry; .pkg-inst verifies the signature on-device against its embedded public key before anything is installed or believed. Identification (scan) uses fast CRC-32C; acceptance always requires the signature. That’s why downloads can travel over plain HTTP, Gopher, or sneakernet: a modified file simply fails verification and is refused.
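The verify-then-promote gate described above, sketched host-side in Python as an added example; it is not ZXPkg's code. The toy key, the (e, f, s) signature layout, the dict stand-ins for /CACHE and /PKG, and all function names are assumptions, since the page does not describe the client's actual signature encoding.

```python
import hashlib

# Constructed toy key, NOT the registry's: two well-known special-form primes
# with P % 8 == 3 and Q % 8 == 7 (trivially factorable, for illustration only).
P, Q = 2**130 - 5, 2**127 - 1
N = P * Q                      # public modulus; all a verifier needs

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < N

def rw_sign(data: bytes):
    """Registry side (needs P, Q): find e, f, s with e*f*s*s == H(data) mod N."""
    h = digest(data)
    for e in (1, -1):
        for f in (1, 2):       # exactly one (e, f) makes u a square mod P and Q
            u = h * pow(e * f, -1, N) % N
            sp = pow(u, (P + 1) // 4, P)   # square-root candidates
            sq = pow(u, (Q + 1) // 4, Q)
            if sp * sp % P == u % P and sq * sq % Q == u % Q:
                s = (sp + P * ((sq - sp) * pow(P, -1, Q) % Q)) % N  # CRT
                return e, f, s
    raise ValueError("digest shares a factor with N")

def rw_verify(data: bytes, sig) -> bool:
    """Client side: public modulus only, one modular squaring and a compare."""
    e, f, s = sig
    if e not in (1, -1) or f not in (1, 2) or not 0 <= s < N:
        return False
    return (e * f * s * s) % N == digest(data)

def promote(cache: dict, trusted: dict, name: str, sig_name: str) -> bool:
    """Copy a staged file into the trusted store only if its signature verifies."""
    data, sig = cache.get(name), cache.get(sig_name)
    if data is None or sig is None or not rw_verify(data, sig):
        return False           # refused; the trusted copy is left untouched
    trusted[name] = data
    return True

def demo():
    index = b"constructed sample index v2\n"
    cache = {"INDEX.DAT": index, "INDEX.SIG": rw_sign(index)}
    trusted = {"INDEX.DAT": b"previous trusted index\n"}
    ok = promote(cache, trusted, "INDEX.DAT", "INDEX.SIG")
    cache["INDEX.DAT"] = index.replace(b"v2", b"v9")   # modified after signing
    tampered = promote(cache, trusted, "INDEX.DAT", "INDEX.SIG")
    return ok, tampered, trusted["INDEX.DAT"]
```

Verification touches only the public modulus, so nothing secret lives on the device, and a failed check leaves the previously trusted index in place.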