diff --git a/.gitignore b/.gitignore
index f2b18ed..cb3cdef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,7 @@ result-*
 .project
 .cproject
 .settings/
+.cache/
 
 # System files
 .DS_Store
diff --git a/include/apg/package.h b/include/apg/package.h
index 1335962..e9a07e4 100644
--- a/include/apg/package.h
+++ b/include/apg/package.h
@@ -50,7 +50,7 @@ bool install_package(const struct package *pkg);
 
 bool install_package_in_root(const struct package *pkg, const char *root_path);
 
-struct package *parse_package(const char *path);
+struct package *parse_package(const char *path, const char *root_path);
 
 
 #endif
diff --git a/include/apg/sign.h b/include/apg/sign.h
index f34c068..5c50af5 100644
--- a/include/apg/sign.h
+++ b/include/apg/sign.h
@@ -4,7 +4,7 @@
 #pragma once
 
 #include <stdbool.h>
-#include <stdio.h>
 
-bool sign_file(FILE *); 
+bool sign_file(const char *pkg_path);
+bool sign_file_by_key(const char *path, const char *sig_path, const unsigned char *public_key);
 
diff --git a/meson.build b/meson.build
index 610aa15..38c5c62 100644
--- a/meson.build
+++ b/meson.build
@@ -65,3 +65,5 @@ libapg_dep = declare_dependency(
   link_with: libapg,
   include_directories: libapg_inc,
 )
+
+subdir('test')
diff --git a/src/archive.c b/src/archive.c
index e8ea33b..48113a4 100644
--- a/src/archive.c
+++ b/src/archive.c
@@ -17,7 +17,7 @@ extract_to_dir(const char *archive_path, const char *path_dest)
 {
     struct archive_entry *entry;
     char full_path[PATH_MAX];
-    const FILE *log_file = fopen(log_file_path, "a");
+    FILE *log_file = fopen(log_file_path, "a");
 
     struct archive *a = archive_read_new();
     archive_read_support_filter_xz(a);
@@ -26,8 +26,10 @@ extract_to_dir(const char *archive_path, const char *path_dest)
     struct archive *ext = archive_write_disk_new();
     archive_write_disk_set_options(ext, ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_PERM);
 
-    if (archive_read_open_filename(a, archive_path, 10240) != ARCHIVE_OK)
+    if (archive_read_open_filename(a, archive_path, 10240) != ARCHIVE_OK) {
+        if (log_file) fclose(log_file);
         return false;
+    }
 
     while (archive_read_next_header(a, &entry) == ARCHIVE_OK) {
         snprintf(full_path, sizeof(full_path), "%s/%s", path_dest, archive_entry_pathname(entry));
@@ -55,17 +57,24 @@ extract_to_dir(const char *archive_path, const char *path_dest)
     archive_write_close(ext);
     archive_write_free(ext);
 
+    if (log_file) fclose(log_file);
     return true;
 }
 
 bool
-unarchive_package(const struct package *pkg, const char *path)
+unarchive_package_in_root(const struct package *pkg, const char *root)
 {
-    if (!extract_to_dir(pkg->pkg_path, path)) {
-        log_two(ERR, "Failed to extract package into: ", (char*)path, stdout);
+    if (!extract_to_dir(pkg->pkg_path, root)) {
+        log_two(ERR, "Failed to extract package into: ", root, stdout);
         return false;
     }
-    log_two(WRN, "Package extracted successfully into: ", (char*)path, stdout);
+    log_two(INF, "Package extracted successfully into: ", root, stdout);
     return true;
 }
 
+bool
+unarchive_package(const struct package *pkg)
+{
+    return unarchive_package_in_root(pkg, "/tmp/apg/");
+}
+
diff --git a/src/json.c b/src/json.c
index fea2298..ac0ded3 100644
--- a/src/json.c
+++ b/src/json.c
@@ -9,8 +9,14 @@ yyjson_val
   return NULL; // is a stub, type actually incorrect
 }
 
-char 
+char
 *json_to_string(yyjson_val *)
 {
   return NULL;
 }
+
+struct package_metadata *
+package_metadata_from_file(const char *path)
+{
+  return NULL; // stub
+}
diff --git a/src/package.c b/src/package.c
index e05758f..72663e7 100644
--- a/src/package.c
+++ b/src/package.c
@@ -96,18 +96,42 @@ install_package_in_root(const struct package *pkg, const char *root_path)
 struct package *
 parse_package(const char *path, const char *root_path)
 {
-    // ReSharper disable once CppDFAMemoryLeak
     struct package *pkg = package_new();
+    if (!pkg) return NULL;
 
     pkg->pkg_path = realpath(path, NULL);
+    if (!pkg->pkg_path) {
+        package_free(pkg);
+        return NULL;
+    }
 
