RE: Curl feature idea, download hash checking
From: Dick Brooks via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 12 Jun 2026 07:57:55 -0400
Daniel,
What you describe is very similar to how we verify a trusted product (i.e. X.509 self-signed public key certificate) today using this powershell sagverify.ps1 script
MIT License, free to use.
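param(
    [string]$LOC
)
Write-Host "LOC: $LOC"
# Call curl.exe explicitly: in Windows PowerShell, "curl" is an alias for
# Invoke-WebRequest, where -o is ambiguous. -L follows GitHub's redirect.
curl.exe -L $LOC -o "keyfile.cer"
# Get-FileHash defaults to SHA-256; the algorithm is spelled out here.
$DNAID = (Get-FileHash .\keyfile.cer -Algorithm SHA256).Hash
$URL = "https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID=" + $DNAID
# Open the label lookup for that hash in the default browser.
Start-Process $URL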
Execute this using:
powershell -c "& { ./sagverify.ps1 -Loc 'https://github.com/rjb4standards/REA-Products/raw/refs/heads/master/DigitalCertificates/BCG-SIGNING-KEY-2030.cer' }"
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member, #SBOM SIG member
https://businesscyberguardian.com/
-----Original Message-----
From: curl-users <curl-users-bounces_at_lists.haxx.se> On Behalf Of Daniel Stenberg via curl-users
Sent: Friday, June 12, 2026 7:16 AM
To: Ian Norton via curl-users <curl-users_at_lists.haxx.se>
Cc: Daniel Stenberg <daniel_at_haxx.se>
Subject: Re: Curl feature idea, download hash checking
On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> curl -O URL --hash sha256:HASH_VALUE
>
> Does this sound like a good idea?
It is an idea that is often brought up but has never been materialized. Is it good? I think it depends on how it is done so that in the end people would use it.
One additional idea is adding the hash into the URL itself somehow so that copy and pasting a single URL is enough and you can't forget the hash:
curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
It also makes the URL not work at all if the download tool doesn't support the hash, which I think is a bonus.
Doing the hash embedded in the URL is of course a side-track, can be worked on independently and is for sure hard to do with buy-in from others as well.
Others have suggested a similar thing before but instead of just doing a hash it would verify the *signature* provided.
Challenges involved include:
What if you download to stdout and yet want it verified? Like in the classic:
"curl https://installer.example.com | sh" case. It seems like that case is still a decent amount of current use cases this could help strengthen.
Then curl needs to download to a temporary location, check the hash and *then* pass it on. This can lead to challenges if you instead for example pipe a petabyte stream: "curl https://never-ending.example.com | videoplayer"
--
 / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2026-06-12
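The buffering approach described in the quoted message (download to a temporary location, check the hash, then pass it on), as an added example that is not part of the thread and not curl functionality. `verify_then_pass`, `sha256_hex` and `VERIFY_MAX_BYTES` are hypothetical names, and the size cap is an assumption added here for the never-ending-stream case.

```shell
#!/bin/sh
# Added example: verify_then_pass and VERIFY_MAX_BYTES are hypothetical names.
# "sha256:HEX" follows the --hash proposal in the thread; curl has no such option.

sha256_hex() {  # print the lowercase SHA-256 hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum "$1")
    else
        out=$(shasum -a 256 "$1")
    fi
    printf '%s\n' "${out%% *}"
}

verify_then_pass() {  # usage: producer | verify_then_pass sha256:HEX | consumer
    algo=${1%%:*}
    want=$(printf '%s' "${1#*:}" | tr 'A-F' 'a-f')
    case $want in *[!0-9a-f]*) algo=invalid ;; esac
    if [ "$algo" != sha256 ] || [ "${#want}" -ne 64 ]; then
        echo "verify_then_pass: need sha256:<64 hex digits>" >&2
        return 2
    fi
    max=${VERIFY_MAX_BYTES:-104857600}   # refuse to buffer more than 100 MiB
    tmp=$(mktemp) || return 2
    # Buffer at most max+1 bytes: an endless stream is cut off, not stored.
    head -c "$((max + 1))" >"$tmp"
    size=$(wc -c <"$tmp" | tr -d ' ')
    if [ "$size" -gt "$max" ]; then
        echo "verify_then_pass: input exceeds $max bytes" >&2
        rc=3
    elif [ "$(sha256_hex "$tmp")" = "$want" ]; then
        cat "$tmp"   # only now does the consumer see any byte
        rc=0
    else
        echo "verify_then_pass: SHA-256 mismatch, nothing passed on" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Intended use (URL and digest are placeholders):
#   curl -fsSL https://installer.example.com | verify_then_pass "sha256:$PINNED" | sh
```

On a mismatch the consumer receives empty input, but the pipeline's exit status is still the consumer's; in bash, `set -o pipefail` makes the verification failure visible to the caller.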