- Packaging aims to follow popular binary releases found on the internet.
- Both x64 and x86 packages are built using the same process.
- Binary packages are downloadable in
.xzfiles and the resulting
.tararchive can be extracted using 7-Zip.
- Binary packages are signed with PGP key [EXPERIMENTAL]:
002C 1689 65BA C220 2118 408B 4ED8 5DF9 BB3D 0DE8
- curl/libcurl are built with HTTP/2 support enabled.
- curl/libcurl features enabled by default (
dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP Unicode UnixSockets zstd
- The build process is fully transparent by using publicly available open source code, C compiler, build scripts and running the build in public, with open, auditable build logs.
- C compiler toolchain is latest MinGW-w64 (non-multilib, x64 and x86) either via Homebrew (on macOS), APT (on Debian via Docker) or MSYS2. C compiler is GCC or LLVM/Clang for projects supporting it.
- Binaries are cross-built and published from Linux
(via AppVeyor CI), using LLVM/Clang for
and GCC for OpenSSL.
Exact OS image used for the builds is
debian:testing(a reproducible image) via Docker.
- Binaries are built with supported hardening options enabled.
- Binaries are using DWARF in x86 and SEH in x64 builds.
- Components are verified using SHA-256 hashes and also GPG signatures where available.
- Generated binaries are reproducible, meaning they will have the same hash given the same input sources and C compiler.
- Because the build environment is updated before each build, subsequent builds may use different versions/builds of the compiler toolchain. This may result in different generated binaries given otherwise unchanged source code and configuration, sometimes thus breaking reproducibility. This trade-off was decided to be tolerable for more ideal binaries and allowing this project to automatically benefit from continuous C compiler updates.
- Patching policy: No locally maintained patches. Patches are only applied locally if already merged upstream or — in case it is necessary for a successful build — had them submitted upstream with fair confidence of getting accepted.
- curl/libcurl are built in MultiSSL mode, with both OpenSSL and Schannel available as SSL backends.
- Optional support for c-ares.
- Generated binaries are uploaded to VirusTotal.
- To verify the correct checksum for the latest build, you can look up the
correct ones in the build log as they are generated. Watch for
Image: Ubuntu, log lines starting with
- The build process is multi-platform and able to cross-build Windows executables from *nix hosts (Linux and macOS tested.)
- Packages created across different host platforms will not currently have
identical hashes. The reason for this is the slightly different build
options and versions of the
- Code signing is implemented and enabled with a self-signed certificate.
The signature intentionally omits a trusted timestamp to retain
reproducibility. Signing is done using a custom patched
osslsigncodebuild to enforce a stable non-trusted timestamp for reproducibility.
Binary package download
- Official page, latest version:
- Official page, specific versions (back to 7.66.0):
Guarantees and Liability
THIS SOFTWARE (INCLUDING RESULTING BINARIES) IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Information in this document is subject to change without notice and does not represent or imply any future commitment by the participants of the project.
This document © 2014–present Viktor Szakats