[Pharo-dev] [ANN] sha256 checksum for Pharo6 downloads

Sven Van Caekenberghe sven at stfx.eu
Wed Oct 25 04:23:06 EDT 2017


Great!

And here is how to do it in Pharo:

"Fetch the checksum file over HTTPS; its tokens are the hex digest and the file name."
signature := 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt' asUrl retrieveContents findTokens: Character separators.
hash := signature first.
signedFile := signature second.
"Download the artifact itself into the temp directory."
url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
file := FileLocator temp / url file.
self assert: file exists.
"The checksum file must name the file that was downloaded."
self assert: (signedFile match: url file).
"Hash the download and compare it with the published digest, ignoring case."
file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
self assert: (hash sameAs: sha256 hex).

Would it not be cleaner if the signature was next to the resource? Like

http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt

Or is that the next step?

> On 25 Oct 2017, at 09:53, Marcus Denker <marcus.denker at inria.fr> wrote:
> 
> How to validate a Pharo6 download with the example of the mac download:
> 
> 1) get the checksum file (note: uses SSL):
> 	https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt
> 
> 2) download Pharo:
> 	http://files.pharo.org/platform/Pharo6.1-mac.zip
> 
> with sha256sum installed, you can do:
> 
> 	sha256sum -c Pharo6.1-mac.zip.sha256.txt
> 
> and it prints:
> 
> Pharo6.1-mac.zip: OK
> 
> 	Marcus
> 
> 
>> On 24 Oct 2017, at 17:34, Marcus Denker <marcus.denker at inria.fr> wrote:
>> 
>> Hi,
>> 
>> A tiny first step: I added sha256 checksums for all downloads created by the Pharo6 build process
>> 
>> 	https://ci.inria.fr/pharo/
>> 
>> This step:
>> 
>> 	https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/
>> 
>> now creates .sha256.txt files, e.g. for the mac:
>> 
>> 	https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt
>> 
>> This allows checking that downloads from the file server are indeed the same files that the build server created.
>> 	http://files.pharo.org/platform/
>> 	http://files.pharo.org/image/60/
>> 
>> 
>> As I said, just a very first step.
>> 
>> TODO:
>> 	- pgp signatures 
>> 	- insert into website
>> 	- SSL for files.pharo.org
>> 	- do it Pharo7	
>> 	- ….
>> 
>> So: more to come!
>> 
>> 	Marcus
> 
> 
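Added example, not part of the thread and not Pharo project code: the same check as the Pharo snippet and `sha256sum -c` above, written in Python. It goes a little further by accepting the `*` binary-mode marker of sha256sum output, rejecting entries that carry a path, and hashing in chunks. All function names are hypothetical and the sample file is constructed so that it runs offline.

```python
import hashlib
import hmac
import os
import re
import tempfile

# sha256sum line: 64 hex digits, a space, a mode flag (' ' or '*'), file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_checksum_file(text):
    """Return {file name: lowercase hex digest}; raise on anything malformed."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = m.group(1).lower(), m.group(2)
        if os.path.basename(name) != name:
            raise ValueError("entry is a path, not a plain name: %r" % name)
        entries[name] = digest
    return entries

def sha256_of(path, chunk_size=1 << 20):
    """Hash in fixed-size chunks so a large download is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """True only if the checksum file names this file and the digest matches."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False  # checksum file describes some other artifact
    return hmac.compare_digest(expected, sha256_of(path))

def demo():
    """Constructed stand-in file named like the mac download; no network."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Pharo6.1-mac.zip")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in bytes, not a real Pharo build")
        good = "%s  Pharo6.1-mac.zip\n" % sha256_of(path).upper()
        matches = verify_download(path, good)
        wrong_name = verify_download(path, good.replace("-mac", "-win"))
        with open(path, "ab") as f:
            f.write(b"!")  # simulate a modified download
        return matches, wrong_name, verify_download(path, good)
```

`demo()` returns three results in order: the untouched file against its own checksum, the same file against a checksum entry for a different name, and the file after one byte was appended.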




