Keystone

keystone file is located in sce_sys folder of apps/patches/addcont/savedatas/trophies. It is PFS encrypted.

It embeds a key called keystone that is used to verify that :

1) somebody who wants to extract/verify PKG is the owner of the product

2) a patch data is published by the creator of the app data

Keystone is generated from Passcode.

Generation
SCE provides in official SDK a tool called pc2ks that converts passcode to keystone.

Decryption
The first step is to check the HMAC of the file. The process is to use the HMAC key from the Keys page to check the HMAC at position 0x40 in the file. If it is correct, it proceeds to use another key to decrypt the value at 0x30 using the value at 0x20 as the IV.