[Pharo-dev] [ANN] sha256 checksum for Pharo6 downloads

Sven Van Caekenberghe sven at stfx.eu
Wed Oct 25 04:38:19 EDT 2017



> On 25 Oct 2017, at 10:33, Marcus Denker <marcus.denker at inria.fr> wrote:
> 
> 
> 
>> On 25 Oct 2017, at 10:23, Sven Van Caekenberghe <sven at stfx.eu> wrote:
>> 
>> Great!
>> 
>> And here is how to do it in Pharo:
>> 
>> signature := 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt' asUrl retrieveContents findTokens: Character separators.
>> hash := signature first.
>> signedFile := signature second.
>> url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
>> ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
>> file := FileLocator temp / url file.
>> self assert: file exists.
>> self assert: (signedFile match: url file).
>> file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
>> self assert: (hash sameAs: sha256 hex).
>> 
> Nice!
> 
>> Would it not be cleaner if the signature was next to the resource? Like
>> 
>> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
>> 
>> Or is that the next step?
>> 
> 
> Already there. But a signature like that is not a guarantee if it is downloaded from the same server… especially if that server does not
> use SSL…
> 
> The “attack vector” that a checksum protects against is the compromise of a download server, especially untrusted mirrors. For that,
> the checksum needs to come from some other (trusted) source. E.g. normally it is inlined on the download website.
> 
> But of course these things are never 100% guarantees, they just make it harder to do bad things.

Ah, OK, I understand, I just think that a shorter/simpler/easier-to-remember URL for the signature would be better.

> 	Marcus
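
An added example, not part of the thread and not Pharo project code: a Python sketch of the check discussed above, which refuses a checksum served from the same host as the download or over plain HTTP before comparing hashes. The acceptance policy (HTTPS plus a different host) is an assumption chosen for illustration, and the file bytes are a constructed stand-in; the URLs are the ones quoted in the thread.

```python
import hashlib
import io
from urllib.parse import urlsplit

HEX = set("0123456789abcdef")

def parse_checksum_line(text):
    """Parse one sha256sum-style line: '<64 hex chars> <filename>'."""
    digest, name = text.split(None, 1)
    digest = digest.lower()
    if len(digest) != 64 or not set(digest) <= HEX:
        raise ValueError("not a SHA-256 hex digest")
    return digest, name.strip().lstrip("*")  # '*' marks binary mode in sha256sum

def checksum_source_is_independent(file_url, checksum_url):
    """Assumed minimal policy: checksum comes over HTTPS from another host.
    Whether that host deserves trust is still a human decision."""
    f, c = urlsplit(file_url), urlsplit(checksum_url)
    return c.scheme == "https" and c.hostname != f.hostname

def sha256_of_stream(stream, chunk_size=1 << 16):
    """Hash in chunks so large archives are never held in memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_download(stream, file_url, checksum_url, checksum_text):
    if not checksum_source_is_independent(file_url, checksum_url):
        return "untrusted-checksum-source"
    expected, name = parse_checksum_line(checksum_text)
    if name != urlsplit(file_url).path.rsplit("/", 1)[-1]:
        return "filename-mismatch"
    if expected != sha256_of_stream(stream):
        return "hash-mismatch"
    return "ok"

# Constructed sample data standing in for the real archive and checksum file.
SAMPLE = b"constructed stand-in for Pharo6.1-mac.zip"
SAMPLE_LINE = hashlib.sha256(SAMPLE).hexdigest() + "  Pharo6.1-mac.zip\n"
FILE_URL = "http://files.pharo.org/platform/Pharo6.1-mac.zip"
SAME_HOST_URL = "http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt"
CI_URL = ("https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/"
          "lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt")

if __name__ == "__main__":
    for src in (CI_URL, SAME_HOST_URL):
        print(verify_download(io.BytesIO(SAMPLE), FILE_URL, src, SAMPLE_LINE))
```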




