v0.9.1: add deep checksum verification

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 This changelog is maintained from git history plus the published Gitea release series. Future releases should update this file and publish matching release notes on the release page.
 
+## v0.9.1
+
+Deep checksum verification release.
+
+- Add `verify --deep` to recompute SHA-256 checksums for manifest entries that have checksum metadata.
+- Report `checksum-mismatch` when disk contents differ from the manifest checksum.
+- Keep normal `verify` unchanged unless `--deep` is selected.
+
+## v0.9.0
+
+Manifest checksum release.
+
+- Add opt-in `--checksum sha256` to store SHA-256 file checksums in JSONL and SQLite manifests.
+- Add SQLite migration support for the manifest `checksum` column.
+- Keep checksum collection disabled by default with `--checksum none`.
+
+## v0.8.7
+
+JSON sidecar release.
+
+- Add `--sidecar json` for structured JSON metadata sidecars.
+- Add `--sidecar xmp,json` to write both XMP and JSON sidecars from the same metadata.
+- Keep `--sidecar none` as the default.
+
 ## v0.8.6
 
 XMP keyword and rating controls release.

Makefile

@@ -1,6 +1,6 @@
 BINARY     := ./bin/photoscli
 MODULE     := gitea.k3s.k0.nu/tools/photocli
-VERSION    := 0.8.6
+VERSION    := 0.9.1
 RELEASE_ZIP := ./bin/photoscli-$(VERSION)-macos-arm64.zip
 RELEASE_NOTES := RELEASE_NOTES.md
 BRIDGE_DIR := bridge

README.md

@@ -21,6 +21,7 @@ For a practical step-by-step manual with recommended backup workflows, recovery
 - Deduplicated failure management with `failures list`, `failures clear`, and `retry-failed --clear-on-success`.
 - Verification, reporting, and diff commands for backup integrity.
 - Optional XMP sidecar verification with `verify --sidecar`.
+- Optional SHA-256 manifest checksums with `--checksum sha256`.
 - Metadata-only XMP refresh for manifest-backed exports with `--metadata-only`.
 - Status command for quick backup summaries.
 - Opt-in rich XMP sidecar metadata with `--sidecar xmp`.
@@ -116,6 +117,7 @@ Verify a backup later:
 
 ```bash
 ./bin/photoscli verify --out ./photos-backup --manifest sqlite
+./bin/photoscli verify --out ./photos-backup --deep
 ```
 
 ## Commands
@@ -186,6 +188,7 @@ Useful examples:
 
 ```bash
 photoscli backup-all --out ./backup --manifest sqlite --log
+photoscli backup-all --out ./backup --checksum sha256
 photoscli backup-all --out ./backup --exclude-album "Recently Deleted" --exclude-album "Temp*"
 photoscli backup-all --out ./backup --since 2024-01-01 --sort newest
 photoscli backup-all --out ./backup --concurrency 8 --retry 3
@@ -344,6 +347,8 @@ Write archival metadata sidecars with:
 
 ```bash
 photoscli export --album-id "Vacation" --out ./Vacation --sidecar xmp
+photoscli export --album-id "Vacation" --out ./Vacation --sidecar json
+photoscli export --album-id "Vacation" --out ./Vacation --sidecar xmp,json
 ```
 
 Sidecars are opt-in and use the exported file basename:
@@ -351,6 +356,7 @@ Sidecars are opt-in and use the exported file basename:
 ```text
 IMG_0001.jpg -> IMG_0001.xmp
 IMG_0001.HEIC -> IMG_0001.xmp
+IMG_0001.jpg -> IMG_0001.json
 ```
 
 The XMP contains photoscli metadata such as asset ID, filenames, album, manifest path, media type, dimensions, favorite state, cloud state, export mode, version, exported timestamp, size, and creation date when available. If `--sidecar xmp` is explicitly selected and the sidecar cannot be written, that asset is treated as failed.

RELEASE_NOTES.md

@@ -1,18 +1,18 @@
-# v0.8.6
+# v0.9.1
 
-This release adds keyword and rating controls for generated XMP sidecars.
+This release adds deep checksum verification for manifest-backed backups.
 
 ## Highlights
 
-- Add `--xmp-keywords album-path|album|none`.
-- Add `--xmp-rating favorite|none`.
-- Keep existing behavior by default with album-path keywords and favorite-to-rating mapping.
-- Use these flags when another DAM or metadata tool should own keywords or ratings.
+- Add `verify --deep` to recompute SHA-256 checksums when manifest entries include checksums.
+- Report `checksum-mismatch` when file contents differ from the manifest checksum.
+- Keep normal `verify` unchanged unless `--deep` is selected.
+- `--deep` works with JSONL and SQLite manifests.
 
 ## Assets
 
 - `photoscli`: Apple Silicon macOS binary (`darwin/arm64`).
-- `photoscli-0.8.6-macos-arm64.zip`: Apple Silicon binary plus README, USERGUIDE, and CHANGELOG.
+- `photoscli-0.9.1-macos-arm64.zip`: Apple Silicon binary plus README, USERGUIDE, and CHANGELOG.
 - `USERGUIDE.md`: standalone user guide.
 
 Intel Macs are not currently a supported release target.

USERGUIDE.md

@@ -21,6 +21,7 @@ It is especially useful when you want to:
 - Retry transient iCloud failures.
 - Verify that files referenced by a manifest exist on disk.
 - Detect missing, zero-byte, and size-mismatched manifest files.
+- Store optional SHA-256 checksums in manifests.
 - Inspect or clear deduplicated failure records.
 - Write optional XMP sidecar metadata for archival workflows.
 - Add optional reverse-geocoded address metadata to XMP sidecars for GPS assets.
@@ -546,6 +547,8 @@ Use XMP sidecars when you want portable metadata next to exported files:
 
