Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Curl feature idea, download hash checking
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 12 Jun 2026 13:16:23 +0200 (CEST)
On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> curl -O URL —-hash sha256:HASH_VALUE
>
> Does this sound like a good idea?
It is an idea that is often brought up but has never been materialized. Is it
good? I think it depends on how it is done so that in the end people would use
it.
One additional idea is adding the hash into the URL itself somehow so that
copy and pasting a single URL is enough and you can't forget the hash:
curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
It also makes the URL not work at all if the download tool doesn't support the
hash, which I think is a bonus.
Doing the hash embedded in the URL is of course a side-track, can be worked on
independently and is for sure hard to do with buy-in from others as well.
Others have suggested a similar thing before but instead of just doing a hash
it would verify the *signature* provided.
Challenges involved include:
What if you download to stdout and yet want it verified? Like in the classic:
"curl https://installer.example.com | sh" case. It seems like that case is
still a decent amount of current use cases this could help strengthen.
Then curl needs to download to a temporary location, check the hash and *then*
pass it on. This can lead to challenges if you instead for example pipe a
petabyte stream: "curl https://never-ending.example.com | videoplayer"
Date: Fri, 12 Jun 2026 13:16:23 +0200 (CEST)
On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> curl -O URL —-hash sha256:HASH_VALUE
>
> Does this sound like a good idea?
It is an idea that is often brought up but has never been materialized. Is it
good? I think it depends on how it is done so that in the end people would use
it.
One additional idea is adding the hash into the URL itself somehow so that
copy and pasting a single URL is enough and you can't forget the hash:
curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
It also makes the URL not work at all if the download tool doesn't support the
hash, which I think is a bonus.
Doing the hash embedded in the URL is of course a side-track, can be worked on
independently and is for sure hard to do with buy-in from others as well.
Others have suggested a similar thing before but instead of just doing a hash
it would verify the *signature* provided.
Challenges involved include:
What if you download to stdout and yet want it verified? Like in the classic:
"curl https://installer.example.com | sh" case. It seems like that case is
still a decent amount of current use cases this could help strengthen.
Then curl needs to download to a temporary location, check the hash and *then*
pass it on. This can lead to challenges if you instead for example pipe a
petabyte stream: "curl https://never-ending.example.com | videoplayer"
-- / daniel.haxx.se || https://rock-solid.curl.dev
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-06-12