> On 25 Oct 2017, at 10:33, Marcus Denker <[email protected]> wrote:
>
>> On 25 Oct 2017, at 10:23, Sven Van Caekenberghe <[email protected]> wrote:
>>
>> Great!
>>
>> And here is how to do it in Pharo:
>>
>> signature := 
>> 'https://ci.inria.fr/pharo/job/Pharo-6.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/Pharo6.1-mac.zip.sha256.txt'
>>  asUrl retrieveContents findTokens: Character separators.
>> hash := signature first.
>> signedFile := signature second.
>> url := 'http://files.pharo.org/platform/Pharo6.1-mac.zip' asUrl.
>> ZnClient new url: url; downloadTo: FileLocator temp. "somewhat slow"
>> file := FileLocator temp / url file.
>> self assert: file exists.
>> self assert: (signedFile match: url file).
>> file readStreamDo: [ :in | sha256 := SHA256 hashStream: in ]. "very slow"
>> self assert: (hash sameAs: sha256 hex).
>>
> Nice!
>
>> Would it not be cleaner if the signature was next to the resource ? Like
>>
>> http://files.pharo.org/platform/Pharo6.1-mac.zip.sha256.txt
>>
>> Or is that the next step ?
>>
>
> Already there. But a signature like that is not a guarantee if it is
> downloaded from the same server… especially if that server does not
> use SSL…
>
> The “attack vector” that a checksum protects against is the compromise of a
> download server, especially untrusted mirrors. For that,
> the checksum needs to come from some other (trusted) source. E.g. normally it
> is inlined on the download website.
>
> But of course these things are never 100% guarantees, they just make it
> harder to do bad things.

Ah, OK, I understand, I just think that a shorter/simpler/easier-to-remember URL for the signature would be better.

> Marcus
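The point made in the thread, that a checksum fetched from the same server as the file does not protect against a compromised download server, shown as an added example that is not part of the original messages (Python rather than Pharo so it runs offline). The file name, the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_line(text):
    """Split a '<hex digest> <file name>' line, the layout of the .sha256.txt file."""
    digest, name = text.split()[:2]
    # sha256sum marks binary mode with a leading '*' on the file name.
    return digest.lower(), name.lstrip("*")


def sha256_of(path, chunk_size=1 << 16):
    """Hash the file in chunks so large archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, checksum_line):
    """True only if the line names this file and its digest matches the file's."""
    digest, name = parse_checksum_line(checksum_line)
    if name != os.path.basename(path):
        return False
    return hmac.compare_digest(digest, sha256_of(path))


def demo():
    """Constructed scenario: a mirror replaces both the archive and its checksum."""
    genuine = b"genuine archive bytes (constructed sample)"
    tampered = b"tampered archive bytes (constructed sample)"
    name = "example-download.zip"  # hypothetical file name
    # Checksum line published on a separate, trusted channel (e.g. the HTTPS site).
    trusted_line = f"{hashlib.sha256(genuine).hexdigest()}  {name}"
    # Checksum line served by the compromised mirror, recomputed to match.
    mirror_line = f"{hashlib.sha256(tampered).hexdigest()}  {name}"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(tampered)
        same_server = verify(path, mirror_line)   # passes, yet proves nothing
        out_of_band = verify(path, trusted_line)  # fails, tampering detected
    return same_server, out_of_band


if __name__ == "__main__":
    print(demo())
```

The same-server check succeeds on the tampered file because whoever controls the server controls both inputs; only the digest obtained from the separate source rejects it.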
