merklecounty / rget

download URLs and verify the contents against a publicly recorded cryptographic log
https://merklecounty.com
Apache License 2.0

zip integration #21

Open zwykl3 opened 5 years ago

zwykl3 commented 5 years ago

Is integration with zip, tgz, rar, etc. possible? For example, I download only the header, unpack, and check the signature for the whole files inside the zip/tgz.

philips commented 5 years ago

I don't understand the question fully. Can you reply to my thoughts below?

In general though it is a bad idea for a cryptographic tool to be manipulating and interpreting binary data because it opens up potential vulnerability paths. I would like to keep this tool treating the download objects as a binary string that is pushed directly into a cryptographic digest algorithm. Does that make sense?

What is your use case?

brianredbeard commented 5 years ago

@zwykl3 to ask another question, from the statement:

I download only header

It sounds like you would be looking for some type of metadata which is packaged either in the payload or is served directly by the content server (e.g. as you said, delivered via a header).

Part of the benefit of using the model prescribed by rget is the out-of-band nature of the metadata used for validation.

Presently there are no limitations on the types of files which can be used with rget. As long as the files can be referenced in the SHA256SUMS file (or via some related mechanism after the resolution of #1) with a valid digest, it should be agnostic of the content.
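
The content-agnostic check discussed in this thread, as an added example that is not rget's code or any commenter's: the archive is hashed as an opaque byte stream and compared with a SHA256SUMS entry, and is never unpacked. The names `parseSums`, `verify` and `sampleSums` and the file name `release.tgz` are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Constructed sample: SHA256SUMS line for a hypothetical release.tgz whose whole content is "abc".
const sampleSums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release.tgz\n"

// parseSums reads sha256sum-style lines: 64 hex chars, ' ', a mode char (' ' or '*'), file name.
func parseSums(r io.Reader) (map[string][]byte, error) {
	sums := make(map[string][]byte)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if len(line) < 67 || line[64] != ' ' {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		digest, err := hex.DecodeString(line[:64])
		if err != nil {
			return nil, fmt.Errorf("bad digest in %q: %w", line, err)
		}
		sums[line[66:]] = digest
	}
	return sums, sc.Err()
}

// verify streams body through SHA-256 as opaque bytes; no archive parser sees unverified input.
func verify(name string, body io.Reader, sums map[string][]byte) (bool, error) {
	want, ok := sums[name]
	if !ok {
		return false, fmt.Errorf("%s: no digest recorded", name)
	}
	h := sha256.New()
	if _, err := io.Copy(h, body); err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(h.Sum(nil), want) == 1, nil
}

func main() {
	sums, _ := parseSums(strings.NewReader(sampleSums))
	fmt.Println(verify("release.tgz", strings.NewReader("abc"), sums))
}
```

Any decompression or inspection of the archive's members belongs after `verify` has returned true for the complete file.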