[CMake] FetchContent/ExternalProject and URL_HASH

Dustyn Blasig dustyn at blasig.us
Sun Jul 21 20:37:01 EDT 2019


Thanks for the info, Craig.

I'm not very familiar with the intricacies of network downloads. If the
download itself guarantees the file was transferred correctly and the
checksum is only being used to verify its authenticity, then we probably don't
need it as we're only downloading these artifacts from trusted internal
sources. However, if the checksums need to be used in some cases to verify
the download was actually received and is in one correct piece then pulling
the checksum file and basically failing if either is corrupted is fine for
our use case. Can we assume the former, that CMake (and the underlying
tools) will guarantee the file is downloaded successfully even in the event
of a CTRL-C interruption or other signals?


On Sun, Jul 21, 2019 at 3:49 AM Craig Scott <craig.scott at crascit.com> wrote:

>
>
> On Wed, Jul 17, 2019 at 12:59 PM Dustyn Blasig <dustyn at blasig.us> wrote:
>
>> Hi All,
>>
>> We are pulling some artifacts from Artifactory which provides a checksum
>> file along with the artifacts at <artifact-url>.md5 or .sha256. If I do not
>> include URL_HASH, does CMake automatically check to see if such a checksum
>> file exists and use its value for the hash check? Or is there a way to
>> provide a URL for the checksum file rather than having to do file(DOWNLOAD
>> <checksum>), file(STRING <checksum-file>), URL_HASH=<checksum-var>?
>>
>
> The point of the checksum file is to verify the file downloaded. It
> doesn't make a whole lot of sense to then download another file to provide
> that checksum, you'd just be moving the problem along one level of
> indirection. The assumption is when you provide the URL to be downloaded,
> if you want to use a checksum then you should also be able to provide that
> along with the URL. When the URL is being constructed on-the-fly though,
> this isn't typically true. In that case, you can't typically provide a
> checksum that isn't itself downloaded and therefore needs to be verified
> itself.
>
> To more directly answer your question, CMake doesn't offer any feature to
> automatically download a checksum file (that I'm aware of). The file
> command expects the actual checksum, not a location for where to retrieve
> it from for the reasons mentioned above.
>
> --
> Craig Scott
> Melbourne, Australia
> https://crascit.com
>
> Get the hand-book for every CMake user: Professional CMake: A Practical
> Guide <https://crascit.com/professional-cmake/>
>
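
Added example, not part of the original thread and not code from CMake or either poster: the download-the-checksum-file workflow asked about above, written as a script for `cmake -P`. The helper name `read_sidecar_sha256`, the `_demo` directory and the `file://` stand-in for the artifact server are assumptions made for illustration (Unix-like absolute paths assumed).

```cmake
cmake_minimum_required(VERSION 3.14)

# Hypothetical helper: download "<url>.sha256" and return a validated digest.
function(read_sidecar_sha256 url out_var)
  set(sidecar "${CMAKE_CURRENT_LIST_DIR}/_demo/sidecar.sha256")
  file(DOWNLOAD "${url}.sha256" "${sidecar}" STATUS status TLS_VERIFY ON)
  list(GET status 0 code)
  if(NOT code EQUAL 0)
    message(FATAL_ERROR "Checksum download failed: ${status}")
  endif()
  file(READ "${sidecar}" text)
  # Reject error pages or truncated files: require exactly 64 leading hex digits.
  # (CMake regexes have no {n} quantifier, so the length is checked separately.)
  if(NOT text MATCHES "^([0-9A-Fa-f]+)")
    message(FATAL_ERROR "No hex digest in ${url}.sha256")
  endif()
  set(digest "${CMAKE_MATCH_1}")
  string(LENGTH "${digest}" len)
  if(NOT len EQUAL 64)
    message(FATAL_ERROR "Expected 64 hex digits, got ${len}")
  endif()
  string(TOLOWER "${digest}" digest)
  set(${out_var} "${digest}" PARENT_SCOPE)
endfunction()

# Constructed stand-in for the artifact server: local files served via file://.
set(demo "${CMAKE_CURRENT_LIST_DIR}/_demo")
file(WRITE "${demo}/server/artifact.txt" "constructed sample artifact\n")
file(SHA256 "${demo}/server/artifact.txt" published)
file(WRITE "${demo}/server/artifact.txt.sha256" "${published}  artifact.txt\n")
set(url "file://${demo}/server/artifact.txt")

read_sidecar_sha256("${url}" digest)
# EXPECTED_HASH makes file(DOWNLOAD) fail if the received bytes do not match.
file(DOWNLOAD "${url}" "${demo}/artifact.txt" EXPECTED_HASH SHA256=${digest})
message(STATUS "verified against sidecar: ${digest}")

# In a project, the same value can feed FetchContent:
#   FetchContent_Declare(artifact URL "${url}" URL_HASH SHA256=${digest})
# The digest came from the same server as the artifact, so this catches
# transfer corruption only. A digest written literally in CMakeLists.txt
# also catches an artifact that was replaced on the server.
```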