Verify hashes on each request

[aakilfernandes]

My understanding is that after getting a file from a node, there is no additional check to verify the returned file matches the hash. It would be good to hash the file in the client to make sure the file is correct. That way, it would be possible to use untrusted nodes (for example https://ipfs.infura.io)

[nycoliver]

IPFS definitely verifies data from other nodes. See white paper, section 3.5. I think https://github.com/ipfs/go-ipfs/blob/master/exchange/bitswap/message/message.go#L105 is where blocks from peers are checked. Am I misunderstanding your question?

[aakilfernandes]

Ipfs nodes don't trust each other, but js-ipfs-api trusts the node. For example if I do

ipfsApi = IpfsApi(host, port)
ipfsApi.get('Qm...')

I'm trusting that the node at host:portis not lying to me. This is fine if we assume the user is using a local node on their machine, however users could be using remote nodes. For example https://infura.io/.

[nycoliver]

Oh I see. The simplest solution I can think of is to expose ipfs add --only-hash in the js api so you can compare the two hashes.

[hacdias]

onlyHash is supported since #717 so shall we close this @diasdavid?