Re: Re: [Feature Request] Use checksum to verify download
From: Falk via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 20 Jan 2025 16:22:09 +0000
I understand that the way checksums must be handled during the download is not compatible with curl's implementation. I've created a prototype to check the API and behavior (https://github.com/falk-werner/fetch) and I've encountered all the things you mentioned: the download must be buffered in a separate file, the checksum must be computed during download, all data must be printed to stdout after a successful check and the temporary file must finally be removed.
Regarding problem two, you have a point that it wouldn't add any security when the site is breached. In fact, one might have a false sense of security because the checksum is verified correctly. But I don't think that TLS alone is enough to solve the problem. There are cases where you can't rely on TLS. One might be in the case of redirects. Another one is the use of so-called "interception certificates", which are very popular with some IT departments.
Received on 2025-01-20
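The buffering flow listed in the message above (hash while receiving, hold the body in a separate file, release it to the output only after the check, then remove the file), as an added Python example. It is not code from the fetch prototype or from curl; `fetch_verified`, `ChecksumMismatch` and the chunk-iterator input are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import os
import tempfile


class ChecksumMismatch(Exception):
    """Raised when the received bytes do not match the expected digest."""


def fetch_verified(chunks, expected_sha256_hex, out):
    """Buffer `chunks` in a temp file, hash while receiving, release on match.

    `chunks` is any iterable of bytes objects (assumption: the transfer layer
    delivers the body this way). Nothing is written to `out` until the digest
    over the whole body has been checked. Returns the number of bytes released.
    """
    digest = hashlib.sha256()
    fd, path = tempfile.mkstemp(prefix="fetch-")  # owner-only permissions
    try:
        with os.fdopen(fd, "w+b") as buf:
            for chunk in chunks:
                digest.update(chunk)  # checksum computed during the download
                buf.write(chunk)      # body held back in the separate file
            actual = digest.hexdigest()
            if not hmac.compare_digest(actual, expected_sha256_hex.lower()):
                raise ChecksumMismatch(
                    f"expected {expected_sha256_hex}, got {actual}")
            buf.seek(0)
            released = 0
            while block := buf.read(64 * 1024):
                out.write(block)      # only verified bytes reach the consumer
                released += len(block)
            return released
    finally:
        os.unlink(path)  # temp file removed on success and on failure


if __name__ == "__main__":
    body = [b"constructed ", b"sample ", b"body\n"]  # constructed input
    good = hashlib.sha256(b"".join(body)).hexdigest()
    sink = io.BytesIO()
    print(fetch_verified(body, good, sink), sink.getvalue())
```

The expected digest has to reach the caller over a channel other than the download itself; a digest fetched from the same server gives the false sense of security the message mentions.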