 ```bash
 ./bin/photoscli export --album-id "Vacation" --out ./Vacation --sidecar xmp
+./bin/photoscli export --album-id "Vacation" --out ./Vacation --sidecar json
+./bin/photoscli export --album-id "Vacation" --out ./Vacation --sidecar xmp,json
 ```
 
 Sidecars are disabled by default. When enabled, they use the exported file basename:
@@ -553,8 +556,11 @@ Sidecars are disabled by default. When enabled, they use the exported file basen
 ```text
 IMG_0001.jpg -> IMG_0001.xmp
 IMG_0001.HEIC -> IMG_0001.xmp
+IMG_0001.jpg -> IMG_0001.json
 ```
 
+Use XMP for standards-oriented metadata workflows and JSON when you want structured photoscli metadata for scripts or audits.
+
 The XMP includes photoscli archive metadata such as asset ID, original filename, exported filename, album, manifest path, media type, dimensions, favorite state, hidden state, cloud state, export mode, version, exported time, size, creation date, modification date, duration, adjustment state, media subtypes, source type, playback style, burst data, GPS coordinates, adjustment info, structured asset resources, standard XMP date fields, EXIF GPS fields, favorite rating, and album/folder keywords when PhotoKit exposes them.
 
 Control location privacy in generated sidecars:
@@ -816,6 +822,22 @@ Use structured logs:
 ./bin/photoscli backup-all --out ./PhotosBackup --manifest sqlite --log
 ```
 
+Store SHA-256 checksums in the manifest when exporting:
+
+```bash
+./bin/photoscli backup-all --out ./PhotosBackup --checksum sha256
+```
+
+Checksums are opt-in and stored in JSONL or SQLite manifests. The default is `--checksum none`.
+
+Deep-verify checksum-backed manifests:
+
+```bash
+./bin/photoscli verify --out ./PhotosBackup --deep
+```
+
+`--deep` recomputes SHA-256 only for manifest entries that already have checksum metadata.
+
 ## Safe Operating Practices
 
 - Run `--dry-run` before the first large backup.

cmd/photoscli/main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
@@ -42,6 +44,7 @@ type exportOptions struct {
 	verify         bool
 	format         string
 	sidecar        string
+	checksum       string
 	xmpPrivacy     string
 	xmpKeywords    string
 	xmpRating      string
@@ -177,6 +180,7 @@ COMMANDS
       files are printed as <asset-id><TAB><filename>. Exits 2 on missing files.
       Add --sidecar to verify expected XMP sidecars too. Add --strict with
       --sidecar to require photoscli schema/generator and exported filename metadata.
+      Add --deep to verify manifest SHA-256 checksums when present.
 
   retry-failed --out <dir>
       Retry assets previously written to failures.jsonl.
@@ -228,9 +232,12 @@ COMMON EXPORT FLAGS
   --verify
       Run manifest/file verification after export or backup-all.
 
-  --sidecar none|xmp
-      Write opt-in XMP sidecar metadata next to each exported file. Default:
-      none. If XMP writing fails, the asset is counted as failed.
+  --checksum none|sha256
+      Store optional file checksum metadata in the manifest. Default: none.
+
+  --sidecar none|xmp|json|xmp,json
+      Write opt-in metadata sidecars next to each exported file. Default: none.
+      If sidecar writing fails, the asset is counted as failed.
 
   --xmp-privacy keep|strip-location|strip-address
       Control location/address metadata in generated XMP sidecars. Default: keep.
@@ -789,7 +796,7 @@ func logEntry(event, level, assetID, album, filename, cloud string, size int64,
 	}
 }
 
-func addManifestEntry(m manifest.Manifest, pa pendingAsset, result photos.ExportResult) {
+func addManifestEntry(m manifest.Manifest, pa pendingAsset, result photos.ExportResult, checksum string) {
 	if m == nil {
 		return
 	}
@@ -802,7 +809,33 @@ func addManifestEntry(m manifest.Manifest, pa pendingAsset, result photos.Export
 	if err != nil || strings.HasPrefix(relPath, "..") {
 		relPath = result.Filename
 	}
-	m.AddEntry(manifest.NewEntry(pa.asset.ID, result.Filename, relPath, result.Size, result.Cloud))
+	m.AddEntry(manifest.NewEntryWithChecksum(pa.asset.ID, result.Filename, relPath, result.Size, result.Cloud, checksum))
+}
+
+func addManifestEntryForResult(m manifest.Manifest, pa pendingAsset, result photos.ExportResult, opts exportOptions) error {
+	checksum := ""
+	if opts.checksum == "sha256" && !result.Skipped {
+		var err error
+		checksum, err = fileSHA256(filepath.Join(pa.path, result.Filename))
+		if err != nil {
+			return err
+		}
+	}
+	addManifestEntry(m, pa, result, checksum)
+	return nil
+}
+
+func fileSHA256(path string) (string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(h.Sum(nil)), nil
 }
 
 type xmpSidecarData struct {
@@ -901,6 +934,20 @@ func sidecarPath(exportedPath string) string {
 	return strings.TrimSuffix(exportedPath, ext) + ".xmp"
 }
 
