[Feature Request] Use checksum to verify download
From: Falk via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 17 Jan 2025 15:10:53 +0000
Hello,
I would like to propose a feature where one can specify a checksum (e.g. md5 or sha256) on the command line, which is checked by curl during download.
Example:
curl -sha256 $SHA256_HASH -o- https://fnm.vercel.app/install | bash
I'm aware that this topic is not new. There is a feature request on GitHub (https://github.com/curl/curl/issues/1399) which was closed due to lack of interest, and I've seen some posts which suggest verifying the checksum afterwards, which can be done easily.
I'm proposing this feature because I believe it can help to increase security. Many popular tools like rustup (https://rustup.rs/), Node.js (https://nodejs.org/en/download) and many others suggest installing their software using a single line that can be copied and pasted to the command line, e.g.
Rustup:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Node.js:
curl -o- https://fnm.vercel.app/install | bash
There are many more tools that are using this approach. If curl allows specifying a checksum on the command line and curl checks it before printing out the contents of the downloaded artifact, this would improve security. I believe those tools will quickly adopt this option, since they are aware of security considerations. Note that in the case of rustup there are already some security-related options present.
Kind regards
Falk
Received on 2025-01-17
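The after-the-fact verification mentioned in the message above, sketched as an added example (not code from the original post or from the curl project): a POSIX shell wrapper that buffers the whole download and releases it to the shell only when its SHA-256 matches a pinned value. The names `sha256_of` and `verified_emit` are hypothetical, and the demo input is constructed so the block runs offline.

```shell
#!/bin/sh
# Added example, not part of curl: verify a download before the shell sees it.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
    fi
}

# verified_emit EXPECTED_SHA256   (hypothetical helper name)
# Buffers all of stdin, then writes it to stdout only if its digest matches.
# Returns 1 on mismatch, 2 on a malformed digest; writes nothing in either case,
# so a truncated or altered script never reaches the interpreter.
verified_emit() {
    ve_want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $ve_want in *[!0-9a-f]*) ve_want= ;; esac
    if [ "${#ve_want}" -ne 64 ]; then
        echo "verified_emit: expected 64 hex digits" >&2
        return 2
    fi
    ve_tmp=$(mktemp) || return 2
    cat >"$ve_tmp"                       # read to EOF before emitting anything
    ve_got=$(sha256_of "$ve_tmp")
    if [ "$ve_got" = "$ve_want" ]; then
        cat "$ve_tmp"; ve_rc=0
    else
        echo "verified_emit: SHA-256 mismatch, got $ve_got" >&2; ve_rc=1
    fi
    rm -f "$ve_tmp"
    return "$ve_rc"
}

# Constructed offline demo: the pinned digest is computed from the sample here,
# standing in for a digest obtained separately from the download itself.
demo=$(mktemp)
printf 'echo "installer ran"\n' >"$demo"
pinned=$(sha256_of "$demo")
verified_emit "$pinned" <"$demo" | sh
if ! printf 'echo tampered\n' | verified_emit "$pinned" >/dev/null 2>&1; then
    echo "tampered input rejected"
fi
rm -f "$demo"
```

With a real download the wrapper sits between the two halves of the one-liner, e.g. `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | verified_emit "$SHA256_HASH" | sh`. The check only adds assurance when `$SHA256_HASH` was obtained through a channel other than the server delivering the script.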