Download the Latest Release from GitHub and Verify Its Integrity Using Checksums
About
GitHub hosts millions of open-source projects, many of which provide compiled binaries for various platforms as part of their releases. When you’re looking to download the latest version of a project, you might wonder how to do it efficiently from the command line, without manually navigating the GitHub website. Fortunately, GitHub provides an API that allows you to access release information programmatically. In this post, we’ll explore how to download the latest release of any GitHub project from the command line, using curl and the GitHub API.
Additionally, we’ll cover how to verify the integrity of the downloaded artifact using checksum files, ensuring that the file has not been tampered with or corrupted during the download process.
Prerequisites
Before diving into the commands, make sure you have the following command line dependencies installed:
- curl: A command-line tool for transferring data with URLs.
- jq: A lightweight and flexible command-line JSON processor.
- tr: A utility for translating or deleting characters.
- sha256sum: A tool to compute and verify SHA256 checksums.
You can install these tools on most Linux distributions using the package manager. For example:
# On Debian-based systems
sudo apt-get install curl jq coreutils
# On Red Hat-based systems
sudo yum install curl jq coreutils
Understanding the GitHub API
The GitHub API provides a convenient endpoint to fetch the latest release of a repository. The general format for accessing the latest release is:
https://api.github.com/repos/{owner}/{repo}/releases/latest
- {owner}: The GitHub username or organization name that owns the repository.
- {repo}: The name of the repository.
This API endpoint returns JSON data, including the release’s tag name, asset URLs, and other metadata.
Downloading the Latest Release
To download the latest release for a specific system architecture, you need to construct the download URL using the information from the GitHub API. Below are a few examples of how you can achieve this for different projects and platforms.
Example 1: Downloading Chroma for Linux 64-bit
Let’s download the latest version of the chroma project for a Linux 64-bit system.
# Fetch the Latest Tag Name:
TAG=$(curl -sS https://api.github.com/repos/alecthomas/chroma/releases/latest | jq -r '.tag_name')
# Download the Release Asset:
curl -OL "https://github.com/alecthomas/chroma/releases/download/${TAG}/chroma-${TAG:1}-linux-amd64.tar.gz"
Here, we use curl to request the latest release data and jq to parse the JSON; the -r flag makes jq print tag_name as a raw string without the surrounding quotes. ${TAG:1} drops the first character of the tag (its leading v), because the asset file name carries the bare version number. We then build the download URL from these values and fetch the asset with curl: -L follows GitHub’s redirect to the asset storage and -O saves the file under its remote name.
Example 2: Downloading Protocol Buffers for Windows 64-bit
For Windows users, let’s download the latest release of protobuf for a Windows 64-bit system.
# Fetch the Latest Tag Name:
TAG=$(curl -sS https://api.github.com/repos/protocolbuffers/protobuf/releases/latest | jq -r '.tag_name')
# Download the Release Asset:
curl -OL "https://github.com/protocolbuffers/protobuf/releases/download/${TAG}/protoc-${TAG:1}-win64.zip"
Note that the URL format may vary slightly depending on the naming conventions used by the project’s maintainers.
Example 3: Downloading gRPCurl for Any Operating System
gRPCurl provides binaries for multiple operating systems. Let’s download the appropriate grpcurl version for your current system.
# Fetch the Latest Tag Name:
TAG=$(curl -sS https://api.github.com/repos/fullstorydev/grpcurl/releases/latest | jq -r '.tag_name')
# Determine System and Architecture:
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)
# Download the Release Asset:
curl -OL "https://github.com/fullstorydev/grpcurl/releases/download/${TAG}/grpcurl_${TAG:1}_${OS}_${ARCH}.tar.gz"
Here, we use uname to get the operating system and architecture. tr is used to convert the OS name to lowercase, ensuring compatibility with the asset naming convention. This approach automatically adapts to your system’s architecture, making it cross-platform.
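The asset name built from uname only matches when the project follows the same convention: grpcurl names its assets with the raw uname -m value (x86_64), chroma in Example 1 uses Go-style names (amd64, arm64), and on macOS uname -s reports Darwin. The POSIX shell helpers below are an added example, not code from this post or from any of the projects mentioned: they normalize the uname values, strip only a leading v from the tag (${TAG#v}, which unlike ${TAG:1} leaves a tag without a v prefix intact), and fill a per-project name pattern. The placeholders {tag}, {version}, {os}, {arch} and {machine}, and the tag values used in the comments, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a GitHub release asset URL
# from uname output and a per-project name pattern. Tags and patterns used in
# comments are constructed for illustration.

# Lowercase the kernel name (Linux -> linux, Darwin -> darwin), as the post does with tr.
normalize_os() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Map uname -m values to the Go-style names many release assets use.
# Unknown values are passed through unchanged so the caller can see them.
normalize_arch() {
    case "$1" in
        x86_64|amd64)   printf 'amd64' ;;
        aarch64|arm64)  printf 'arm64' ;;
        i386|i686)      printf '386' ;;
        armv6l|armv7l)  printf 'arm' ;;
        *)              printf '%s' "$1" ;;
    esac
}

# Strip only a leading "v": v2.14.0 -> 2.14.0, but 2.14.0 stays 2.14.0
# (${TAG:1} would turn the latter into .14.0).
strip_v() {
    printf '%s' "${1#v}"
}

# build_asset_url OWNER REPO TAG PATTERN UNAME_S UNAME_M
# PATTERN placeholders: {tag} raw tag, {version} tag without leading v,
# {os} lowercased uname -s, {arch} Go-style arch, {machine} raw uname -m.
build_asset_url() {
    owner=$1; repo=$2; tag=$3; pattern=$4
    os=$(normalize_os "$5")
    machine=$6
    arch=$(normalize_arch "$machine")
    version=$(strip_v "$tag")
    name=$(printf '%s' "$pattern" | sed \
        -e "s|{tag}|$tag|g" -e "s|{version}|$version|g" \
        -e "s|{os}|$os|g" -e "s|{arch}|$arch|g" -e "s|{machine}|$machine|g")
    printf 'https://github.com/%s/%s/releases/download/%s/%s\n' \
        "$owner" "$repo" "$tag" "$name"
}

# Example use (hypothetical tag v2.14.0), mirroring Example 1's chroma naming:
#   build_asset_url alecthomas chroma v2.14.0 \
#       'chroma-{version}-{os}-{arch}.tar.gz' "$(uname -s)" "$(uname -m)"
# Example 3's grpcurl naming keeps the raw machine name:
#   build_asset_url fullstorydev grpcurl "$TAG" \
#       'grpcurl_{version}_{os}_{machine}.tar.gz' "$(uname -s)" "$(uname -m)"
```

The URL the helper prints can be passed straight to curl -OL as in the examples above; a mismatch between the pattern and the project’s real asset names shows up as a 404 from GitHub rather than a wrong file, so check the release page once when adding a new project.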
Verifying the Integrity of the Downloaded Release
When downloading binaries from GitHub, it’s crucial to verify the integrity of the downloaded files to ensure they have not been tampered with or corrupted. Many projects provide checksum files, typically using SHA256, which you can use to verify the downloaded artifact.
Reasons for verifying checksums:
- Security: Ensures that the file has not been tampered with by malicious actors.
- Integrity: Confirms that the file was not corrupted during the download process.
- Authenticity: Verifies that the file you received is exactly what the developers released.
Example: Verifying OpenSSL Release for Linux 64-bit
Let’s demonstrate how to verify the integrity of the latest release of OpenSSL using SHA256 checksums.
First, download the latest release as shown before (in this project the $TAG contains both the name and the software version):
# Fetch the Latest Tag Name:
TAG=$(curl -sS https://api.github.com/repos/openssl/openssl/releases/latest | jq -r '.tag_name')
# Download the Release Asset:
curl -OL "https://github.com/openssl/openssl/releases/download/${TAG}/${TAG}.tar.gz"
Then download the SHA256 checksum file and use it to verify the archive:
# Download the SHA256 Checksum File:
curl -OL "https://github.com/openssl/openssl/releases/download/${TAG}/${TAG}.tar.gz.sha256"
# Verify the Checksum:
echo "$(cat ${TAG}.tar.gz.sha256) ${TAG}.tar.gz" | sha256sum --check
Most projects provide checksum files alongside their release binaries; check the project’s release page to find the correct URL for the checksum file. Keep in mind what this check does and does not prove: a checksum served from the same release page as the archive catches a corrupted or truncated download, but anyone able to replace the archive there can replace the checksum too. Evidence of who published a release comes from a signature the project publishes, verified with a key you obtained out of band.
Here’s a breakdown of the command:
- cat ${TAG}.tar.gz.sha256: reads the expected checksum from the file.
- echo "$(cat ${TAG}.tar.gz.sha256) ${TAG}.tar.gz": constructs a line pairing the checksum with the downloaded file’s name, in the format sha256sum --check reads.
- sha256sum --check: computes the checksum of the downloaded file and verifies it against the expected value.
If the verification is successful, you’ll see a message similar to:
openssl-3.3.1.tar.gz: OK
If the checksums do not match, you’ll receive an error indicating a potential issue with the downloaded file.
openssl-3.3.1.tar.gz: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
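Checksum files come in two common shapes: a bare digest, as in OpenSSL’s ${TAG}.tar.gz.sha256 above, and a SHA256SUMS list with one "digest  filename" line per asset, in which the right entry has to be picked out by file name. The function below is an added example, not code from this post or from the OpenSSL project: it handles both shapes, refuses anything that is not exactly 64 hex digits, and feeds sha256sum --check a correctly formatted line (two spaces between digest and path, plus --strict so a malformed line is an error rather than a warning). The file names and digests in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded release
# archive against either a bare-digest .sha256 file or a SHA256SUMS list.
# Returns non-zero on a missing, malformed or non-matching entry.

# Print the expected digest for FILE ($1) from CHECKSUM_FILE ($2), or nothing.
expected_digest() {
    name=$(basename "$1")
    awk -v name="$name" '
        NF > 0 { lines++ }
        # A single field on the first line: bare digest (OpenSSL style).
        NR == 1 && NF == 1 { bare = $1 }
        # "digest  name" / "digest *name" lines: compare on the bare file name.
        NF >= 2 {
            f = $2; sub(/^\*/, "", f); sub(/.*\//, "", f)
            if (f == name) { print $1; found = 1; exit }
        }
        END { if (!found && lines == 1 && bare != "") print bare }
    ' "$2" 2>/dev/null
}

# verify_sha256 FILE CHECKSUM_FILE
verify_sha256() {
    file=$1; sums=$2
    digest=$(expected_digest "$file" "$sums")
    # Fail closed: no entry, or characters outside [0-9a-fA-F].
    case "$digest" in
        ""|*[!0-9a-fA-F]*)
            echo "verify_sha256: no usable SHA256 entry for $file in $sums" >&2
            return 1 ;;
    esac
    if [ "${#digest}" -ne 64 ]; then
        echo "verify_sha256: malformed digest for $file" >&2
        return 1
    fi
    # sha256sum --check reads "<digest>  <path>" (two spaces).
    printf '%s  %s\n' "$digest" "$file" | sha256sum --check --strict
}

# Example use after the downloads in the OpenSSL section above:
#   verify_sha256 "${TAG}.tar.gz" "${TAG}.tar.gz.sha256"
# or, for a project that ships one list for all assets:
#   verify_sha256 "${TAG}.tar.gz" SHA256SUMS
```

On success the function prints the same "name: OK" line shown above; on a mismatch sha256sum prints "FAILED" and the function returns non-zero, so a script that runs it under set -e stops before unpacking or installing anything.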