obsidian narwhal
It would be nice to have the checksum value of the requested file in the http response headers when we are trying to download it.
It can helpful to check the integrity of the downloaded file, the content length isn't reliable enough.
Of course, we can hit the api to grab the checksum, but it can be inconsistent when the file is cached.
terse canopy
In the meantime, you could probably storage a .sig file along it, with the checksum, and make the client download the file, sha256 the contents and download the signature, and verify that way
obsidian narwhal
Yes, it's a good idea, but only for files never updated, to be sure that the file will always match with its signature file.
When you update the file, you can't be sure that you will grab the proper signature for the proper file.
You have uploading, replication, purge, cache and download delays all the way.
terse canopy
If it were to return the signature every time you request it, it would have to do the checksum upon serving the file. That's fairly time-consuming for cache-miss requests, since it's purely based on backend CPU performance and size of file
But obviously if one could attach metadata headers, then you can supply the checksum upon upload, like with S3 for example