1

I am a newbie in CMake and trying to understand the following CMake command

FetchContent_Declare(curl
URL                    https://github.com/curl/curl/releases/download/curl-7_75_0/curl-7.75.0.tar.xz
URL_HASH               SHA256=fe0c49d8468249000bda75bcfdf9e30ff7e9a86d35f1a21f428d79c389d55675
USES_TERMINAL_DOWNLOAD TRUE)

When I open a browser and put in https://github.com/curl/curl/releases/download/curl-7_75_0/curl-7.75.0.tar.xz, the file curl-7.75.0.tar.xz will start downloading without the need for the URL_HASH. I am sure it is not redundant. I wanted to know what the purpose of the URL_HASH is?

Also how can SHA256 be found? Because when I visit https://github.com/curl/curl/releases/download/curl-7_75_0 to find out more, the link is broken.

afp_2008
  • 1,940
  • 1
  • 19
  • 46
  • It is good that you asked this question, rather than assume the hash was somehow useless or redundant! This is a common question that I will never tire of answering. – Alex Reinking Jul 01 '22 at 05:51

1 Answers1

1

I am sure it is not redundant. I wanted to know what the purpose of the URL_HASH is?

Secure hash functions like SHA256 are designed to be one-way; it is (in practice) impossible to craft a malicious version of a file with the same SHA256 hash as the original. It is even impossible to find two arbitrary files that have the same hash. Such a pair is called a "collision" and finding even one would constitute a major breakthrough in cryptanalysis.

The purpose of this hash in a CMakeLists.txt, then, is as an integrity check. If a bad actor has intercepted your connection somehow, then checking the hash of the file you actually downloaded against this hard-coded expected hash will detect whether or not the file changed in transit. This will even catch less nefarious data corruptions, like those caused by a faulty hard drive.

Including such a hash (a "checksum") is absolutely necessary when downloading code or other binary artifacts.

Also how can SHA256 be found?

Often, these will be published alongside the binaries. Use a published value if available.

If you have to compute it yourself, you have a few options. On the Linux command line, you can use the sha256sum command. As a hack, you can write a deliberately wrong SHA256=0 value or something and fish the observed value from the error message.

Note that if you compute the hash yourself, you should either (a) download the file from an absolutely trusted connection and device or (b) download it from multiple independent devices (free CI systems like GitHub Actions are useful for this) and ensure the hash is the same across all of them.

Alex Reinking
  • 16,724
  • 5
  • 52
  • 86
  • Great answer! Thanks! I am on a Windows system, is this hash not provided by GitHub and only retrievable by a Linux system? – afp_2008 Jul 01 '22 at 05:52
  • 1
    @afp_2008 - I think the incantation on Windows is like `certUtil -hashfile C:\path\to\file SHA256`. If not, you can try Googling "windows compute sha256 for file" or something like that. – Alex Reinking Jul 01 '22 at 05:53