Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
RE: Curl feature idea, download hash checking
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Dick Brooks via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 18 Jun 2026 08:40:48 -0400
I've implemented something similar in a powershell script that checks a downloaded file sha256 hash to verify it is listed in a PTI Trust Registry (SAG-CTR).
This script is similar to what Google is doing with their new Transparency Ledger lookup tools to verify trust in Android apps.
------------------
param(
[string]$LOC,
[string]$OFILE
)
curl $LOC -o $OFILE
$DNAID = (Get-FileHash .\$OFILE).Hash
$URL="https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID="+$DNAID+"&html=1"
Start-Process $URL
---------------------------------------------
Here is an example to check that a self-signed digital certificate is listed as trusted:
powershell -c "& { ./sagverify.ps1 -Loc 'https://github.com/rjb4standards/REA-Products/raw/refs/heads/master/DigitalCertificates/BCG-SIGNING-KEY-2030.cer' -OFile test.fil}"
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member, #SBOM SIG member
https://businesscyberguardian.com/
-----Original Message-----
From: curl-users <curl-users-bounces_at_lists.haxx.se> On Behalf Of Ian Norton via curl-users
Sent: Thursday, June 18, 2026 4:49 AM
To: curl-users_at_lists.haxx.se
Cc: Ian Norton <inorton_at_gmail.com>
Subject: Re: Curl feature idea, download hash checking
On Thu, 18 Jun 2026 at 09:38, Ian Norton <inorton_at_gmail.com> wrote:
> > On Fri, 12 Jun 2026, Daniel Stenberg via curl-users wrote:
> > > On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> > > > curl -O URL —-hash sha256:HASH_VALUE
> > > Does this sound like a good idea?
<snip>
> I'm coming from a place where in my org I've already "solved" this
> use-case with a python app that will exit non-zero if it can't
> download, or if the thing it downloaded didn't have a matching digest.
> But of course, this is a python tool and requires all the associated
> deps (and isn't especially fast)
>
> I'll try to make a curl PR and also try out the different input/arg
> variations and see if I can find one that feels right.
I've just seen Bruce's PR. That's given me some more things to think about. Perhaps what I/we actually want is a pipe/filter app that refuses to output if the digest doesn't match
Ian
Date: Thu, 18 Jun 2026 08:40:48 -0400
I've implemented something similar in a powershell script that checks a downloaded file sha256 hash to verify it is listed in a PTI Trust Registry (SAG-CTR).
This script is similar to what Google is doing with their new Transparency Ledger lookup tools to verify trust in Android apps.
------------------
param(
[string]$LOC,
[string]$OFILE
)
curl $LOC -o $OFILE
$DNAID = (Get-FileHash .\$OFILE).Hash
$URL="https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID="+$DNAID+"&html=1"
Start-Process $URL
---------------------------------------------
Here is an example to check that a self-signed digital certificate is listed as trusted:
powershell -c "& { ./sagverify.ps1 -Loc 'https://github.com/rjb4standards/REA-Products/raw/refs/heads/master/DigitalCertificates/BCG-SIGNING-KEY-2030.cer' -OFile test.fil}"
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member, #SBOM SIG member
https://businesscyberguardian.com/
-----Original Message-----
From: curl-users <curl-users-bounces_at_lists.haxx.se> On Behalf Of Ian Norton via curl-users
Sent: Thursday, June 18, 2026 4:49 AM
To: curl-users_at_lists.haxx.se
Cc: Ian Norton <inorton_at_gmail.com>
Subject: Re: Curl feature idea, download hash checking
On Thu, 18 Jun 2026 at 09:38, Ian Norton <inorton_at_gmail.com> wrote:
> > On Fri, 12 Jun 2026, Daniel Stenberg via curl-users wrote:
> > > On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> > > > curl -O URL —-hash sha256:HASH_VALUE
> > > Does this sound like a good idea?
<snip>
> I'm coming from a place where in my org I've already "solved" this
> use-case with a python app that will exit non-zero if it can't
> download, or if the thing it downloaded didn't have a matching digest.
> But of course, this is a python tool and requires all the associated
> deps (and isn't especially fast)
>
> I'll try to make a curl PR and also try out the different input/arg
> variations and see if I can find one that feels right.
I've just seen Bruce's PR. That's given me some more things to think about. Perhaps what I/we actually want is a pipe/filter app that refuses to output if the digest doesn't match
Ian
-- -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-06-18