Daaniel,

What you describe is very similar to how we verify a trusted product (i.e. 
X.509 self-signed public key certificate) today using this powershell 
sagverify.ps1 script

MIT License, free to use.

param(
    [string]$LOC
)

Write-Host "LOC: $LOC"
curl $LOC -o "keyfile.cer"
$DNAID = (Get-FileHash .\keyfile.cer).Hash
$URL="https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID="+$DNAID
Start-Process $URL


Execute this using:
powershell -c "& { ./sagverify.ps1 -Loc 
'https://github.com/rjb4standards/REA-Products/raw/refs/heads/master/DigitalCertificates/BCG-SIGNING-KEY-2030.cer'
 }"

Thanks,

Dick Brooks
   
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership
Lifetime IEEE Member, #SBOM SIG member 
https://businesscyberguardian.com/ 


-----Original Message-----
From: curl-users <[email protected]> On Behalf Of Daniel 
Stenberg via curl-users
Sent: Friday, June 12, 2026 7:16 AM
To: Ian Norton via curl-users <[email protected]>
Cc: Daniel Stenberg <[email protected]>
Subject: Re: Curl feature idea, download hash checking

On Fri, 12 Jun 2026, Ian Norton via curl-users wrote:

> curl -O URL —-hash sha256:HASH_VALUE​
>
> Does this sound like a good idea?

It is an idea that is often brought up but has never been materialized. Is it 
good? I think it depends on how it is done so that in the end people would use 
it.

One additional idea is adding the hash into the URL itself somehow so that copy 
and pasting a single URL is enough and you can't forget the hash:

   curl -O URL https://host.com/HASHMARKER-HASH/the/path/file.tar.gz

It also makes the URL not work at all if the download tool doesn't support the 
hash, which I think is a bonus.

Doing the hash embedded in the URL is of course a side-track, can be worked on 
independently and is for sure hard to do with buy-in from others as well.

Others have suggested a similar thing before but instead of just doing a hash 
it would verify the *signature* provided.

Challenges involved include:

What if you download to stdout and yet want it verified? Like in the classic: 
"curl https://installer.example.com | sh" case. It seems like that case is 
still a decent amount of current use cases this could help strengthen.

Then curl needs to download to a temporary location, check the hash and *then* 
pass it on. This can lead to challenges if you instead for example pipe a 
petabyte stream: "curl https://never-ending.example.com | videoplayer"

-- 

  / daniel.haxx.se || https://rock-solid.curl.dev

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html

Reply via email to