Download verification #14

Open
tschf opened this issue Jan 25, 2017 · 6 comments

Comments

@tschf
Owner

tschf commented Jan 25, 2017

There is no checksum that I could see to verify the downloads, but if you enter an incorrect password, the file is returned as an HTML document, with the error inside.

Edit, some do provide checksums:

| Component | Provides checksum? | Type |
|---|---|---|
| Instant Client | yes | cksum |
| Java | yes | sha256,md5sum |
| SQL Developer | no | |
| APEX | no | |
| ORDS | no | |

@tschf
Owner Author

tschf commented Jan 30, 2017

Interestingly, the instant client downloads do provide a cksum:

Not sure why that's the only one that does

@tschf
Owner Author

tschf commented Jan 30, 2017

The Java download page, e.g. for 8u121, provides a link: JDK 8u121 checksum

@tschf
Owner Author

tschf commented Jan 30, 2017

Oracle XE - not officially (on OTN downloads pages), but on the docker repository: https://github.com/oracle/docker-images/blob/master/OracleDatabase/dockerfiles/11.2.0.2/Checksum.xe

@tschf
Owner Author

tschf commented Feb 11, 2017

Checking status codes, invalid file URL is good, as it ends with a 404. But invalid authentication doesn't end with 403.

```
go run main.go --component apex --version 5.1 --os na --arch na --lang en --accept-license
Beginning download process for apex 5.1
Request:  https://edelivery.oracle.com/akam/otn/java/appexpress/apex_5.1_en.zip
Response:  200 200 OK
X-Oracle-Dms-Ecid: [005I3uMmD9N9xWw70Fq2UF0000Tj00039k]
X-Powered-By: [Servlet/2.5 JSP/2.1]
Content-Type: [text/html;charset=UTF-8]
Content-Language: [en]
Date: [Sat, 11 Feb 2017 10:22:18 GMT]
Content-Length: [4025]
Set-Cookie: --

Response2:  200 200 OK
Set-Cookie: --
X-Oracle-Dms-Ecid: [005I3uMnC_V9xWw70Fq2UF0000Tj00039o]
X-Powered-By: [Servlet/2.5 JSP/2.1]
Content-Type: [text/html;charset=UTF-8]
Content-Language: [en]
Date: [Sat, 11 Feb 2017 10:22:18 GMT]
Content-Length: [3690]
apex_5.1_en.zip: 3.60 KB / 3.60 KB [==========================================================] 100.00% 0
Download complete.
```

edit. With invalid creds, invalid file URL doesn't result in a 404, anywhere.

@gsauthof

Since Oracle just provides cryptographically insecure checksums for their Instant-Client downloads (cksum does CRC), it would be great if you could include independent sha256 checksums in this repository. For example, a bunch of configuration files for the different products that provide filename/sha256 dictionaries and are then built into the downloader binary.

The sha256 checksum could be provided by any contributor, thus it would be a trust-on-first-use workflow - which is still better than relying on cksum CRC.

@tschf
Owner Author

tschf commented Jan 15, 2018

> it would be great if you could include independent sha256 checksums in this repository

Not a bad idea. One issue is the way some products are released. For example, APEX: the filename remains the same no matter which patch set is current. So it would be a matter of updating the expected checksum as updates are rolled out. Others include the full version in the filename - I was attempting to scrape the download page e.g. for sqlcl to grab the latest available version. I suppose only applying the checksum check if it exists in the submitted checksums could be a path forward.
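
The checks discussed in this thread, combined in one function as an added example (not code from this repository or from any commenter): reject a body that is really an HTML error page served with a 200, then compare against a SHA-256 pinned in the binary only when one exists for that file name. The names `pinnedSHA256`, `VerifyDownload`, `ErrHTMLBody` and `ErrMismatch` are hypothetical, and the pinned entry is a constructed sample.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// pinnedSHA256 maps file name -> hex SHA-256. Constructed entry: the digest
// of the 3-byte payload "abc", standing in for a real archive.
var pinnedSHA256 = map[string]string{
	"sample.zip": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

var (
	ErrHTMLBody = errors.New("got an HTML page instead of the file")
	ErrMismatch = errors.New("sha256 mismatch")
)

// VerifyDownload reports whether body was checked against a pinned digest.
// It fails on an HTML body (the 200-with-error-page case) or a wrong digest;
// a file with no pinned digest passes unchecked (false, nil).
func VerifyDownload(name, contentType string, body []byte) (bool, error) {
	isHTML := func(s string) bool {
		return strings.HasPrefix(strings.ToLower(s), "text/html")
	}
	if isHTML(contentType) || isHTML(http.DetectContentType(body)) {
		return false, ErrHTMLBody
	}
	want, pinned := pinnedSHA256[name]
	if !pinned {
		return false, nil
	}
	sum := sha256.Sum256(body)
	if got := hex.EncodeToString(sum[:]); got != want {
		return false, fmt.Errorf("%w for %s: got %s", ErrMismatch, name, got)
	}
	return true, nil
}

func main() {
	checked, err := VerifyDownload("sample.zip", "application/zip", []byte("abc"))
	fmt.Println(checked, err)
	_, err = VerifyDownload("apex_5.1_en.zip", "text/html;charset=UTF-8", []byte("<html>"))
	fmt.Println(err)
}
```

A caller should surface the `false, nil` result to the user as "downloaded but not verified" rather than treating it as success, since an unpinned file has had no integrity check at all.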
