Great!

And here is how to do it in Pharo:

signature := 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt'
    asUrl retrieveContents findTokens: Character separators.
hash := signature first.
signedFile := signature second.
url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
file := FileLocator temp / url file.
self assert: file exists.
self assert: (signedFile match: url file).
file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
self assert: (hash sameAs: sha256 hex).

Would it not be cleaner if the signature was next to the resource? Like

http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt

Or is that the next step?

> On 25 Oct 2017, at 09:53, Marcus Denker <[email protected]> wrote:
> 
> How to validate a Pharo6 download with the example of the mac download:
> 
> 1) get the checksum file (note: uses SSL):
>       https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt
> 
> 2) download Pharo:
>       http://files.pharo.org/platform/Pharo6.1-mac.zip
> 
> with sha256sum installed, you can do:
> 
>       sha256sum -c Pharo6.1-mac.zip.sha256.txt
> 
> and it prints:
> 
> Pharo6.1-mac.zip: OK
> 
>       Marcus
> 
> 
>> On 24 Oct 2017, at 17:34, Marcus Denker <[email protected]> wrote:
>> 
>> Hi,
>> 
>> A tiny first step: I added sha256 checksums for all downloads created by the 
>> Pharo6 build process
>> 
>>      https://ci.inria.fr/pharo/
>> 
>> This step:
>> 
>>      https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/
>> 
>> now creates .sha256.txt files, e.g. for the mac:
>> 
>>      https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt
>> 
>> This allows one to check that downloads from the file server are indeed the same 
>> files that the build server created.
>>      http://files.pharo.org/platform/
>>      http://files.pharo.org/image/60/
>> 
>> 
>> As I said, just a very first step.
>> 
>> TODO:
>>      - pgp signatures 
>>      - insert into website
>>      - SSL for files.pharo.org
>>      - do it Pharo7  
>>      - ….
>> 
>> So: more to come!
>> 
>>      Marcus
> 
> 
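
Added example, not part of the thread: a shell counterpart of the Pharo snippet's checks. `sha256sum -c` verifies whichever file name is written in the checksum file, so this function also confirms that the name matches the downloaded file and that the digest is well formed. The names `verify_download` and `sha256_of` and the demo data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; verify_download, sha256_of and the demo data are constructed.

# Hex SHA-256 digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS fallback
    fi
}

# verify_download FILE CHECKSUM_FILE
# Exit status: 0 verified, 1 digest mismatch, 2 unusable input.
# The body is a subshell, so its variables and exits stay local.
verify_download() (
    file=$1 sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || exit 2
    # A sha256sum line is "<64 hex digits> <space or *><file name>".
    read -r expected name < "$sums" || [ -n "$expected" ] || exit 2
    name=${name#\*}                          # drop the binary-mode marker
    # Accept only exactly 64 hex digits as the expected digest.
    case $expected in *[!0-9a-fA-F]*) exit 2 ;; esac
    [ "${#expected}" -eq 64 ] || exit 2
    # The checksum must be for the file that was downloaded (by base name).
    [ "$name" = "$(basename "$file")" ] || exit 2
    # Hex digests may be upper or lower case; the tools print lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$expected" = "$(sha256_of "$file")" ] || exit 1
)

# Constructed demo: a stand-in "download" and a checksum file written for it.
demo_dir=$(mktemp -d)
printf 'constructed sample payload\n' > "$demo_dir/Pharo6.1-mac.zip"
printf '%s  %s\n' "$(sha256_of "$demo_dir/Pharo6.1-mac.zip")" 'Pharo6.1-mac.zip' \
    > "$demo_dir/Pharo6.1-mac.zip.sha256.txt"
if verify_download "$demo_dir/Pharo6.1-mac.zip" \
                   "$demo_dir/Pharo6.1-mac.zip.sha256.txt"; then
    echo "Pharo6.1-mac.zip: OK"
fi
rm -rf "$demo_dir"
```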