+func jsonSidecarPath(exportedPath string) string {
+	ext := filepath.Ext(exportedPath)
+	return strings.TrimSuffix(exportedPath, ext) + ".json"
+}
+
+func sidecarEnabled(sidecar, format string) bool {
+	for _, part := range strings.Split(sidecar, ",") {
+		if strings.TrimSpace(part) == format {
+			return true
+		}
+	}
+	return false
+}
+
 func renderXMP(d xmpSidecarData) []byte {
 	attrs := []struct{ key, val string }{
 		{"photoscli:xmpSchemaVersion", "2"},
@@ -1074,8 +1121,31 @@ func writeXMPSidecar(path string, data xmpSidecarData) error {
 	return nil
 }
 
+func writeJSONSidecar(path string, data xmpSidecarData) error {
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return err
+	}
+	f, err := createTempFunc(filepath.Dir(path), ".*.json.tmp")
+	if err != nil {
+		return err
+	}
+	tmp := f.Name()
+	_ = f.Close()
+	payload, _ := json.MarshalIndent(data, "", "  ")
+	payload = append(payload, '\n')
+	if err := writeFileFunc(tmp, payload, 0644); err != nil {
+		os.Remove(tmp)
+		return err
+	}
+	if err := renameFunc(tmp, path); err != nil {
+		os.Remove(tmp)
+		return err
+	}
+	return nil
+}
+
 func writeSidecarIfNeeded(pa pendingAsset, result photos.ExportResult, originals bool, opts exportOptions, cache *geocodeCache, bridge photos.Bridge) error {
-	if opts.sidecar != "xmp" {
+	if opts.sidecar == "none" || opts.sidecar == "" {
 		return nil
 	}
 	mode := "preview"
@@ -1138,7 +1208,7 @@ func writeSidecarIfNeeded(pa pendingAsset, result photos.ExportResult, originals
 	if xmpRating == "none" {
 		isFavorite = false
 	}
-	return writeXMPSidecar(sidecarPath(fullPath), xmpSidecarData{
+	data := xmpSidecarData{
 		AssetID:             pa.asset.ID,
 		OriginalFilename:    pa.asset.Filename,
 		ExportedFilename:    result.Filename,
@@ -1170,7 +1240,18 @@ func writeSidecarIfNeeded(pa pendingAsset, result photos.ExportResult, originals
 		BurstSelectionTypes: pa.asset.BurstSelectionTypes,
 		AdjustmentInfo:      pa.asset.AdjustmentInfo,
 		Resources:           pa.asset.Resources,
-	})
+	}
+	if sidecarEnabled(opts.sidecar, "xmp") {
+		if err := writeXMPSidecar(sidecarPath(fullPath), data); err != nil {
+			return err
+		}
+	}
+	if sidecarEnabled(opts.sidecar, "json") {
+		if err := writeJSONSidecar(jsonSidecarPath(fullPath), data); err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func writeMetadataOnlySidecar(pa pendingAsset, entry manifest.Entry, originals bool, opts exportOptions, cache *geocodeCache, bridge photos.Bridge) error {
@@ -1420,16 +1501,20 @@ func exportPendingSerial(pending []pendingAsset, targetSize, quality int, origin
 			failed++
 			appendFailure(pa.path, pa, exportErr)
 		} else if isSkipped {
-			addManifestEntry(m, pa, result)
+			_ = addManifestEntryForResult(m, pa, result, opts)
 		} else {
 			if sidecarErr := writeSidecarIfNeeded(pa, result, originals, opts, geo, bridge); sidecarErr != nil {
 				failed++
 				exportErr = sidecarErr
 				isErr = true
 				appendFailure(pa.path, pa, sidecarErr)
+			} else if checksumErr := addManifestEntryForResult(m, pa, result, opts); checksumErr != nil {
+				failed++
+				exportErr = checksumErr
+				isErr = true
+				appendFailure(pa.path, pa, checksumErr)
 			} else {
 				done++
-				addManifestEntry(m, pa, result)
 			}
 		}
 		avgSpeed := float64(0)
@@ -1560,16 +1645,20 @@ func exportPendingParallel(pending []pendingAsset, targetSize, quality int, orig
 			failed++
 			appendFailure(entry.pa.path, entry.pa, entry.err)
 		} else if isSkipped {
-			addManifestEntry(m, entry.pa, entry.result)
+			_ = addManifestEntryForResult(m, entry.pa, entry.result, opts)
 		} else {
 			if sidecarErr := writeSidecarIfNeeded(entry.pa, entry.result, originals, opts, geo, bridge); sidecarErr != nil {
 				failed++
 				entry.err = sidecarErr
 				isErr = true
 				appendFailure(entry.pa.path, entry.pa, sidecarErr)
+			} else if checksumErr := addManifestEntryForResult(m, entry.pa, entry.result, opts); checksumErr != nil {
+				failed++
+				entry.err = checksumErr
+				isErr = true
+				appendFailure(entry.pa.path, entry.pa, checksumErr)
 			} else {
 				done++
-				addManifestEntry(m, entry.pa, entry.result)
 			}
 		}
 		avgSpeed := float64(0)
@@ -1918,6 +2007,7 @@ func parseExportOptions(args []string, stderr io.Writer) (exportOptions, bool) {
 		verify:         hasFlag(args, "--verify"),
 		format:         flagValWithDefault(args, "--format", "jpeg"),
 		sidecar:        flagValWithDefault(args, "--sidecar", "none"),
+		checksum:       flagValWithDefault(args, "--checksum", "none"),
 		xmpPrivacy:     flagValWithDefault(args, "--xmp-privacy", "keep"),
 		xmpKeywords:    flagValWithDefault(args, "--xmp-keywords", "album-path"),
 		xmpRating:      flagValWithDefault(args, "--xmp-rating", "favorite"),
@@ -1933,8 +2023,21 @@ func parseExportOptions(args []string, stderr io.Writer) (exportOptions, bool) {
 		fmt.Fprintf(stderr, "error: --format must be jpeg, heic, or png, got %q\n", opts.format)
 		return opts, false
 	}
-	if opts.sidecar != "none" && opts.sidecar != "xmp" {
-		fmt.Fprintf(stderr, "error: --sidecar must be none or xmp, got %q\n", opts.sidecar)
+	if opts.sidecar != "none" && !sidecarEnabled(opts.sidecar, "xmp") && !sidecarEnabled(opts.sidecar, "json") {
+		fmt.Fprintf(stderr, "error: --sidecar must be none, xmp, json, or xmp,json, got %q\n", opts.sidecar)
+		return opts, false
+	}
+	if opts.sidecar != "none" {
+		for _, part := range strings.Split(opts.sidecar, ",") {
+			part = strings.TrimSpace(part)
+			if part != "xmp" && part != "json" {
+				fmt.Fprintf(stderr, "error: --sidecar must be none, xmp, json, or xmp,json, got %q\n", opts.sidecar)
+				return opts, false
+			}
+		}
+	}
+	if opts.checksum != "none" && opts.checksum != "sha256" {
+		fmt.Fprintf(stderr, "error: --checksum must be none or sha256, got %q\n", opts.checksum)
 		return opts, false
 	}
 	if opts.xmpPrivacy != "keep" && opts.xmpPrivacy != "strip-location" && opts.xmpPrivacy != "strip-address" {
@@ -1949,8 +2052,8 @@ func parseExportOptions(args []string, stderr io.Writer) (exportOptions, bool) {
 		fmt.Fprintf(stderr, "error: --xmp-rating must be favorite or none, got %q\n", opts.xmpRating)
 		return opts, false
 	}
-	if opts.metadataOnly && opts.sidecar != "xmp" {
-		fmt.Fprintln(stderr, "error: --metadata-only requires --sidecar xmp")
+	if opts.metadataOnly && opts.sidecar == "none" {
+		fmt.Fprintln(stderr, "error: --metadata-only requires --sidecar xmp, json, or xmp,json")
 		return opts, false
 	}
 	if v := flagVal(args, "--retry"); v != "" {
@@ -2177,6 +2280,7 @@ func cmdVerify(args []string, stdout, stderr io.Writer) int {
 	outDir := flagVal(args, "--out")
 	checkSidecar := hasFlag(args, "--sidecar")
 	strictSidecar := hasFlag(args, "--strict")
+	deep := hasFlag(args, "--deep")
 	if outDir == "" {
 		fmt.Fprintln(stderr, "error: --out is required")
 		return exitErr
@@ -2215,6 +2319,16 @@ func cmdVerify(args []string, stdout, stderr io.Writer) int {
 			bad++
 			fmt.Fprintf(stdout, "%s\t%s\tsize-mismatch\tmanifest=%d\tdisk=%d\n", id, checkPath, e.Size, info.Size())
 		}
+		if deep && e.Checksum != "" {
+			checksum, err := fileSHA256(filepath.Join(outDir, checkPath))
+			if err != nil {
+				bad++
+				fmt.Fprintf(stdout, "%s\t%s\tchecksum-unreadable\n", id, checkPath)
+			} else if checksum != e.Checksum {
+				bad++
+				fmt.Fprintf(stdout, "%s\t%s\tchecksum-mismatch\tmanifest=%s\tdisk=%s\n", id, checkPath, e.Checksum, checksum)
+			}
+		}
 		if checkSidecar {
 			bad += verifySidecar(stdout, outDir, id, checkPath, strictSidecar)
 		}

