Downloaded zip size from a Github release using curl is only 9 bytes

Question

Github public repo has release v1.0.

The following curl command downloads only 9 bytes output of 42KB.

curl -O -L -J --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/releases/v1.0/TTF2PostscriptCID-Win-1.0.zip

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
100     9  100     9    0     0      9      0  0:00:01 --:--:--  0:00:01     9

Based on comments received, the response of curl command only withL flag is added up in the post:

curl -L https://github.com/marmayogi/TTF2PostscriptCID-Win/releases/v1.0/TTF2PostscriptCID-Win-1.0.zip

curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Added with post based on the comments received.

My desktop was expecting --ssl-no-revoke along with curl command. This problem was resolved with flag k. Here is the evidence.

"C:\Program Files\Neovim\bin\curl.exe" -o TTF2PostscriptCID-Win-1.0.zip -L https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Can anyone throw some light on this issue?

Thanks in advance.

That is a very strange selection of parameters for curl, especially for downloading from GitHub, which famously would make sure not to ever use revoked sal certificates. So, maybe just don't use any of these flags? I'm also surprised there's a DOS version of curl... So maybe whoever prepared the release page was not the foremost expert on any of this, and you should really just ignore their specific download recommendations — Marcus Müller, Oct 24 '22 at 00:28
Strange Selection of Parameters? If flag `-L` is only used, then `curl` throws some other error: `curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate`. I have updated the post. — Marmayogi, Oct 24 '22 at 00:43
That should not happen. Are you sure your traffic isn't forced through somewhere that tries to strip its encryption? — Marcus Müller, Oct 24 '22 at 00:45
@Marcus thanks for the comment. How should I verify that something strips encryption? Please know that I just followed the Github documentaion to make the release. — Marmayogi, Oct 24 '22 at 01:51
Ah that was you! Sorry, I didn't mean to be rude. It's just that the download instructions you've posted on the releases page are fundamentally broken, including an incorrect URL, so that I assumed that these instructions were copied from somewhere without sense. I personally wouldn't even put download instructions on the download page. Let people download just how they want, just tell them where to put the files. — Marcus Müller, Oct 24 '22 at 01:54
The `git clone` works perfectly but only the release is troubling. I already tried all the combination with `curl` and `wget`, but nothing works. @Marcus, can you please correct the `curl` command? — Marmayogi, Oct 24 '22 at 02:03
If you need `-k` for GitHub, something is tampering with your connection and you should fix that (or remove it). Sometimes that's a third-patty antivirus or firewall, or a proxy or MITM device or software. Using `-k` turns off all security and essentially is little better than using an unencrypted connection. — bk2204, Oct 24 '22 at 22:10
@bk2204 thanks for your comments. I verified from **Ubuntu** and `curl` command is alright and does not need `k`. Only from `DOS` and `Cygwin` this problem persists. However I am looking into this. — Marmayogi, Oct 25 '22 at 02:00

leomeinel · Accepted Answer · 2022-10-24T03:05:18.340

4

I'd recommend using

curl -sL https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip >filename.zip

or

curl -sLO https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip

Optionally you can also use (loosens SSL security)

curl -sL --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip >filename.zip

or

curl -sLO --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip

-s, --silent Silent or quiet mode. Do not show progress meter or error messages. Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect it. Use --show-error in addition to this option to disable progress meter but still show error messages.

-L, --location (HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place.

-O, --remote-name Write output to a local file named like the remote file we get. (Only the file part of the remote file is used, the path is cut off.) The file will be saved in the current working directory.

--ssl-no-revoke (Schannel) This option tells curl to disable certificate revocation checks. WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

The curl then gets redirected to whatever filename you want (filename.zip) or with the -sLO it selects the filename automatically.

