On Thu, 16 Feb 2023 19:24:24 +0000 Jon Turney wrote: > On 14/02/2023 21:21, Takashi Yano via Cygwin-apps wrote: > > On Tue, 14 Feb 2023 17:41:16 +0100 > > ASSI wrote: > >> Takashi Yano via Cygwin-apps writes: > >>> Thanks for the advice. I have revised the cygport file. > >> > >> You are getting the file and the hash from the same unprotected source. > >> I was thinking you should put the hash into the cygport file and hence > >> the postinstall script. > >> > >> Also note that the system doing the postinstall will not necessarily > >> have internet access, so you'll need to cope with errors that will > >> produce. > > > > Thanks. > > > > The new cygport file attached downloads md5hash during > > the packaging process and embeds it into postinstall > > script. Does this make sense? > > Thanks. > > So, this looks like it works, and meets the requirements. > > Is md5 the only hash available? This is not really considered "good > enough" any more. > > As a thought-experiment, consider doing it slightly differently: > > package contains: > - the headers > - a data file with the version (or maybe URL) and hash > - a script which can fetch (using above data) or remove the DLL > - postinstall and preremove scripts which invoke that script appropriately > > (I think this means the post/pre scripts can be static, and packaged via > $C, rather than written by the cygport itself) > > What do you think of that? Thanks for the advice! So, how about this one? package contains: - the headers - the data files with the version and hash - postinstall and preremove scripts which fetch (using above data) and remove the DLL -- Takashi Yano