-    char *real_tmp = concat_dirs(root_path, path);
-    if (!unarchive_package_in_root(pkg, real_tmp)) return NULL;
-    free(real_tmp);
+    char *real_tmp = concat_dirs(root_path, tmp_path);
+    if (!real_tmp) {
+        package_free(pkg);
+        return NULL;
+    }
+    create_dir(real_tmp);
 
-    package_metadata_from_file()
+    if (!unarchive_package_in_root(pkg, real_tmp)) {
+        free(real_tmp);
+        package_free(pkg);
+        return NULL;
+    }
 
+    char *meta_path = concat_dirs(real_tmp, "metadata.json");
+    free(real_tmp);
+    if (!meta_path) {
+        package_free(pkg);
+        return NULL;
+    }
 
+    package_metadata_free(pkg->meta);
+    pkg->meta = package_metadata_from_file(meta_path);
+    free(meta_path);
+    if (!pkg->meta) {
+        package_free(pkg);
+        return NULL;
+    }
 
     return pkg;
 }
diff --git a/src/sign.c b/src/sign.c
index 2a1c67e..5bbfa3b 100644
--- a/src/sign.c
+++ b/src/sign.c
@@ -1,36 +1,37 @@
 // NurOS Ruzen42 2026 apg/sign.c
 // Last change: Feb 2 
 
-#include <soduim.h>
+#include <sodium.h>
 #include <stdbool.h>
 #include <stdio.h>
+#include <stdlib.h>
+
+#include "../include/util.h"
 
 const char *key_path = "/etc/apg/keys/";
 
-bool 
-sign_file_by_key(const char *path, const char *sig_path, const unsigned char *public_key[crypto_sign_PUBLICKEYBYTES])
+bool
+sign_file_by_key(const char *path, const char *sig_path, const unsigned char *public_key)
 {
   if (sodium_init() < 0) return false;
 
   unsigned char signature[crypto_sign_BYTES];
 
-  FILE *sig_f = fopen(sig_path, "rb"); // open file
-
+  FILE *sig_f = fopen(sig_path, "rb");
   if (!sig_f) return false;
 
-  int sig_read = fread(signature, 1, crypto_sign_BYTES, sig_f);
+  size_t sig_read = fread(signature, 1, crypto_sign_BYTES, sig_f);
+  fclose(sig_f);
+  if (sig_read != crypto_sign_BYTES) return false;
 
-  fclose(sig_f); 
-  
-  crypto_sign_state state; // Sodium signature state now 
+  crypto_sign_state state;
   crypto_sign_init(&state);
 
   FILE *pkg_f = fopen(path, "rb");
-
   if (!pkg_f) return false;
 
-  unsigned char buffer[4096]; // 4KB magic number
-  int bytes_read;
+  unsigned char buffer[4096];
+  size_t bytes_read;
 
   while ((bytes_read = fread(buffer, 1, sizeof(buffer), pkg_f)) > 0) {
     crypto_sign_update(&state, buffer, bytes_read);
@@ -47,8 +48,31 @@ sign_file_by_key(const char *path, const char *sig_path, const unsigned char *pu
 bool
 sign_file(const char *pkg_path)
 {
-     
+  char *sig_path = concat(pkg_path, ".sig");
+  if (!sig_path) return false;
+
+  char *key_file = concat(key_path, "trusted.pub");
+  if (!key_file) {
+    free(sig_path);
+    return false;
+  }
+
+  unsigned char public_key[crypto_sign_PUBLICKEYBYTES];
+  FILE *key_f = fopen(key_file, "rb");
+  free(key_file);
+  if (!key_f) {
+    free(sig_path);
+    return false;
+  }
+
+  size_t key_read = fread(public_key, 1, crypto_sign_PUBLICKEYBYTES, key_f);
+  fclose(key_f);
+  if (key_read != crypto_sign_PUBLICKEYBYTES) {
+    free(sig_path);
+    return false;
+  }
 
-  return sign_file_by_key(pkg_path
-  
+  bool result = sign_file_by_key(pkg_path, sig_path, public_key);
+  free(sig_path);
+  return result;
 }
diff --git a/test/Makefile b/test/Makefile
deleted file mode 100644
index 8e9abfe..0000000
--- a/test/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-SRC=src/main.c
-CC=cc
-OUT=apg-test
-CFLAGS=-lapg -O0 -o $(OUT)
-
-all:
-	$(CC) $(CFLAGS) $(SRC)
-
-clean:
-	rm $(OUT)
\ No newline at end of file
diff --git a/test/meson.build b/test/meson.build
new file mode 100644
index 0000000..5057a75
--- /dev/null
+++ b/test/meson.build
@@ -0,0 +1,6 @@
+apg_test = executable('apg-test',
+  files('src/main.c'),
+  dependencies: [libapg_dep],
+)
+
+test('apg-test', apg_test)