Skip to content

moovy2/curl-for-win

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,705 Commits
.appveyor.yml
.appveyor.yml
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
LICENSE.md
LICENSE.md
 
 
MIT.svg
MIT.svg
 
 
README.md
README.md
 
 
_build.sh
_build.sh
 
 
_bumper.sh
_bumper.sh
 
 
_ci-linux-debian.sh
_ci-linux-debian.sh
 
 
_ci-mac-homebrew.sh
_ci-mac-homebrew.sh
 
 
_ci-win-msys2.sh
_ci-win-msys2.sh
 
 
_dl.sh
_dl.sh
 
 
_peclean.py
_peclean.py
 
 
_pkg.sh
_pkg.sh
 
 
_sign-code.sh
_sign-code.sh
 
 
_sign-pkg.sh
_sign-pkg.sh
 
 
_ul-askpass.sh
_ul-askpass.sh
 
 
_ul.sh
_ul.sh
 
 
_versions.sh
_versions.sh
 
 
brotli.sh
brotli.sh
 
 
cc-by-sa.svg
cc-by-sa.svg
 
 
curl-for-win-ca-cert.pem
curl-for-win-ca-cert.pem
 
 
curl.sh
curl.sh
 
 
deploy.key.asc
deploy.key.asc
 
 
libgsasl.sh
libgsasl.sh
 
 
libidn2.sh
libidn2.sh
 
 
libressl.sh
libressl.sh
 
 
libssh2.patch
libssh2.patch
 
 
libssh2.sh
libssh2.sh
 
 
libssh2.test.patch
libssh2.test.patch
 
 
nghttp2.sh
nghttp2.sh
 
 
nghttp3.sh
nghttp3.sh
 
 
ngtcp2.sh
ngtcp2.sh
 
 
openssl.sh
openssl.sh
 
 
osslsigncode.sh
osslsigncode.sh
 
 
sign-code.p12.asc
sign-code.p12.asc
 
 
sign-pkg-public.asc
sign-pkg-public.asc
 
 
sign-pkg.gpg.asc
sign-pkg.gpg.asc
 
 
zlib.sh
zlib.sh
 
 

Repository files navigation

License Build status

Automated, reproducible, transparent, Windows builds for curl

  • Packaging aims to follow popular binary releases found on the internet.
  • Both x64 and x86 packages are built using the same process.
  • Binary packages are downloadable in .zip and .tar.xz formats.
    .xz files and the resulting .tar archive can be extracted using 7-Zip.
  • Binary packages are signed with PGP key [EXPERIMENTAL]:
    https://raw.githubusercontent.com/curl/curl-for-win/main/sign-pkg-public.asc
    002C 1689 65BA C220 2118 408B 4ED8 5DF9 BB3D 0DE8
  • Standalone curl.exe and libcurl.dll (only msvcrt.dll is required).
  • curl/libcurl are built with HTTP/2 support enabled.
  • default builds, with the default TLS backend OpenSSL and Schannel as runtime-selectable option:
    • Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    • Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSockets
    • Libraries: -lcurl -lwldap32 -lcrypt32 -lz -lnghttp2 -lssh2 -lgsasl -lbcrypt -lssl -lcrypto -lidn2 -lbrotlidec-static -lbrotlicommon-static
  • "quic" builds:
    • Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    • Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSockets
    • Libraries: -lcurl -lwldap32 -lcrypt32 -lz -lnghttp2 -lssh2 -lgsasl -lbcrypt -lssl -lcrypto -lidn2 -lbrotlidec-static -lbrotlicommon-static -lnghttp3 -lngtcp2
  • "mini" builds, with the single TLS backend Schannel, and system IDN backend:
    • Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    • Features: alt-svc AsynchDNS gsasl HSTS HTTP2 IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI UnixSockets
    • Libraries: -lcurl -lwldap32 -lcrypt32 -lz -lnghttp2 -lssh2 -lgsasl -lbcrypt
  • "micro" builds, without libssh2 and libgsasl:
    • Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    • Features: alt-svc AsynchDNS HSTS HTTP2 IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI UnixSockets
    • Libraries: -lcurl -lwldap32 -lcrypt32 -lz -lnghttp2
  • "nano" builds, HTTP/1.1-only:
    • Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    • Features: alt-svc AsynchDNS HSTS IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI UnixSockets
    • Libraries: -lcurl -lwldap32 -lcrypt32 -lz
  • The build process is fully transparent by using publicly available open source code, C compiler, build scripts and running the build in public, with open, auditable build logs.
  • C compiler toolchain is latest MinGW-w64 (non-multilib, x64 and x86) either via Homebrew (on macOS), APT (on Debian via Docker) or MSYS2. C compiler is LLVM/Clang.
  • Binaries are cross-built and published from Linux (via AppVeyor CI).
    OS image used for the builds is debian:testing-slim (a reproducible image) via Docker.
  • Binaries are built with supported hardening options enabled.
  • Binaries are using DWARF in x86 and SEH in x64 builds.
  • Components are verified using SHA-256 hashes and also GPG signatures where available.
  • Generated binaries are reproducible, meaning they will have the same hash given the same input sources and C compiler.
  • Because the build environment is updated before each build, builds may use different versions/builds of the compiler toolchain. This may result in different generated binaries given otherwise unchanged source code and configuration, sometimes thus breaking reproducibility. This is a trade-off for more optimal binaries and to automatically make use of continuous C compiler updates.
  • Patching policy: No locally maintained patches. Patches are applied locally if already merged upstream or — if necessary for a successful build — had them submitted upstream with fair confidence of getting accepted.
    NOTE: As of 2021, there is a small local patch applied to the OpenSSL configure script, which fixes a bug which in turn is necessary to better mitigate a high-severity vulnerability (CVE-2019-5443), which still has an incomplete fix in the default OpenSSL builds for Windows. The OpenSSL team rejected both patches. Even though the patch is minor, there is no promise that it will be maintained here for an indefinite time. Another option under consideration is to migrate to an OpenSSL alternative (e.g. LibreSSL, rustls or Schannel).
  • Generated binaries are uploaded to VirusTotal.
  • To verify the correct checksum for the latest build, you can look up the correct ones in the build log as they are generated. Watch for main branch job Image: Ubuntu, log lines starting with SHA256( or SHA512(: https://ci.appveyor.com/project/curlorg/curl-for-win/branch/main
  • The build process is multi-platform and able to cross-build Windows executables from *nix hosts (Linux and macOS tested.)
  • Packages created across different host platforms will not have identical hashes. The reason for this is the slightly different build options and versions of the mingw-w64 and binutils tools.
  • Code signing is implemented and enabled with a self-signed certificate. The signature intentionally omits a trusted timestamp for reproducibility.

Official binary downloads

Build logs

https://ci.appveyor.com/project/curlorg/curl-for-win/history

Guarantees and Liability

THIS SOFTWARE (INCLUDING RESULTING BINARIES) IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Information in this document is subject to change without notice and does not represent or imply any future commitment by the participants of the project.

This document © 2014–present Viktor Szakats
Creative Commons Attribution-ShareAlike 4.0

About

Reproducible curl binaries for Windows

curl.se/windows/

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 99.1%
  • Python 0.9%