PKG
application/octet-stream
High Risk Format
This file type can contain executable code. Always validate source and scan with antivirus before opening.
Magic Bytes
Offset: 10
23 20 54 68 69 73 20 69 73 20 61 20 73 68 65 6C 6C 20 61 72 63 68 69 76 65
The PKG shell archive is a legacy container format originally developed by the Unix community to distribute sets of files as executable scripts. It is primarily utilized for software distribution, source code sharing, and automated installation processes across early POSIX-compliant environments. Because these archives function as executable shell scripts, they present a significant security risk by potentially executing malicious commands upon extraction; consequently, modern systems have largely replaced them with more secure compressed archive formats.
Validation Code
How to validate .pkg files in Python
def is_pkg(file_path: str) -> bool:
    """
    Check if file is a valid PKG by magic bytes.
    Signature offset: 10 bytes
    """
    signature = bytes([0x23, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x73, 0x68, 0x65, 0x6C, 0x6C, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65])
    with open(file_path, "rb") as f:
        f.seek(10)
        return f.read(25) == signature
How to validate .pkg files in Node.js
function isPKG(buffer: Buffer): boolean {
  // Signature offset: 10 bytes
  const signature = Buffer.from([0x23, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x73, 0x68, 0x65, 0x6C, 0x6C, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65]);
  if (buffer.length < 35) return false;
  return buffer.subarray(10, 35).equals(signature);
}
How to validate .pkg files in Go
import "bytes"

// IsPKG reports whether data carries the shell archive signature.
func IsPKG(data []byte) bool {
	// Signature offset: 10 bytes
	signature := []byte{0x23, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x73, 0x68, 0x65, 0x6C, 0x6C, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65}
	if len(data) < 35 {
		return false
	}
	return bytes.Equal(data[10:35], signature)
}
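Because a shell archive runs as a script when it is unpacked, a match on the magic bytes says nothing about what the script will do. The following is an added example, not code from this page or site: it reads an archive as text, never executes it, and reports the files it would write and any command outside a small expected set. The `EXPECTED` allowlist, the helper names and the sample archive are assumptions made for illustration.

```python
import re

# Magic from this page: "# This is a shell archive" at offset 10.
MAGIC, MAGIC_OFFSET = b"# This is a shell archive", 10
# Assumption: the only commands a plain unpacking script needs.
EXPECTED = {"echo", "sed", "cat", "mkdir", "chmod", "test", "[", ":", "exit"}
KEYWORDS = {"if", "then", "else", "elif", "fi", "!"}
HEREDOC = re.compile(r"<<-?\s*\\?['\"]?(\w+)")
REDIRECT = re.compile(r"(?<![<>&\d])>{1,2}\s*([^\s<>&|;]+)")

# Constructed sample archive (not from the page).
SAMPLE = (b"#!/bin/sh\n"
          b"# This is a shell archive.  Unpack with: sh file\n"
          b"echo x - hello.c\n"
          b"sed 's/^X//' > hello.c << 'SHAR_EOF'\n"
          b"Xint main(void) { return 0; }\n"
          b"Xtouch /tmp/payload_text_not_a_command\n"
          b"SHAR_EOF\n"
          b"chmod 644 hello.c\n"
          b"touch /tmp/unexpected_marker\n"
          b"exit 0\n")


def command_names(line):
    """Yield the first word of each ;, |, && or || segment, minus keywords."""
    for segment in re.split(r"\|\||&&|[;|]", line):
        words = segment.split()
        while words and words[0] in KEYWORDS:
            words.pop(0)
        if words:
            yield words[0]


def triage_shar(data):
    """Summarise a shell archive from its text; nothing is executed."""
    report = {"is_shar": data[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)] == MAGIC,
              "writes": [], "unexpected": []}
    delimiter = None
    for number, line in enumerate(data.decode("latin-1").split("\n"), 1):
        stripped = line.strip()
        if delimiter is not None:  # inside a here-document: payload, skip
            delimiter = None if stripped == delimiter else delimiter
            continue
        if not stripped or stripped.startswith("#"):
            continue
        report["writes"] += [t.strip("'\"") for t in REDIRECT.findall(stripped)]
        if any(name not in EXPECTED for name in command_names(stripped)):
            report["unexpected"].append((number, stripped))
        delimiter = m.group(1) if (m := HEREDOC.search(stripped)) else None
    return report
```

This is a line-based heuristic rather than a shell parser, so an empty `unexpected` list is a prompt to read the script, not clearance to run it.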
API Endpoint
/api/v1/pkg
curl https://filesignature.org/api/v1/pkg