cmd/photoscli/main_test.go

@@ -2662,6 +2662,23 @@ func TestExportPendingParallelManifestAdd(t *testing.T) {
 	}
 }
 
+func TestExportPendingParallelChecksumError(t *testing.T) {
+	dir := t.TempDir()
+	mf := manifest.LoadJSONL(dir)
+	if err := mf.OpenAppend(); err != nil {
+		t.Fatal(err)
+	}
+	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "img.jpg"}}}
+	b.exportPreviewFn = func(assetID, out string, targetSize, quality, index int) (photos.ExportResult, error) {
+		return photos.ExportResult{Filename: "missing.jpg", Size: 3}, nil
+	}
+	bar := newProgressBar(io.Discard, 1)
+	done, failed := exportPendingParallel([]pendingAsset{{asset: b.assets[0], path: dir}}, 1024, 85, false, 1, bar, b, 1, mf, manifest.NoopLogWriter, exportOptions{checksum: "sha256"})
+	if done != 0 || failed != 1 {
+		t.Fatalf("done=%d failed=%d", done, failed)
+	}
+}
+
 func TestExportPendingParallelCancel(t *testing.T) {
 	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "img.jpg"}}}
 	b.Cancel()
@@ -2804,6 +2821,58 @@ func TestExportAssetsManifestWrite(t *testing.T) {
 	}
 }
 
