Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Curl feature idea, download hash checking
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Stefan Eissing via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 12 Jun 2026 13:26:34 +0200
> Am 12.06.2026 um 13:16 schrieb Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>:
>
> On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
>
>> curl -O URL —-hash sha256:HASH_VALUE
>>
>> Does this sound like a good idea?
>
> It is an idea that is often brought up but has never been materialized. Is it good? I think it depends on how it is done so that in the end people would use it.
>
> One additional idea is adding the hash into the URL itself somehow so that copy and pasting a single URL is enough and you can't forget the hash:
>
> curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
>
> It also makes the URL not work at all if the download tool doesn't support the hash, which I think is a bonus.
One could use the url fragment to make curl do additional things, as in https://host.com/the/path/file.tar.gz#sha256:HASH_VALUE. This is invisible to the server, which might be an advantage.
> Doing the hash embedded in the URL is of course a side-track, can be worked on independently and is for sure hard to do with buy-in from others as well.
>
> Others have suggested a similar thing before but instead of just doing a hash it would verify the *signature* provided.
>
> Challenges involved include:
>
> What if you download to stdout and yet want it verified? Like in the classic: "curl https://installer.example.com | sh" case. It seems like that case is still a decent amount of current use cases this could help strengthen.
This would indeed require buffering to a tmp file. Which has problems with the streaming example you mentioned.
- Stefan
Date: Fri, 12 Jun 2026 13:26:34 +0200
> Am 12.06.2026 um 13:16 schrieb Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>:
>
> On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
>
>> curl -O URL —-hash sha256:HASH_VALUE
>>
>> Does this sound like a good idea?
>
> It is an idea that is often brought up but has never been materialized. Is it good? I think it depends on how it is done so that in the end people would use it.
>
> One additional idea is adding the hash into the URL itself somehow so that copy and pasting a single URL is enough and you can't forget the hash:
>
> curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
>
> It also makes the URL not work at all if the download tool doesn't support the hash, which I think is a bonus.
One could use the url fragment to make curl do additional things, as in https://host.com/the/path/file.tar.gz#sha256:HASH_VALUE. This is invisible to the server, which might be an advantage.
> Doing the hash embedded in the URL is of course a side-track, can be worked on independently and is for sure hard to do with buy-in from others as well.
>
> Others have suggested a similar thing before but instead of just doing a hash it would verify the *signature* provided.
>
> Challenges involved include:
>
> What if you download to stdout and yet want it verified? Like in the classic: "curl https://installer.example.com | sh" case. It seems like that case is still a decent amount of current use cases this could help strengthen.
This would indeed require buffering to a tmp file. Which has problems with the streaming example you mentioned.
- Stefan
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-06-12