Asfaload downloader alpha published

Raphaël 2024-09-16

Asfaload develops a solution to help secure and authenticate downloads from the internet, aiming to check the integrity and authenticity of downloaded files.

Today, we publish the first version of our downloader tool asfd, which, as a first step in our journey, checks the integrity of downloaded files.

Checking authenticity is our end goal, but as we are publishing the tool under a Free and Open Source License, we decided not to wait and to release asfd now, even though it only checks the integrity of a downloaded file. This already increases security in numerous scenarios and at the same time helps us understand how the tool is really used.

How does it work?

For integrity validation to be possible, the publishing project needs to publish a checksums file alongside the file to be downloaded. Even though this is not yet a standard practice, it is not rare either (see for example Lazygit, mise, watchexec, GitHub’s CLI, act (run GitHub Actions locally), neovim, …). By default the tool recognises different naming conventions (CHECKSUM.txt, checksums.txt, …), but it also lets you specify the name of the checksums file, which can be on another server. This lets you host checksums files internally, allowing integrity checking even for projects that do not publish checksums files. Hosting a checksums file on another server also increases security, as malevolent actors now have 2 locations to compromise before they can trick you into downloading erroneous software without you noticing.

We also support different hashing schemes, most notably sha256 and sha512.

When downloading a file, asfd will look for a checksums file. The default behaviour is to not download the file if its checksums file is not found, but this can be overridden with the flag --force-absent. If the checksums file is found, it is downloaded as well as the requested file. When both are downloaded, the checksum of the requested file is computed and compared to its expected value found in the checksums file. If they differ, the file is not kept on disk. If they are the same, the download is successful and the file is stored on disk.
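The decision flow described above can be sketched in Python as follows. This is an added example, not asfd's own code: the function names are hypothetical, the checksums file is assumed to use the `<hex digest>  <filename>` layout produced by sha256sum/sha512sum, and the network fetch is replaced by constructed in-memory data.

```python
import hashlib
import hmac
import os

# Hex digest length -> algorithm, for the two schemes the post names.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}

def parse_checksums(text):
    """Parse '<hex digest>  <filename>' lines into {filename: (algo, digest)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo and all(c in "0123456789abcdef" for c in digest):
            entries[name] = (algo, digest)
    return entries

def store_if_valid(payload, filename, checksums_text, dest_dir, force_absent=False):
    """Write payload to dest_dir/filename only when it passes the check.

    checksums_text is None when no checksums file was found.
    Returns the stored path, or None when the download is rejected.
    """
    if checksums_text is None:
        if not force_absent:
            return None  # default: refuse unverifiable downloads
    else:
        entry = parse_checksums(checksums_text).get(filename)
        if entry is None:
            return None  # assumption: an unlisted file counts as unverifiable
        algo, expected = entry
        actual = hashlib.new(algo, payload).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return None  # mismatch: nothing is written to disk
    path = os.path.join(dest_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(payload)
    return path

# Constructed sample input (not real release data).
SAMPLE_PAYLOAD = b"constructed release artifact\n"
SAMPLE_CHECKSUMS = (
    "# constructed checksums file\n"
    f"{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}  tool.tar.gz\n"
    f"{hashlib.sha512(b'other').hexdigest()}  other.bin\n"
)
```

Passing `force_absent=True` with no checksums file stores the payload unverified, which is why the default is to refuse.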

Why is it useful?

A good example of its usefulness is its use in Dockerfiles when downloading resources from the internet. Checking the file’s checksum ensures your image is using valid resources. You can replace calls to wget or curl and get an additional integrity check. And if you host the checksums file yourself, you will even detect if the source modifies the resource (e.g. in case of deleted package hijack).

Looking for feedback

We’re only at the beginning of our journey with asfd and the Asfaload project, and are looking for feedback to improve our solutions. Don’t hesitate to contact us via our form, the comments below, or GitHub issues. And if you like the project, don’t forget to give us a star!