+func TestExportAssetsChecksum(t *testing.T) {
+	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "img.jpg"}}}
+	dir := t.TempDir()
+	b.exportPreviewFn = func(assetID, out string, targetSize, quality, index int) (photos.ExportResult, error) {
+		if err := os.WriteFile(filepath.Join(out, "img.jpg"), []byte("abc"), 0644); err != nil {
+			return photos.ExportResult{}, err
+		}
+		return photos.ExportResult{Filename: "img.jpg", Size: 3, Cloud: "local"}, nil
+	}
+	done, failed := exportAssets(b.assets, dir, 1024, 85, 1, false, 1, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{checksum: "sha256"})
+	if done != 1 || failed != 0 {
+		t.Fatalf("done=%d failed=%d", done, failed)
+	}
+	entry := manifest.LoadJSONL(dir).Entries()["x1"]
+	if entry.Checksum != "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" {
+		t.Fatalf("checksum=%q", entry.Checksum)
+	}
+	got, err := fileSHA256(filepath.Join(dir, "img.jpg"))
+	if err != nil || got != entry.Checksum {
+		t.Fatalf("fileSHA256 got=%q err=%v", got, err)
+	}
+	if _, err := fileSHA256(filepath.Join(dir, "missing.jpg")); err == nil {
+		t.Fatal("expected missing checksum error")
+	}
+	if _, err := fileSHA256(dir); err == nil {
+		t.Fatal("expected directory checksum error")
+	}
+	if err := addManifestEntryForResult(nil, pendingAsset{}, photos.ExportResult{}, exportOptions{}); err != nil {
+		t.Fatalf("nil manifest add error: %v", err)
+	}
+	if err := addManifestEntryForResult(manifest.LoadJSONL(dir), pendingAsset{asset: photos.Asset{ID: "skip"}, path: dir}, photos.ExportResult{Filename: "missing.jpg", Skipped: true}, exportOptions{checksum: "sha256"}); err != nil {
+		t.Fatalf("skipped checksum add error: %v", err)
+	}
+}
+
+func TestExportAssetsChecksumErrors(t *testing.T) {
+	dir := t.TempDir()
+	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "img.jpg"}}}
+	b.exportPreviewFn = func(assetID, out string, targetSize, quality, index int) (photos.ExportResult, error) {
+		return photos.ExportResult{Filename: "missing.jpg", Size: 3}, nil
+	}
+	done, failed := exportAssets(b.assets, dir, 1024, 85, 1, false, 1, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{checksum: "sha256"})
+	if done != 0 || failed != 1 {
+		t.Fatalf("serial checksum error done=%d failed=%d", done, failed)
+	}
+	dir = t.TempDir()
+	done, failed = exportAssets(b.assets, dir, 1024, 85, 2, false, 2, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{checksum: "sha256"})
+	if done != 0 || failed != 1 {
+		t.Fatalf("parallel checksum error done=%d failed=%d", done, failed)
+	}
+}
+
 func TestBackupTreeManifestOpenErr(t *testing.T) {
 	b := &mockBridge{
 		tree: []photos.CollectionNode{
@@ -4204,6 +4273,39 @@ func TestMoreIntegrityBranches(t *testing.T) {
 	}
 }
 
+func TestVerifyDeepChecksums(t *testing.T) {
+	dir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(dir, "good.jpg"), []byte("abc"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "bad.jpg"), []byte("bad"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "nocheck.jpg"), []byte("data"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(filepath.Join(dir, "adir"), 0755); err != nil {
+		t.Fatal(err)
+	}
+	m := manifest.LoadJSONL(dir)
+	if err := m.OpenAppend(); err != nil {
+		t.Fatal(err)
+	}
+	m.AddEntry(manifest.Entry{ID: "good", Filename: "good.jpg", Path: "good.jpg", Size: 3, Cloud: "local", Checksum: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", Exported: time.Now().Unix()})
+	m.AddEntry(manifest.Entry{ID: "bad", Filename: "bad.jpg", Path: "bad.jpg", Size: 3, Cloud: "local", Checksum: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", Exported: time.Now().Unix()})
+	m.AddEntry(manifest.Entry{ID: "nocheck", Filename: "nocheck.jpg", Path: "nocheck.jpg", Size: 4, Cloud: "local", Exported: time.Now().Unix()})
+	m.AddEntry(manifest.Entry{ID: "unreadable", Filename: "adir", Path: "adir", Cloud: "local", Checksum: "abc", Exported: time.Now().Unix()})
+	m.Close()
+	out, stderr, rc := runWith([]string{"verify", "--out", dir, "--deep"}, &mockBridge{})
+	if rc != exitPartial || stderr != "" || !strings.Contains(out, "checksum-mismatch") || !strings.Contains(out, "checksum-unreadable") || strings.Contains(out, "good.jpg") || strings.Contains(out, "nocheck") {
+		t.Fatalf("deep verify rc=%d out=%q stderr=%q", rc, out, stderr)
+	}
+	out, stderr, rc = runWith([]string{"verify", "--out", dir}, &mockBridge{})
+	if rc != exitOK || stderr != "" || strings.Contains(out, "checksum") {
+		t.Fatalf("plain verify rc=%d out=%q stderr=%q", rc, out, stderr)
+	}
+}
+
 func TestVerifySidecarBranches(t *testing.T) {
 	dir := t.TempDir()
 	subdir := filepath.Join(dir, "sub")
@@ -4385,6 +4487,52 @@ func TestWriteXMPSidecar(t *testing.T) {
 	}
 }
 
