Daaniel,
What you describe is very similar to how we verify a trusted product (i.e.
X.509 self-signed public key certificate) today using this powershell
sagverify.ps1 script
MIT License, free to use.
param(
[string]$LOC
)
Write-Host "LOC: $LOC"
curl $LOC -o "keyfile.cer"
$DNAID = (Get-FileHash .\keyfile.cer).Hash
$URL="https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID="+$DNAID
Start-Process $URL
Execute this using:
powershell -c "& { ./sagverify.ps1 -Loc
'https://github.com/rjb4standards/REA-Products/raw/refs/heads/master/DigitalCertificates/BCG-SIGNING-KEY-2030.cer'
}"
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member, #SBOM SIG member
https://businesscyberguardian.com/
-----Original Message-----
From: curl-users <[email protected]> On Behalf Of Daniel
Stenberg via curl-users
Sent: Friday, June 12, 2026 7:16 AM
To: Ian Norton via curl-users <[email protected]>
Cc: Daniel Stenberg <[email protected]>
Subject: Re: Curl feature idea, download hash checking
On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:
> curl -O URL —-hash sha256:HASH_VALUE
>
> Does this sound like a good idea?
It is an idea that is often brought up but has never been materialized. Is it
good? I think it depends on how it is done so that in the end people would use
it.
One additional idea is adding the hash into the URL itself somehow so that copy
and pasting a single URL is enough and you can't forget the hash:
curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz
It also makes the URL not work at all if the download tool doesn't support the
hash, which I think is a bonus.
Doing the hash embedded in the URL is of course a side-track, can be worked on
independently and is for sure hard to do with buy-in from others as well.
Others have suggested a similar thing before but instead of just doing a hash
it would verify the *signature* provided.
Challenges involved include:
What if you download to stdout and yet want it verified? Like in the classic:
"curl https://installer.example.com | sh" case. It seems like that case is
still a decent amount of current use cases this could help strengthen.
Then curl needs to download to a temporary location, check the hash and *then*
pass it on. This can lead to challenges if you instead for example pipe a
petabyte stream: "curl https://never-ending.example.com | videoplayer"
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html