Re: [Feature Request] Use checksum to verify download

From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 20 Jan 2025 08:39:55 +0100 (CET)

On Fri, 17 Jan 2025, Falk via curl-users wrote:

> I would like to propose a feature, where one can specify a checksum (e.g. md5 or sha256) on command line which is checked by curl during download.
>
> Example:
> curl -sha256 $SHA256_HASH -o- https://fnm.vercel.app/install | bash

Problem one:

Imagine that the file you download in that command line is several gigabytes -
because it might be and we need to make it work even when it is enormous. The
hash is only valid for the entire thing, so it would need to download every
single byte before it can check the hash.

That's not how that curl command line works today and would mean a significant
difference to implement it that way: it would have to download the entire
thing in a temporary place and after having validated the hash, send the
entire thing to stdout and then delete the file again.

Problem two:

Where would users get the hash to use in the command line? In most cases users
would download their stuff from https://example.com and the hash would be
mentioned on https://example.com - meaning that since the download is already
protected with TLS, checking the data with a hash from the same site adds
extremely little. If the site is breached and the download is replaced with
malware without breaking the server TLS certificate, then surely the attacker
can also update the hash mentioned on the site?

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-01-20
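
Added example, not part of the mail above and not a curl feature: a POSIX shell filter that does what "Problem one" describes, buffering the entire download in a temporary file and releasing it to stdout only after the SHA-256 matches. The function name `verify_then_emit` is hypothetical, and, per "Problem two", the expected digest is assumed to come from a source other than the download site.

```shell
#!/bin/sh
# verify_then_emit EXPECTED_SHA256   (hypothetical helper, added example)
# Reads all of stdin into a temp file, hashes it, and copies it to stdout
# only if the digest matches. On mismatch nothing at all is written to
# stdout, so a downstream "| bash" receives empty input.
#
# Intended use, with the URL and variable from the request quoted above:
#   curl -fsSL https://fnm.vercel.app/install \
#       | verify_then_emit "$SHA256_HASH" | bash
verify_then_emit() {
    # Normalise to lowercase and insist on exactly 64 hex digits.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") echo "verify_then_emit: bad digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_then_emit: bad digest" >&2; return 2; }

    tmp=$(mktemp) || return 2
    # The hash covers the whole stream, so every byte is buffered first.
    cat > "$tmp" || { rm -f "$tmp"; return 2; }

    # sha256sum (coreutils) or shasum (macOS/Perl), whichever is present.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$tmp" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 < "$tmp" | cut -d' ' -f1)
    fi

    if [ "$actual" = "$expected" ]; then
        cat "$tmp"
        rc=$?
    else
        echo "verify_then_emit: SHA-256 mismatch (got $actual)" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The temporary file costs disk space equal to the full download, which is the behavioural change "Problem one" points out.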