> On 25 Oct 2017, at 10:33, Marcus Denker <[email protected]> wrote:
>
>
>
>> On 25 Oct 2017, at 10:23, Sven Van Caekenberghe <[email protected]> wrote:
>>
>> Great!
>>
>> And here is how to do it in Pharo:
>>
>> signature :=
>> 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt'
>> asUrl retrieveContents findTokens: Character separators.
>> hash := signature first.
>> signedFile := signature second.
>> url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
>> ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
>> file := FileLocator temp / url file.
>> self assert: file exists.
>> self assert: (signedFile match: url file).
>> file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
>> self assert: (hash sameAs: sha256 hex).
>>
> Nice!
>
>> Would it not be cleaner if the signature was next to the resource ? Like
>>
>> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
>>
>> Or is that the next step ?
>>
>
> Already there. But a signature like that is not a guarantee if it is
> downloaded from the same server… especially of that server does not
> use SSL…
>
> The “stack vector”
^^^^ Attack vector