+func TestWriteJSONSidecar(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "photo.json")
+	if got := jsonSidecarPath(filepath.Join(dir, "photo.jpg")); got != path {
+		t.Fatalf("json sidecar path=%q", got)
+	}
+	if !sidecarEnabled("xmp,json", "json") || sidecarEnabled("xmp", "json") {
+		t.Fatal("sidecarEnabled mismatch")
+	}
+	if err := writeJSONSidecar(path, xmpSidecarData{AssetID: "x1", ExportedFilename: "photo.jpg"}); err != nil {
+		t.Fatal(err)
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(string(data), `"AssetID": "x1"`) {
+		t.Fatalf("unexpected json sidecar: %s", string(data))
+	}
+	badParent := filepath.Join(t.TempDir(), "file")
+	if err := os.WriteFile(badParent, []byte("x"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := writeJSONSidecar(filepath.Join(badParent, "bad.json"), xmpSidecarData{}); err == nil {
+		t.Fatal("expected mkdir error")
+	}
+	oldCreate := createTempFunc
+	createTempFunc = func(string, string) (*os.File, error) { return nil, fmt.Errorf("create") }
+	if err := writeJSONSidecar(path, xmpSidecarData{}); err == nil {
+		t.Fatal("expected create temp error")
+	}
+	createTempFunc = oldCreate
+	oldWrite := writeFileFunc
+	writeFileFunc = func(string, []byte, os.FileMode) error { return fmt.Errorf("write") }
+	if err := writeJSONSidecar(path, xmpSidecarData{}); err == nil {
+		t.Fatal("expected write error")
+	}
+	writeFileFunc = oldWrite
+	oldRename := renameFunc
+	renameFunc = func(string, string) error { return fmt.Errorf("rename") }
+	if err := writeJSONSidecar(path, xmpSidecarData{}); err == nil {
+		t.Fatal("expected rename error")
+	}
+	renameFunc = oldRename
+}
+
 func TestSidecarExportIntegration(t *testing.T) {
 	dir := t.TempDir()
 	date := "2024-01-02T03:04:05Z"
@@ -4395,7 +4543,7 @@ func TestSidecarExportIntegration(t *testing.T) {
 		}
 		return photos.ExportResult{Filename: "photo.jpg", Size: 4, Cloud: "local"}, nil
 	}
-	exported, failed := exportAssets(b.assets, dir, 1024, 85, 3, false, 1, io.Discard, b, "Album", false, manifest.FormatJSONL, false, exportOptions{sidecar: "xmp"})
+	exported, failed := exportAssets(b.assets, dir, 1024, 85, 3, false, 1, io.Discard, b, "Album", false, manifest.FormatJSONL, false, exportOptions{sidecar: "xmp,json"})
 	if exported != 1 || failed != 0 {
 		t.Fatalf("exported=%d failed=%d", exported, failed)
 	}
@@ -4412,6 +4560,13 @@ func TestSidecarExportIntegration(t *testing.T) {
 	if _, err := os.Stat(filepath.Join(dir, "photo.jpg.xmp")); !os.IsNotExist(err) {
 		t.Fatal("sidecar should use basename, not double extension")
 	}
+	jsonData, err := os.ReadFile(filepath.Join(dir, "photo.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(string(jsonData), `"AssetID": "x1"`) {
+		t.Fatalf("json sidecar missing asset ID: %s", string(jsonData))
+	}
 }
 
 func TestSidecarReverseGeocodeCache(t *testing.T) {
@@ -4585,6 +4740,14 @@ func TestSidecarConfigAndErrors(t *testing.T) {
 		t.Fatalf("expected sidecar validation error, stderr=%q", stderr.String())
 	}
 	stderr.Reset()
+	if opts, ok := parseExportOptions([]string{"--sidecar", "json"}, &stderr); !ok || opts.sidecar != "json" || stderr.Len() != 0 {
+		t.Fatalf("expected json sidecar option, opts=%+v ok=%v stderr=%q", opts, ok, stderr.String())
+	}
+	stderr.Reset()
+	if _, ok := parseExportOptions([]string{"--sidecar", "xmp,bad"}, &stderr); ok || !strings.Contains(stderr.String(), "--sidecar") {
+		t.Fatalf("expected mixed sidecar validation error, stderr=%q", stderr.String())
+	}
+	stderr.Reset()
 	if _, ok := parseExportOptions([]string{"--xmp-privacy", "bad"}, &stderr); ok || !strings.Contains(stderr.String(), "--xmp-privacy") {
 		t.Fatalf("expected xmp privacy validation error, stderr=%q", stderr.String())
 	}
@@ -4596,6 +4759,10 @@ func TestSidecarConfigAndErrors(t *testing.T) {
 	if _, ok := parseExportOptions([]string{"--xmp-rating", "bad"}, &stderr); ok || !strings.Contains(stderr.String(), "--xmp-rating") {
 		t.Fatalf("expected xmp rating validation error, stderr=%q", stderr.String())
 	}
+	stderr.Reset()
+	if _, ok := parseExportOptions([]string{"--checksum", "bad"}, &stderr); ok || !strings.Contains(stderr.String(), "--checksum") {
+		t.Fatalf("expected checksum validation error, stderr=%q", stderr.String())
+	}
 