edited Oct 24 '22 at 03:05

answered Oct 24 '22 at 00:40

leomeinel

66
8

`curl -s https://github.com/marmayogi/TTF2PostscriptCID-Win/releases/v1.0/TTF2PostscriptCID-Win-1.0.zip >filename.zip` command produces `filename.zip` with zero bytes. – Marmayogi Oct 24 '22 at 00:52
Maybe also add --ssl-no-revoke. I think your system might not trust githubs SSL certs. There is a security risk involved when using the flag tho: https://man.archlinux.org/man/curl.1.en#ssl-no-revoke – leomeinel Oct 24 '22 at 00:53
`curl -s --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/releases/v1.0/TTF2PostscriptCID-Win-1.0.zip >filename.zip` command produces `filename.zip` with 9 bytes. – Marmayogi Oct 24 '22 at 00:56
Sorry, you also have to add the `-L` flag. The correct command should be: `curl -sL https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip >filename.zip` At least that worked fine for me and I tried 3 times. Seems like curl needs to follow a redirect to download. https://stackoverflow.com/questions/46060010/download-github-release-with-curl – leomeinel Oct 24 '22 at 01:09
`curl -sL https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip >filename.zip` command produces `filename.zip` with 0 bytes. Please let me know the response of `curl` if you try from your desktop. Since the Github repo and release are public, so anybody can try. – Marmayogi Oct 24 '22 at 01:45
I really don't understand why this doesn't work for you. Both options listed in my answer worked flawlessly (at least for me). You should note that the link I supplied is also different. The file you linked to in the question doesn't exist, which is why the file was only 9 bytes after downloading. – leomeinel Oct 24 '22 at 01:58
Maybe try the second curl request from my answer: `curl -sLO https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip` Optionally add a `--ssl-no-revoke` after the `-sLO` if there are any errors with the certs. – leomeinel Oct 24 '22 at 02:00
@leomeinel I like your tenacity. – Misunderstood Oct 24 '22 at 02:03
The complete response I get when running `curl -IL https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip` `HTTP/2 302 (redirect) ...location: https://codeload.github.com/marmayogi/TTF2PostscriptCID-Win/zip/refs/tags/v1.0 ...` `HTTP/2 200 ... content-disposition: attachment; filename=TTF2PostscriptCID-Win-1.0.zip ... content-type: application/zip etag: "..." ... vary: Authorization,Accept-Encoding,Origin ...` Sorry for the weird formatting. I can't put codeblocks and had to leave out a lot. – leomeinel Oct 24 '22 at 02:04
@leomeinel are you getting zip size 42KB at your desktop after downloading through `curl`? – Marmayogi Oct 24 '22 at 02:17
@Marmayogi Yes, 42KB exactly. – leomeinel Oct 24 '22 at 02:18
@leomeinel can you please produce the entire `curl` command that worked for you? – Marmayogi Oct 24 '22 at 02:29
@Marmayogi `curl -sL --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip >filename.zip`; `curl -sLO --ssl-no-revoke https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip` both worked. The issue might be with DOS. Maybe curl under DOS doesn't support the https://... or curl works differently on DOS. I think I can't help you with that tho. (I just read that you might be using DOS on your releases page) – leomeinel Oct 24 '22 at 02:33
@Marmayogi The same commands without the `--ssl-no-revoke` also worked (for me). – leomeinel Oct 24 '22 at 02:34
1

Your both commands (only with `--ssl-no-revoke`) worked and my desktop received the correct zip file size. But `curl` command ending with `TTF2PostscriptCID-Win/releases/v1.0/TTF2PostscriptCID-Win-1.0.zip` does not work. @leomeinel, I thank you for your continuous support in resolving this issue and I approve your answer! – Marmayogi Oct 24 '22 at 02:55
Perfect, I'm glad that I was able to help you! Thanks for approving my answer :) – leomeinel Oct 24 '22 at 02:59

score 0 · Answer 2 · answered Oct 24 '22 at 07:44

0

seems your URL is bad? try

curl 'https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip' -LO

answered Oct 24 '22 at 07:44

hanshenrik

19,904
4
43
89

Your command `curl 'https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip' -LO` commands throws error `curl: (3) URL using bad/illegal format or missing URL`. – Marmayogi Oct 24 '22 at 08:00
At the same time, your command without single quotes along with `--ssl-no-revoke` works on my desktop perfectly. This is what @leomeinel answered. – Marmayogi Oct 24 '22 at 08:03
@Marmayogi what terminal are you using? windows's cmd.exe perhaps? the above invocation is for linux/MacOS/bsd/unix shells; winows shells should use `"` instead of `'` – hanshenrik Oct 24 '22 at 08:05
I tried your commands with `double quotes` at DOS prompt and `single quotes` on Cygwin. Both threw the error `curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.`. If `--ssl-no-revoke` is added, then both works perfectly. However I still don't understand why should my desktop expects`--ssl-no-revoke` in the command? – Marmayogi Oct 24 '22 at 08:13
my best guess is that your curl installation is semi-broken somehow. what do you get if you run in Cygwin `wget 'https://curl.se/ca/cacert-2022-10-11.pem' -O /etc/pki/tls/certs/ca-bundle.crt` ? – hanshenrik Oct 24 '22 at 08:20
Command `wget https://curl.se/ca/cacert-2022-10-11.pem -O /etc/pki/tls/certs/ca-bundle.crt` throws message `/etc/pki/tls/certs/ca-bundle.crt: Permission denied`. Command was supplied with singles quotes. – Marmayogi Oct 24 '22 at 08:23
@Marmayogi what about ```chmod 0777 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; wget 'https://curl.se/ca/cacert-2022-10-11.pem' -O /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; chmod 0444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; type curl;``` – hanshenrik Oct 24 '22 at 08:25
The final output for these series of commands is `curl is hashed (/cygdrive/c/Windows/system32/curl)` – Marmayogi Oct 24 '22 at 08:28
best guess: Windows's built-in curl is probably garbage. download a fresh curl from https://curl.se/windows/ and put it in C:\windows\system32\curl.exe – hanshenrik Oct 24 '22 at 08:30
I thank you @hanshenrik for your support in resolving `--ssl-no-revoke` issue. The Command `curl.exe -k -o TTF2PostscriptCID-Win-1.0.zip -L https://github.com/marmayogi/TTF2PostscriptCID-Win/archive/refs/tags/v1.0.zip` with flag `k` solved the problem. I have updated the post to benefit others. – Marmayogi Oct 24 '22 at 13:04

Downloaded zip size from a Github release using curl is only 9 bytes

2 Answers2