I understand that the way checksums must be handled during the download is not compatible with curl's implementation. I've created a prototype to check the API and behavior (https://github.com/falk-werner/fetch) and I've encountered all the things you mentioned: the download must be buffered in a separate file, the checksum must be computed during download, all data must be printed to stdout after successful check and the temporary file must finally be removed.
Regarding problem two, you have a point that it wouldn't add any security when the site is breached. In fact, one might have a false sense of security because the checksum is verified correctly. But I don't think that TLS alone is enough to solve the problem. There are cases where you can't rely on TLS. One might be in case of redirects. Another one is the use of so called "interception certificates", which are very popular by some IT departments. -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.html
