
Download verification

Open tschf opened this issue 8 years ago • 6 comments

There is no checksum that I could see to verify the downloads, but if you enter an incorrect password, the file is returned as an HTML document, with the error inside.

Edit: some do provide checksums:

| Component      | Provides checksum? | Type           |
|----------------|--------------------|----------------|
| Instant Client | yes                | cksum          |
| Java           | yes                | sha256, md5sum |
| SQL Developer  | no                 |                |
| APEX           | no                 |                |
| ORDS           | no                 |                |

tschf avatar Jan 25 '17 22:01 tschf

Interestingly, the instant client downloads do provide a cksum:

[screenshot omitted]

Not sure why that's the only one that does.

tschf avatar Jan 30 '17 20:01 tschf

The Java download page for e.g. 8u121 provides a link: JDK 8u121 checksum.

tschf avatar Jan 30 '17 21:01 tschf

Oracle XE - not officially (on OTN downloads pages), but on the docker repository: https://github.com/oracle/docker-images/blob/master/OracleDatabase/dockerfiles/11.2.0.2/Checksum.xe

tschf avatar Jan 30 '17 21:01 tschf

Checking status codes: an invalid file URL is fine, as it ends with a 404, but invalid authentication doesn't end with a 403.

```
go run main.go --component apex --version 5.1 --os na --arch na --lang en --accept-license
Beginning download process for apex 5.1
Request:  https://edelivery.oracle.com/akam/otn/java/appexpress/apex_5.1_en.zip
Response:  200 200 OK
X-Oracle-Dms-Ecid: [005I3uMmD9N9xWw70Fq2UF0000Tj00039k]
X-Powered-By: [Servlet/2.5 JSP/2.1]
Content-Type: [text/html;charset=UTF-8]
Content-Language: [en]
Date: [Sat, 11 Feb 2017 10:22:18 GMT]
Content-Length: [4025]
Set-Cookie: --

Response2:  200 200 OK
Set-Cookie: --
X-Oracle-Dms-Ecid: [005I3uMnC_V9xWw70Fq2UF0000Tj00039o]
X-Powered-By: [Servlet/2.5 JSP/2.1]
Content-Type: [text/html;charset=UTF-8]
Content-Language: [en]
Date: [Sat, 11 Feb 2017 10:22:18 GMT]
Content-Length: [3690]
apex_5.1_en.zip: 3.60 KB / 3.60 KB [==========================================================] 100.00% 0
Download complete.
```

Edit: with invalid creds, an invalid file URL doesn't result in a 404 anywhere.

tschf avatar Feb 11 '17 10:02 tschf
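The failure mode shown in the transcript above (a 200 response whose body is a 3.6 KB HTML error page rather than the archive) can be caught before anything is written to disk. The following is an added example, not code from this downloader, in Go because the tool itself is run with `go run main.go`. It refuses a response unless the body begins with a ZIP signature, treats a `text/html` Content-Type or a body starting with `<` as the server's error page, and pulls the page `<title>` into the error so the user sees why. The HTTP server in `main` is a constructed stand-in that imitates the observed behaviour (HTML with status 200 for a wrong password); the `pw` query parameter and the page title are assumptions for the demo only.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrHTMLResponse: the server answered with an HTML page (its login/error
// page) instead of the archive, even though the status was 200.
var ErrHTMLResponse = errors.New("server returned an HTML page instead of the archive")

// ZIP signatures: local file header, and the end-of-central-directory
// record that an empty archive starts with.
var zipMagics = [][]byte{{'P', 'K', 0x03, 0x04}, {'P', 'K', 0x05, 0x06}}

// htmlTitle returns the text of the first <title> element, or "" if none.
func htmlTitle(body []byte) string {
	lower := bytes.ToLower(body)
	start := bytes.Index(lower, []byte("<title>"))
	if start < 0 {
		return ""
	}
	start += len("<title>")
	end := bytes.Index(lower[start:], []byte("</title>"))
	if end < 0 {
		return ""
	}
	return strings.TrimSpace(string(body[start : start+end]))
}

// CheckArchiveResponse decides whether a response is a real ZIP archive. It
// trusts neither the 200 status nor the Content-Type on its own: the leading
// bytes of the body are inspected too, so a mislabelled HTML page is still caught.
func CheckArchiveResponse(status int, contentType string, head []byte) error {
	if status != http.StatusOK {
		return fmt.Errorf("unexpected HTTP status %d", status)
	}
	for _, magic := range zipMagics {
		if bytes.HasPrefix(head, magic) {
			return nil
		}
	}
	mediaType, _, err := mime.ParseMediaType(contentType)
	isHTML := err == nil && mediaType == "text/html"
	if isHTML || bytes.HasPrefix(bytes.TrimLeft(head, " \t\r\n"), []byte("<")) {
		if t := htmlTitle(head); t != "" {
			return fmt.Errorf("%w (page title: %q)", ErrHTMLResponse, t)
		}
		return ErrHTMLResponse
	}
	return errors.New("body does not start with a ZIP signature")
}

// FetchArchive downloads url and returns the body only if it passes the check.
func FetchArchive(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	head := body
	if len(head) > 4096 {
		head = head[:4096] // only the start is needed for the signature / HTML sniff
	}
	if err := CheckArchiveResponse(resp.StatusCode, resp.Header.Get("Content-Type"), head); err != nil {
		return nil, err
	}
	return body, nil
}

func main() {
	// Constructed stand-in for the download server: wrong password -> 200 with an
	// HTML error page; right password -> a minimal (empty) ZIP archive.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("pw") != "correct" {
			w.Header().Set("Content-Type", "text/html;charset=UTF-8")
			io.WriteString(w, "<html><head><title>Sign In Error</title></head><body>Invalid credentials</body></html>")
			return
		}
		w.Header().Set("Content-Type", "application/zip")
		w.Write([]byte{'P', 'K', 0x05, 0x06, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	}))
	defer srv.Close()
	for _, q := range []string{"pw=wrong", "pw=correct"} {
		_, err := FetchArchive(srv.URL + "/apex_5.1_en.zip?" + q)
		fmt.Printf("%-10s err=%v html=%v\n", q, err, errors.Is(err, ErrHTMLResponse))
	}
}
```

Callers should test with `errors.Is(err, ErrHTMLResponse)` so they can distinguish "your credentials were rejected" from a transport error; the status code alone never tells them, as the transcript shows.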

Since Oracle just provides cryptographically insecure checksums for their Instant-Client downloads (cksum does CRC), it would be great if you could include independent sha256 checksums in this repository. For example, a bunch of configuration files for the different products that provide filename/sha256 dictionaries and are then built into the downloader binary.

The sha256 checksum could be provided by any contributor, thus it would be a trust-on-first-use workflow - which is still better than relying on cksum CRC.

gsauthof avatar Jan 14 '18 19:01 gsauthof

> it would be great if you could include independent sha256 checksums in this repository

Not a bad idea. One issue is the way some products are released. For example, APEX: the filename remains the same no matter which patch set is current. So it would be a matter of updating the expected checksum as updates are rolled out. Others include the full version in the filename. I was attempting to scrape the download page, e.g. for sqlcl, to grab the latest available version. I suppose only applying the checksum check if it exists in the submitted checksums could be a path forward.

tschf avatar Jan 15 '18 02:01 tschf
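To make the proposal in the last two comments concrete (a contributor-maintained filename/sha256 list, checked only when an entry exists, with SHA-256 replacing the CRC that `cksum` gives), here is an added example in Go; it is not code from this repository. It parses an `sha256sum`-style list into a map, so a bumped patch set behind a constant filename such as `apex_5.1_en.zip` is just a replaced line, and reports three outcomes: verified, mismatch (fail), or unpinned (warn only). The `samplePins` text and the `"hello"` payload are constructed for the demo; the digest in it is the SHA-256 of `"hello"`, not of any real download.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Verdict is the outcome of checking a download against the pinned digests.
type Verdict int

const (
	Unpinned Verdict = iota // no digest on file for this name: warn, don't fail
	Verified                // digest matches the pinned value
	Mismatch                // digest differs: the file must not be used
)

// Pins maps a download filename to its expected hex-encoded SHA-256.
type Pins map[string]string

// ParsePins reads sha256sum-style lines ("<hex digest>  <filename>"), ignoring
// blank lines and '#' comments. A later line for the same filename replaces an
// earlier one, which is how a patch-set bump behind a constant filename would
// be rolled out by a contributor.
func ParsePins(r io.Reader) (Pins, error) {
	pins := Pins{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		text := strings.TrimSpace(sc.Text())
		if text == "" || strings.HasPrefix(text, "#") {
			continue
		}
		fields := strings.Fields(text)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected '<sha256>  <filename>'", n)
		}
		digest := strings.ToLower(fields[0])
		if len(digest) != sha256.Size*2 {
			return nil, fmt.Errorf("line %d: digest has %d hex chars, want %d", n, len(digest), sha256.Size*2)
		}
		if _, err := hex.DecodeString(digest); err != nil {
			return nil, fmt.Errorf("line %d: digest is not hex: %w", n, err)
		}
		pins[strings.TrimPrefix(fields[1], "*")] = digest // "*" is sha256sum's binary-mode marker
	}
	return pins, sc.Err()
}

// Verify hashes data and compares it with the pin for filename. A missing pin
// is not an error (tschf's "only apply the check if it exists"); a mismatch is.
func (p Pins) Verify(filename string, data []byte) (Verdict, error) {
	want, ok := p[filename]
	if !ok {
		return Unpinned, nil
	}
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return Mismatch, fmt.Errorf("%s: sha256 mismatch: got %s, want %s", filename, got, want)
	}
	return Verified, nil
}

// samplePins is a constructed pin file for the demo. The digest is the SHA-256
// of the constructed payload "hello", not of any real Oracle download.
const samplePins = `# filename is the key: a new patch set with the same name means replacing this line
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  apex_5.1_en.zip
`

func main() {
	pins, err := ParsePins(strings.NewReader(samplePins))
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		data []byte
	}{
		{"apex_5.1_en.zip", []byte("hello")}, // pinned, matches
		{"apex_5.1_en.zip", []byte("hellp")}, // pinned, tampered
		{"sqlcl-unknown.zip", []byte("x")},   // not pinned: warn only
	} {
		v, err := pins.Verify(c.name, c.data)
		fmt.Printf("%-18s verdict=%d err=%v\n", c.name, v, err)
	}
}
```

Because the list is filled in by whoever first downloads a release, it is trust-on-first-use: it detects a file that changes after pinning, not a file that was already bad when pinned. That is the trade-off gsauthof describes, and it still beats a CRC, which offers no resistance to deliberate tampering.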