[Pharo-dev] [ANN] sha256 checksum for Pharo6 downloads

Marcus Denker marcus.denker at inria.fr
Wed Oct 25 04:33:10 EDT 2017



> On 25 Oct 2017, at 10:23, Sven Van Caekenberghe <sven at stfx.eu> wrote:
> 
> Great!
> 
> And here is how to do it in Pharo:
> 
> signature := 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt' asUrl retrieveContents findTokens: Character separators.
> hash := signature first.
> signedFile := signature second.
> url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
> ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
> file := FileLocator temp / url file.
> self assert: file exists.
> self assert: (signedFile match: url file).
> file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
> self assert: (hash sameAs: sha256 hex).
> 
Nice!

> Would it not be cleaner if the signature was next to the resource ? Like 
> 
> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
> 
> Or is that the next step ?
> 

Already there. But a signature like that is not a guarantee if it is downloaded from the same server… especially if that server does not
use SSL… 

The “attack vector” that a checksum protects against is the compromise of a download server, especially untrusted mirrors. For that, 
the checksum needs to come from some other (trusted) source. E.g. normally it is inlined on the download website.

But of course these things are never 100% guarantees, they just make it harder to do bad things.

	Marcus
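
An added example, not part of the original thread or of the Pharo project's tooling: Python that accepts a checksum only when it arrives over HTTPS from an allowlisted host other than the download server, then checks the file name and the streamed SHA-256. The allowlist, the function names and the sample bytes are assumptions constructed for illustration; the URLs are the ones quoted in the message.

```python
import hashlib
import io
from urllib.parse import urlsplit

TRUSTED_CHECKSUM_HOSTS = {"ci.inria.fr"}  # assumption: hypothetical local policy

def checksum_source_ok(artifact_url, checksum_url):
    """Accept a checksum only over TLS, from an allowlisted host other than the artifact's."""
    a, c = urlsplit(artifact_url), urlsplit(checksum_url)
    return (c.scheme == "https" and c.hostname in TRUSTED_CHECKSUM_HOSTS
            and c.hostname != a.hostname)

def parse_checksum_line(text):
    """Parse '<hex digest> <file name>' (sha256sum-style; '*' marks binary mode)."""
    digest, name = text.split()  # ValueError unless exactly two tokens
    digest, name = digest.lower(), name.lstrip("*")
    if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest, name

def sha256_of_stream(stream, chunk_size=1 << 16):
    """Hash in chunks so a large download never sits in memory whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify(artifact_url, checksum_url, checksum_text, stream):
    """Return 'ok' or the reason the download must be rejected."""
    if not checksum_source_ok(artifact_url, checksum_url):
        return "untrusted-checksum-source"
    digest, name = parse_checksum_line(checksum_text)
    if name != urlsplit(artifact_url).path.rsplit("/", 1)[-1]:
        return "wrong-file"
    if digest != sha256_of_stream(stream):
        return "digest-mismatch"
    return "ok"

# Constructed sample data standing in for the real zip and its checksum file.
ARTIFACT_URL = "http://files.pharo.org/platform/Pharo6.1-mac.zip"
CI_URL = ("https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/"
          "lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt")
SAME_HOST_URL = ARTIFACT_URL + ".sha256.txt"
SAMPLE = b"constructed stand-in for the zip contents"
CHECKSUM_TEXT = hashlib.sha256(SAMPLE).hexdigest() + "  Pharo6.1-mac.zip\n"

def demo():  # -> ['ok', 'untrusted-checksum-source']
    return [verify(ARTIFACT_URL, u, CHECKSUM_TEXT, io.BytesIO(SAMPLE))
            for u in (CI_URL, SAME_HOST_URL)]
```

The same bytes and the same digest are rejected when the checksum comes from the download host, because a party able to replace the zip there can replace the adjacent checksum file as well.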