 	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "photo.jpg"}}}
 	b.exportPreviewFn = func(assetID, out string, targetSize, quality, index int) (photos.ExportResult, error) {
@@ -4603,10 +4770,14 @@ func TestSidecarConfigAndErrors(t *testing.T) {
 	}
 	oldRename := renameFunc
 	renameFunc = func(string, string) error { return fmt.Errorf("sidecar rename") }
-	exported, failed := exportAssets(b.assets, dir, 1024, 85, 3, false, 1, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{sidecar: "xmp"})
+	exported, failed := exportAssets(b.assets, dir, 1024, 85, 3, false, 1, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{sidecar: "json"})
+	if exported != 0 || failed != 1 {
+		t.Fatalf("expected json sidecar failure, exported=%d failed=%d", exported, failed)
+	}
+	exported, failed = exportAssets(b.assets, dir, 1024, 85, 3, false, 1, io.Discard, b, "", false, manifest.FormatJSONL, false, exportOptions{sidecar: "xmp"})
 	renameFunc = oldRename
 	if exported != 0 || failed != 1 {
-		t.Fatalf("expected sidecar failure, exported=%d failed=%d", exported, failed)
+		t.Fatalf("expected xmp sidecar failure, exported=%d failed=%d", exported, failed)
 	}
 }
 
@@ -4725,7 +4896,7 @@ func TestMetadataOnlyExportErrors(t *testing.T) {
 	dir := t.TempDir()
 	b := &mockBridge{assets: []photos.Asset{{ID: "x1", Filename: "photo.jpg"}}}
 	_, stderr, rc := runWith([]string{"export", "--album-id", "x", "--out", dir, "--metadata-only"}, b)
-	if rc != exitErr || !strings.Contains(stderr, "--metadata-only requires --sidecar xmp") {
+	if rc != exitErr || !strings.Contains(stderr, "--metadata-only requires --sidecar") {
 		t.Fatalf("expected sidecar requirement rc=%d stderr=%q", rc, stderr)
 	}
 	_, stderr, rc = runWith([]string{"export", "--album-id", "x", "--out", dir, "--sidecar", "xmp", "--metadata-only", "--no-manifest"}, b)
@@ -4953,7 +5124,7 @@ func TestInjectedErrorBranchesForCoverage(t *testing.T) {
 	removeFunc = oldRemove
 
 	mf := &mockManifest{}
-	addManifestEntry(mf, pendingAsset{asset: photos.Asset{ID: "x"}, root: filepath.Join(dir, "other"), path: dir}, photos.ExportResult{Filename: "file.jpg", Size: 1})
+	addManifestEntry(mf, pendingAsset{asset: photos.Asset{ID: "x"}, root: filepath.Join(dir, "other"), path: dir}, photos.ExportResult{Filename: "file.jpg", Size: 1}, "")
 	if mf.last.Path != "file.jpg" {
 		t.Fatalf("expected fallback rel path, got %+v", mf.last)
 	}

internal/manifest/entry_test.go

@@ -11,6 +11,10 @@ func TestNewEntryPath(t *testing.T) {
 	if e.Path != "Album/file2.jpg" || e.Filename != "file2.jpg" || e.Size != 456 || e.Cloud != "cloud" {
 		t.Fatalf("unexpected entry with path: %+v", e)
 	}
+	e = NewEntryWithChecksum("id3", "file3.jpg", "Album/file3.jpg", 789, "local", "sha256:abc")
+	if e.Checksum != "sha256:abc" || e.Path != "Album/file3.jpg" {
+		t.Fatalf("unexpected checksum entry: %+v", e)
+	}
 }
 
 func TestAddEntryDefaultsPath(t *testing.T) {
@@ -19,11 +23,15 @@ func TestAddEntryDefaultsPath(t *testing.T) {
 	if err := jm.OpenAppend(); err != nil {
 		t.Fatal(err)
 	}
-	jm.AddEntry(Entry{ID: "x1", Filename: "file.jpg", Size: 3, Cloud: "local"})
+	jm.AddEntry(Entry{ID: "x1", Filename: "file.jpg", Size: 3, Cloud: "local", Checksum: "sha256:abc"})
 	jm.Close()
-	if got := LoadJSONL(dir).Entries()["x1"].Path; got != "file.jpg" {
+	loaded := LoadJSONL(dir).Entries()["x1"]
+	if got := loaded.Path; got != "file.jpg" {
 		t.Fatalf("jsonl path = %q", got)
 	}
+	if loaded.Checksum != "sha256:abc" {
+		t.Fatalf("jsonl checksum = %q", loaded.Checksum)
+	}
 
 	sdir := t.TempDir()
 	sm, err := LoadSQLite(sdir)
@@ -33,12 +41,16 @@ func TestAddEntryDefaultsPath(t *testing.T) {
 	if err := sm.OpenAppend(); err != nil {
 		t.Fatal(err)
 	}
-	sm.AddEntry(Entry{ID: "x1", Filename: "file.jpg", Size: 3, Cloud: "local"})
+	sm.AddEntry(Entry{ID: "x1", Filename: "file.jpg", Size: 3, Cloud: "local", Checksum: "sha256:def"})
 	if _, err := sm.db.Exec(`UPDATE downloads SET path = '' WHERE id = 'x1'`); err != nil {
 		t.Fatal(err)
 	}
-	if got := sm.Entries()["x1"].Path; got != "file.jpg" {
+	sloaded := sm.Entries()["x1"]
+	if got := sloaded.Path; got != "file.jpg" {
 		t.Fatalf("sqlite path = %q", got)
 	}
+	if sloaded.Checksum != "sha256:def" {
+		t.Fatalf("sqlite checksum = %q", sloaded.Checksum)
+	}
 	sm.Close()
 }

