23

I am looking to get the MD5 hash for a tar.gz GitHub release from here: https://github.com/jbeder/yaml-cpp/releases

Would like to use it in my CMake. Does anyone know where I can get it? I could not find much of a solution through Google.

jlcv
  • 1
    Any reason for not just downloading the file and calculating it yourself? Mind that the primary purpose of the MD5 check in CMake is so that you can ensure that the file on the server is still the same file you expect it to be (i.e. it wasn't changed on the server or in transfer to your machine). Given that you probably won't update external dependencies like this very often, this seems a perfectly fine solution to me. – ComicSansMS Apr 16 '15 at 10:43
  • 2
    @ComicSansMS You're right, that is the primary purpose. So how is calculating it yourself after download going to ensure that it "wasn't changed ... in transfer to your machine"? – VertigoRay Mar 30 '16 at 05:20
  • @VertigoRay Depends on what you are trying to guard against here. Downloading via https should eliminate any man-in-the-middle scenarios, while data corruption is something that is rather unlikely to happen these days (and even less likely to pass unnoticed). If you are really paranoid, you can always compare the downloaded sources against the corresponding git revision (which is SHA-1 secured by git). But imho you would need a pretty good reason to justify this level of paranoia. – ComicSansMS Mar 30 '16 at 08:17
  • @ComicSansMS I completely agree. If you want to protect from mitm, https *should* protect you [1]. If it doesn't then pulling the MD5 hash from the same location is not going to help. ;) As for your second solution, I'm not sure how you would calculate the hash of multiple files without using git ... interesting ... /shrug *(**[1]:** If you have auto-detect proxy settings enabled, it's very easy to get mitm and be provided with a valid https cert.)* *(**Note:** I just felt that your original comment was lacking the detail you provided in the latter comment. :beers:)* – VertigoRay Apr 03 '16 at 04:32

2 Answers

16

As VertigoRay suggests in his answer, I emailed GitHub at support@github.com.

Subject: Suggestion: Show the checksum of each release

For example, I want to download a release from https://github.com/vim/vim/releases.

Shouldn't there be a sha256 checksum displayed next to each release?

See also: Where to get MD5 hashes from a GitHub release?

They replied within 40 minutes thanking me for my feedback and informing me that they had added my +1 to their internal Feature Request List.

Feel free to send GitHub my email if you'd also like to add your +1.

ma11hew28
15

If GitHub wanted to provide this information, I would expect it to be provided in the API. The GitHub API doesn't currently provide this information. If they did, I would expect it to be here: https://api.github.com/repos/jbeder/yaml-cpp/releases/latest

More info: https://developer.github.com/v3/repos/releases/#list-assets-for-a-release

If you'd like the feature added, you could get in contact with @github. You could send them an email.

VertigoRay
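
Since GitHub does not publish a checksum, the approach from the comments on the question (download the tarball once and calculate the hash yourself) can be scripted. This is an added example, not code from the question or either answer: it prints the digest as the `URL_HASH` argument for CMake's `ExternalProject_Add` and re-checks a file against a stored pin. The function names and the `yaml-cpp-<version>.tar.gz` file name are assumptions, and it relies on `md5sum` and `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example: pin a release tarball's hash for CMake and re-check it later.

# Print the lowercase hex digest of file $2 using algorithm $1 (MD5 or SHA256).
digest() {
    [ -r "$2" ] || { echo "cannot read: $2" >&2; return 1; }
    case "$1" in
        MD5)    md5sum    < "$2" | cut -d' ' -f1 ;;
        SHA256) sha256sum < "$2" | cut -d' ' -f1 ;;
        *)      echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
}

# Print the argument to paste into ExternalProject_Add(),
# in the form "URL_HASH <ALGO>=<hex>".
cmake_pin() (
    hex=$(digest "$1" "$2") || exit
    printf 'URL_HASH %s=%s\n' "$1" "$hex"
)

# Return 0 if file $2 still matches pin $1 (form "<ALGO>=<hex>"), non-zero otherwise.
# The hex part is lowercased first so pins copied in upper case still compare equal.
verify_pin() (
    algo=${1%%=*}
    expected=$(printf '%s' "${1#*=}" | tr 'A-F' 'a-f')
    actual=$(digest "$algo" "$2") || exit
    [ "$actual" = "$expected" ]
)

# Usage (file name is a placeholder): ./pin.sh SHA256 yaml-cpp-<version>.tar.gz
if [ "$#" -eq 2 ]; then
    cmake_pin "$1" "$2"
fi
```

A pin computed this way only records what you downloaded the first time; it detects later changes to the file, not a tarball that was already altered when you fetched it.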