What is asfald?
Asfald is our open source command line tool allowing you to download more securely from the internet.
It is developed on Github at https://github.com/asfaload/asfald and is available for most platforms (Linux, Windows, Mac, FreeBSD, ARM and x86_64).
How does it work?
It enhances security by checking that the checksum of the downloaded file corresponds to the checksum that the publisher announces. We currently only support Github Releases, but our approach is generic and will be expanded to other hosting means, including self-hosting.
Currently, the validation occurs by using a mirror of the checksums file. Using a mirror increases security as in that case 2 locations have to be compromised to make you unknowingly download compromised files. The mirror is an append only git repository, the integrity of which can be validated by anyone thanks to a small script that can easily be audited.
The next step will further improve our approach by introducing a multi-signature scheme, which will also transparently be validated by asfald.
Installation
It is important to validate the version of asfald you download before installation. This is easily done thanks to the checksums mirror, actually replicating what asfald does.
First download asfald from its Github release. In this case we download version 0.5.1 for linux on x86_64. The file is named asfald-x86_64-unknown-linux-musl. We download it with curl but it can be downloaded by other means.
If you need asfald on another platform, download the file named accordingly.
curl -L -O https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl
We then need to validate the downloaded file. This is easily done with this command, which uses sha256sum and curl.
Use this same command, even if you downloaded asfald for another platform. The validation will still be effective as the checksums file covers
files for all platforms.
sha256sum --ignore-missing -c <(curl --silent https://gh.checksums.asfaload.com/github.com/asfaload/asfald/releases/download/v0.5.1/checksums.txt)
If validation is successful, you can move the file in your path and make it executable. In this example we make it available system-wide and use sudo:
sudo mv asfald-x86_64-unknown-linux-musl /usr/local/bin
sudo chmod +x /usr/local/bin/asfald
For the reference, here’s the excution of these commands with their output:
$ curl -L -O https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 4034k 100 4034k 0 0 3803k 0 0:00:01 0:00:01 --:--:-- 35.4M
$ sha256sum --ignore-missing -c <(curl --silent https://gh.checksums.asfaload.com/github.com/asfaload/asfald/releases/download/v0.5.1/checksums.txt)
asfald-x86_64-unknown-linux-musl: OK
Usage
To download with asfald, you simply pass the URL of the file you want to download.
For example, for downloading the latest asfald release with asfald, you do:
$ asfald https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl
INFO ℹ️ Using asfaload index on mirror
INFO ℹ️ Same checksum found in release
INFO 🗑️ Create temporary file...
INFO 🚚 Downloading file...
[00:00:00] [###########################################################] 3.94 MiB/3.94 MiB (00:00:00)INFO ✅ File's checksum is valid !
INFO ✅ File's checksum is valid !
Similarly, all files published by projects hosted on Github and publishing a checksums file can be validated.
Attacks not covered
The current approach of only using the mirrored checksums file does not protect downloaders if the publishing account gets compromised or publishes malevolent files. Our signature scheme will protect against compromised publisher accounts.