- Frontend calls Modrinth API to retrieve information about current modpack versions
- User selects version and other install parameters
- Frontend sends modpack bundle URL alongside verification material to backend
- Backend downloads modpack bundle and verifies it
- Backend removes any previously installed files
- Backend downloads mods as specified by manifest and verifies their SHA512 hashes
- Backend installs misc. files contained in bundle
- Backend queries Fabric Meta to install Fabric version requested by manifest
- Backend creates launcher profile and writes install metadata to file
- Modpack bundle is built from source and signed by Github Actions using cosign
- Source and modpack bundle includes hashes for all their required external files
- Backend restricts download URLs for modpack manifest and external mods
- Backend calls Verifier to verify modpack signature
- Verifier verifies modpack was built from source using Github Actions, as part of a release pipeline