Reproducible curl/libcurl (and OpenSSL) binaries for Windows
Switch branches/tags
Clone or download
Latest commit d352f95 Dec 12, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.appveyor.yml c-ares 1.15.0 [ci skip] Oct 23, 2018
.gitlab-ci.yml switch to clang-7 on debian:unstable [ci skip] Sep 20, 2018
.travis.yml .travis.yml: bump xcode version [ci skip] Nov 4, 2018
LICENSE.md minor updates [ci skip] Apr 20, 2017
README.md README.md: casing [ci skip] Nov 12, 2018
_build.sh finishing touches to recent signing updates [ci skip] Oct 27, 2018
_ci_linux_debian.sh switch to clang-7 on debian:unstable [ci skip] Sep 20, 2018
_ci_mac_homebrew.sh stop installing default osslsigncode [ci skip] Sep 11, 2018
_ci_win_msys2.sh stop installing default osslsigncode [ci skip] Sep 11, 2018
_dl.sh curl 7.63.0 Dec 12, 2018
_pack.sh tweak filelist assembly Aug 25, 2018
_peclean.py replace personal homepage links [ci skip] Jun 3, 2018
_sign.sh more signing fixes Oct 27, 2018
_ul.sh generate sha512 checksums too Aug 26, 2018
brotli.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
c-ares.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
codesign.p12.asc test code signing Aug 31, 2018
curl.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
curl_for_win_root_ca.crt test code signing Aug 31, 2018
deploy.key.asc test deploy to official upload area Aug 24, 2018
libhsts.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
libidn2.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
libssh2.patch libssh2: patch to fix openssl 1.1 detection with cmake [ci skip] Mar 14, 2018
libssh2.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
libssh2.test.patch libssh2: patch to fix openssl 1.1 detection with cmake [ci skip] Mar 14, 2018
libssh2_cmake.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
nghttp2.sh nghttp2: fix cross-environment reproducibility by disabling assert() Aug 25, 2018
openssl.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018
osslsigncode.patch use reference timestamp in code signature (and related fixes) Oct 26, 2018
osslsigncode.sh one more signing fix Oct 27, 2018
zlib.sh use reference timestamp in code signature (and related fixes) Oct 26, 2018

README.md

License Build status Build Status

Automated, reproducible, transparent, Windows builds for curl, nghttp2, brotli, libssh2 and OpenSSL 1.1

  • Packaging aims to follow popular binary releases found on the internet.
  • Both x64 and x86 packages are built using the same process.
  • Binary packages are downloadable in .zip and .tar.xz formats.
    Note that the .7z format was discontinued. Update your download links accordingly.
    .xz files and the resulting .tar archive can also be extracted using 7-Zip on Windows.
  • Standalone curl.exe (only msvcrt.dll is required).
  • curl/libcurl are built with HTTP/2 support enabled.
  • curl/libcurl features enabled by default:
    dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz brotli TLS-SRP HTTP2 HTTPS-proxy MultiSSL
  • The build process is fully transparent by using publicly available open source code, C compiler, build scripts and running the build in public, with open, auditable build logs.
  • C compiler toolchain is latest MinGW-w64 (non-multilib, x64 and x86) either via Homebrew (on macOS), APT (on Debian via Docker) or MSYS2 (on Windows). C compiler is GCC or LLVM/Clang for projects supporting it.
  • Binaries are cross-built and published from Linux (via AppVeyor CI), using LLVM/Clang for curl, libssh2, nghttp2, c-ares, brotli and zlib, and GCC for OpenSSL.
    Exact OS image used for the builds is debian:unstable (a reproducible image) via Docker.
  • Binaries are built with supported hardening options enabled.
  • Binaries are using DWARF in x86 and SEH in x64 builds.
  • Components are verified using SHA-256 hashes and also GPG signatures where available.
  • Generated binaries are reproducible, meaning they will have the same hash given the same input sources and C compiler.
  • Because the build environment is updated before each build, subsequent builds may use different versions/builds of the compiler toolchain. This may result in different generated binaries given otherwise unchanged source code and configuration, sometimes thus breaking reproducibility. This trade-off was decided to be tolerable for more ideal binaries and allowing this project to automatically benefit from continuous C compiler updates.
  • Patching policy: No locally maintained patches. Patches are only applied locally if already merged upstream or — in case it's necessary for a successful build — had them submitted upstream with fair confidence of getting accepted.
  • curl/libcurl are built in MultiSSL mode, with both OpenSSL and WinSSL available as SSL backends.
  • Optional support for C-ares.
  • Generated binaries are uploaded to VirusTotal.
  • If you need a download with a stable checksum, link to the penultimate version (or the revisioned binaries on the official download page). Only the current latest versions are kept updated with newer dependencies.
  • To verify the correct checksum for the latest build, you can look up the correct ones in the build log as they are generated. Watch for master branch job Image: Ubuntu, log lines starting with SHA256( or SHA512(: https://ci.appveyor.com/project/curlorg/curl-for-win/branch/master
  • The build process is multi-platform and able to cross-build Windows executables from *nix hosts (Linux and macOS tested.)
  • Packages created across different host platforms won't currently have identical hashes. The reason for this is the slightly different build options and versions of the mingw-w64 and binutils tools.
  • Binaries distributed via Bintray are GPG signed with Bintray's key pair: 8756 C4F7 65C9 AC3C B6B8 5D62 379C E192 D401 AB61
  • Code signing is implemented and enabled with a self-signed certificate. The signature intentionally omits a trusted timestamp to retain reproducibility. Signing is done using a custom patched osslsigncode build to enforce a stable non-trusted timestamp for reproducibility.

Binary package downloads

Live build logs

Guarantees and Liability

THIS SOFTWARE (INCLUDING RESULTING BINARIES) IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Information in this document is subject to change without notice and does not represent or imply any future commitment by the participants of the project.


This document © 2014–present Viktor Szakats
Creative Commons Attribution-ShareAlike 4.0