RE: curl verification
From: Dick Brooks via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 25 May 2026 16:34:30 -0400
Daniel,
Thanks for the quick reply.
The approach you describe works fine for developers that incorporate curl,
but what about all the "curl users" that don't have the tarball,
how do they verify that the curl release installed and running on their
system is trusted?
For example, many of my customers have curl installed on their system and
they want to know
"Is the curl release I'm using trusted?"
For example,
I'm running a Windows system which comes with curl installed. It's signed by
Microsoft:
Microsoft Code Signing PCA 2011
Here is a method that a curl customer might use to see if their curl product
is trusted.
1. where curl
2. powershell -c "Get-FileHash C:\Windows\System32\curl.exe"
3. Check if the curl product I'm using is trusted:
https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID=642A07EEEA4D3132426E673FB3C88BE8CEAD3D03CA1F019C7E7D0000ED2122BE&html=1
I also have another version of curl installed on my system in
C:\Users\dick\anaconda3\Library\bin\curl.exe
That one is not signed. But I could check if this other curl release is
trusted using the same technique:
powershell -c "Get-FileHash C:\Users\dick\anaconda3\Library\bin\curl.exe"
This one can be checked using
https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID=C5941FBBC30EA5AABBD2B81EB4FBCDD89A1B5A25C688684821D97BA27E819D4B&html=1
The approach I'm suggesting to verify curl, within the running consumer
environment, can be performed by anyone using curl.
I hope this makes the proposal clearer - it's designed for everyone to
verify that their version of curl, in their system is indeed trusted.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Lifetime IEEE Member
Never trust software, always verify and report!™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick_at_businesscyberguardian.com
Tel: +1 978-696-1788
-----Original Message-----
From: Daniel Stenberg <daniel_at_haxx.se>
Sent: Monday, May 25, 2026 4:06 PM
To: Dick Brooks <dick_at_businesscyberguardian.com>; curl-users - the curl tool
<curl-users_at_lists.haxx.se>
Subject: Re: curl verification
On Mon, 25 May 2026, Dick Brooks via curl-users wrote:
> https://daniel.haxx.se/blog/2026/03/26/dont-trust-verify/
>
> I believe there may be a more efficient way to verify trust in curl,
> without needing to download or install any software, by using a
> "Public Trust Infrastructure" (PTI) Trust Registry, as shown in this
> trust verification lookup.
You cannot verify the contents without having it downloaded where the
verification is done. The point with that check is to detect if I have gone
rogue (and planted something in the tarball) or if my dev-tools have been
tampered with and inserts bad stuff somewhere that ends up in the curl
release etc.
I sign the releases so you can use my key to verify that the release was
done by me, but to know that the tarball only contains data that originates
from git contents and proper autotools etc, you need to check
reproducibility.
-- / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2026-05-25
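The three-step check Dick describes above (where curl, Get-FileHash, registry lookup), put into one PowerShell script as an added example; this is not code from the thread or from the curl project. It runs the check for every curl.exe reachable on PATH rather than only the first, and also records the Authenticode signer, since Dick notes that the System32 copy is Microsoft-signed while the anaconda copy is not. Two assumptions: that the registry's ProductID is the SHA-256 hex string Get-FileHash prints by default (the message implies this but does not state it), and that the endpoint is the one quoted in the message. The script builds the lookup URL but does not fetch it, so it runs offline and the result is reviewed by a person.

```powershell
# Added example, not from the thread. Assumed: ProductID == SHA-256 of the file,
# endpoint as quoted in Dick's message.
$registry = 'https://softwareassuranceguardian.com/labellink/getTrustedProductLabel'

function Get-CurlTrustReport {
    # Step 1: the equivalent of "where curl", but returning every match on PATH.
    # Asking for curl.exe explicitly avoids the old PowerShell alias of curl
    # to Invoke-WebRequest.
    $paths = Get-Command -Name curl.exe -CommandType Application -All -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Source -Unique

    foreach ($path in $paths) {
        # Step 2: Get-FileHash; SHA-256 is the default, stated here for clarity.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # Who signed it, and does the chain validate? NotSigned is not by itself
        # a failure (the anaconda copy in the message is unsigned), but it means
        # only the hash lookup vouches for that binary.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        # Step 3: the trust-registry lookup, assembled but not fetched.
        $lookup = '{0}?ProductID={1}&html=1' -f $registry, $hash

        [pscustomobject]@{
            Path     = $path
            SHA256   = $hash
            SigState = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = $signer
            Lookup   = $lookup
        }
    }
}

Get-CurlTrustReport | Format-List
```

Daniel's caveat in the quoted reply still applies to the output: a matching registry entry says the installed binary is byte-identical to something the registry already knows; whether that something was built from the published git contents is the reproducibility question, and a hash lookup on the consumer's machine cannot answer it. A SigState of HashMismatch, on the other hand, is a direct signal that the file has changed since it was signed and is worth investigating before looking anything up.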