internal/manifest/jsonl.go

@@ -43,6 +43,7 @@ func LoadJSONL(dir string) *jsonlManifest {
 		Path     string `json:"path,omitempty"`
 		Size     int64  `json:"size"`
 		Cloud    string `json:"cloud"`
+		Checksum string `json:"checksum,omitempty"`
 		Exported int64  `json:"exported"`
 	}
 	for _, line := range strings.Split(string(data), "\n") {
@@ -61,6 +62,7 @@ func LoadJSONL(dir string) *jsonlManifest {
 				Path:     raw.Path,
 				Size:     raw.Size,
 				Cloud:    raw.Cloud,
+				Checksum: raw.Checksum,
 				Exported: raw.Exported,
 			}
 		}
@@ -93,8 +95,9 @@ func (m *jsonlManifest) AddEntry(entry Entry) {
 			Path     string `json:"path,omitempty"`
 			Size     int64  `json:"size"`
 			Cloud    string `json:"cloud"`
+			Checksum string `json:"checksum,omitempty"`
 			Exported int64  `json:"exported"`
-		}{ID: entry.ID, Filename: entry.Filename, Path: entry.Path, Size: entry.Size, Cloud: entry.Cloud, Exported: entry.Exported})
+		}{ID: entry.ID, Filename: entry.Filename, Path: entry.Path, Size: entry.Size, Cloud: entry.Cloud, Checksum: entry.Checksum, Exported: entry.Exported})
 		m.file.Write(data)
 		m.file.Write([]byte("\n"))
 	}

internal/manifest/manifest.go

@@ -8,6 +8,7 @@ type Entry struct {
 	Path     string
 	Size     int64
 	Cloud    string
+	Checksum string
 	Exported int64
 }
 
@@ -42,3 +43,9 @@ func NewEntry(id, filename, path string, size int64, cloud string) Entry {
 	}
 	return e
 }
+
+func NewEntryWithChecksum(id, filename, path string, size int64, cloud, checksum string) Entry {
+	e := NewEntry(id, filename, path, size, cloud)
+	e.Checksum = checksum
+	return e
+}

internal/manifest/sqlite.go

@@ -64,6 +64,7 @@ func (m *sqliteManifest) OpenAppend() error {
 		path TEXT NOT NULL DEFAULT '',
 		size INTEGER NOT NULL DEFAULT 0,
 		cloud TEXT NOT NULL DEFAULT '',
+		checksum TEXT NOT NULL DEFAULT '',
 		exported INTEGER NOT NULL DEFAULT 0
 	)`)
 	if err != nil {
@@ -71,6 +72,7 @@ func (m *sqliteManifest) OpenAppend() error {
 		return fmt.Errorf("create table: %w", err)
 	}
 	_, _ = execFn(`ALTER TABLE downloads ADD COLUMN path TEXT NOT NULL DEFAULT ''`)
+	_, _ = execFn(`ALTER TABLE downloads ADD COLUMN checksum TEXT NOT NULL DEFAULT ''`)
 	_, err = execFn(`CREATE INDEX IF NOT EXISTS idx_downloads_id ON downloads(id)`)
 	if err != nil {
 		db.Close()
@@ -103,8 +105,8 @@ func (m *sqliteManifest) AddEntry(entry Entry) {
 	if entry.Path == "" {
 		entry.Path = entry.Filename
 	}
-	m.db.Exec(`INSERT OR REPLACE INTO downloads (id, filename, path, size, cloud, exported) VALUES (?, ?, ?, ?, ?, ?)`,
-		entry.ID, entry.Filename, entry.Path, entry.Size, entry.Cloud, entry.Exported)
+	m.db.Exec(`INSERT OR REPLACE INTO downloads (id, filename, path, size, cloud, checksum, exported) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		entry.ID, entry.Filename, entry.Path, entry.Size, entry.Cloud, entry.Checksum, entry.Exported)
 }
 
 func (m *sqliteManifest) Save() error {
@@ -127,14 +129,14 @@ func (m *sqliteManifest) Entries() map[string]Entry {
 		return nil
 	}
 	out := make(map[string]Entry)
-	rows, err := m.db.Query(`SELECT id, filename, path, size, cloud, exported FROM downloads`)
+	rows, err := m.db.Query(`SELECT id, filename, path, size, cloud, checksum, exported FROM downloads`)
 	if err != nil {
 		return out
 	}
 	defer rows.Close()
 	for rows.Next() {
 		var e Entry
-		if err := rows.Scan(&e.ID, &e.Filename, &e.Path, &e.Size, &e.Cloud, &e.Exported); err == nil {
+		if err := rows.Scan(&e.ID, &e.Filename, &e.Path, &e.Size, &e.Cloud, &e.Checksum, &e.Exported); err == nil {
 			if e.Path == "" {
 				e.Path = e.Filename
 			}