My company uses a powershell scipt to verify trust, using a SHA256 hash of a 
digital object:

 

param(

    [string]$LOC,

    [string]$OFILE

)

 

curl $LOC -o $OFILE

$DNAID = (Get-FileHash .\$OFILE).Hash

$URL="https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?ProductID="+$DNAID+"&html=1";

Start-Process $URL

 

Usage instructions for this script are here to verify trust in a self-signed 
X.509 public key digital certificate : 

 

https://github.com/rjb4standards/REA-Products/blob/master/DigitalCertificates/README.md

 

 

 

 

 

Thanks,

 

Dick Brooks

   

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

Lifetime IEEE Member, #SBOM SIG member 

https://businesscyberguardian.com/ 

 

 

From: curl-users <[email protected]> On Behalf Of bruce via 
curl-users
Sent: Saturday, June 13, 2026 2:57 PM
To: curl-users - the curl tool <[email protected]>
Cc: bruce <[email protected]>
Subject: Re: Curl feature idea, download hash checking

 

as i recall  decade ago.  that was the mantra!.  so maybe a few example of how 
to accomplish this kind of process would be enough!!

 

 

 

On Sat, Jun 13, 2026, 9:25 AM Ray Satiro via curl-users 
<[email protected] <mailto:[email protected]> > wrote:

On 6/12/2026 7:16 AM, Daniel Stenberg via curl-users wrote:

On Fri, 12 Jun 2026, Ian Norton via curl-users wrote: 




curl -O URL —-hash sha256:HASH_VALUE​ 

Does this sound like a good idea? 


It is an idea that is often brought up but has never been materialized. Is it 
good? I think it depends on how it is done so that in the end people would use 
it. 

 

Many years ago I wrote CURLOPT_SHA256 / CURLINFO_SHA256 to calculate the hash 
of the transfer body as received but there wasn't any interest so it wasn't 
adopted see https://github.com/curl/curl/issues/1399

These days sha256 is more common and we have sha256 calculation code already in 
libcurl. So that part would be easier. But to handle partially downloaded data, 
resumed data, etc, is still a complication. You can already pipe curl to sha256 
for verification, and ghedo gives an example in that issue of how to do it.

Basically if you can do the unix pipe style to an existing tool that can handle 
it then is it worth putting that tool's functionality in curl, I guess is the 
question. What I mean is like grep should be grep, curl should be curl etc

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html

Reply via email to