What is asfald?

Asfald is our open source command line tool allowing you to download more securely from the internet.

It is developed on Github at https://github.com/asfaload/asfald and is available for most platforms (Linux, Windows, Mac, FreeBSD, ARM and x86_64).

How does it work?

It enhances security by checking that the checksum of the downloaded file corresponds to the checksum that the publisher announces. We currently only support Github Releases, but our approach is generic and will be expanded to other hosting means, including self-hosting.

Currently, the validation occurs by using a mirror of the checksums file. Using a mirror increases security as in that case 2 locations have to be compromised to make you unknowingly download compromised files. The mirror is an append only git repository, the integrity of which can be validated by anyone thanks to a small script that can easily be audited.

The next step will further improve our approach by introducing a multi-signature scheme, which will also transparently be validated by asfald.

Installation

It is important to validate the version of asfald you download before installation. This is easily done thanks to the checksums mirror, actually replicating what asfald does. First download asfald from its Github release. In this case we download version 0.5.1 for linux on x86_64. The file is named asfald-x86_64-unknown-linux-musl. We download it with curl but it can be downloaded by other means. If you need asfald on another platform, download the file named accordingly.

curl -L -O https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl

We then need to validate the downloaded file. This is easily done with this command, which uses sha256sum and curl. Use this same command, even if you downloaded asfald for another platform. The validation will still be effective as the checksums file covers files for all platforms.

sha256sum --ignore-missing -c <(curl --silent  https://gh.checksums.asfaload.com/github.com/asfaload/asfald/releases/download/v0.5.1/checksums.txt)

If validation is successful, you can move the file in your path and make it executable. In this example we make it available system-wide and use sudo:

sudo mv asfald-x86_64-unknown-linux-musl /usr/local/bin
sudo chmod +x /usr/local/bin/asfald

For the reference, here’s the excution of these commands with their output:

$ curl -L -O https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 4034k  100 4034k    0     0  3803k      0  0:00:01  0:00:01 --:--:-- 35.4M
$ sha256sum --ignore-missing -c <(curl --silent  https://gh.checksums.asfaload.com/github.com/asfaload/asfald/releases/download/v0.5.1/checksums.txt)
asfald-x86_64-unknown-linux-musl: OK

Usage

To download with asfald, you simply pass the URL of the file you want to download. For example, for downloading the latest asfald release with asfald, you do:

$ asfald https://github.com/asfaload/asfald/releases/download/v0.5.1/asfald-x86_64-unknown-linux-musl
INFO ℹ️ Using asfaload index on mirror
INFO ℹ️ Same checksum found in release
INFO 🗑️ Create temporary file...
INFO 🚚 Downloading file...
  [00:00:00] [###########################################################] 3.94 MiB/3.94 MiB (00:00:00)INFO ✅ File's checksum is valid !
INFO ✅ File's checksum is valid !

Similarly, all files published by projects hosted on Github and publishing a checksums file can be validated.

Attacks not covered

The current approach of only using the mirrored checksums file does not protect downloaders if the publishing account gets compromised or publishes malevolent files. Our signature scheme will protect against compromised publisher accounts.