[keycloak-dev] SHA1 for checking Keycloak file integrity

Stian Thorgersen sthorger at redhat.com
Fri Jan 27 03:13:04 EST 2017


Checksums are already generated and Maven Central already has checksums
for all files:

http://search.maven.org/remotecontent?filepath=org/keycloak/keycloak-server-dist/2.5.1.Final/keycloak-server-dist-2.5.1.Final.zip
http://search.maven.org/remotecontent?filepath=org/keycloak/keycloak-server-dist/2.5.1.Final/keycloak-server-dist-2.5.1.Final.zip.sha1

The wrapper script should download from there and not from
downloads.jboss.org as it's slower.

We will add checksums to downloads.jboss.org and the website as well at
some point.

On 27 January 2017 at 02:04, Bruno Oliveira <bruno at abstractj.org> wrote:

> Ahoy, for the quickstarts we have to provide a wrapper, which will be
> responsible for downloading a specific version of Keycloak and other
> tasks[1].
>
> For this wrapper we have some scenarios:
>
> Scenario #1: User executes the script and manages to download Keycloak
> Scenario #2: User executes the script and the download is interrupted, which
> means that next time the script will resume that download
> Scenario #3: User already downloaded Keycloak and of course she does not
> want to do it again.
>
> For scenario 3, I was thinking about generating a SHA1[2] file for each
> Keycloak distribution to check the integrity of that file, not only for
> security, but for consistency. If we just check if the file exists, thinking
> about scenarios 2 and 3, we can't tell if that file was corrupted or not.
>
> Thoughts?
>
>
>
> [1] - https://issues.jboss.org/browse/KEYCLOAK-4321
> [2] - http://maven.apache.org/plugins/maven-install-plugin/examples/installing-checksums.html
>
> --
>
> abstractj
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
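
The check discussed in this thread, as an added example that is not part of the original messages or of Keycloak's wrapper: given a local archive and its published .sha1 file, decide which of scenarios 1 to 3 applies. The function names are hypothetical, and the archive and checksum file are assumed to have been fetched already.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Keycloak wrapper.

# Print the lowercase hex SHA-1 of a file with whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    fi
}

# Read the digest from a .sha1 file. The file may hold just the digest or
# "digest  filename", so take the first field of the first line.
expected_sha1() {
    awk 'NR==1 {print tolower($1)}' "$1"
}

# plan_download ARCHIVE SHA1FILE
# Prints the action for the wrapper to take:
#   download  no local archive yet                      (scenario 1)
#   resume    archive present but digest differs:       (scenario 2)
#             partial or corrupted download
#   skip      archive present and digest matches        (scenario 3)
# Returns 2 if the checksum file is missing or is not a SHA-1 digest.
plan_download() {
    archive=$1
    sha1file=$2
    [ -f "$archive" ] || { echo download; return 0; }
    [ -s "$sha1file" ] || { echo "no checksum: $sha1file" >&2; return 2; }
    want=$(expected_sha1 "$sha1file")
    # Guard against an error page saved in place of the checksum.
    case $want in
        ""|*[!0-9a-f]*) echo "malformed checksum: $sha1file" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "malformed checksum: $sha1file" >&2; return 2; }
    if [ "$(sha1_of "$archive")" = "$want" ]; then
        echo skip
    else
        echo resume
    fi
}
```

After a resume, run plan_download again and delete the archive if it still does not report skip. A checksum fetched from the same server as the archive detects truncation and corruption but does not authenticate the publisher.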

