dweiss commented on code in PR #14608: URL: https://github.com/apache/lucene/pull/14608#discussion_r2072657950
########## gradlew.bat: ##########
@@ -81,10 +81,22 @@ SET DEFAULT_JVM_OPTS=%DEFAULT_JVM_OPTS% "-Djava.io.tmpdir=%GRADLE_TEMPDIR%"
 @rem LUCENE-9266: verify and download the gradle wrapper jar if we don't have one.
 set GRADLE_WRAPPER_JAR=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
-IF NOT EXIST "%GRADLE_WRAPPER_JAR%" (
- "%JAVA_EXE%" %JAVA_OPTS% "%APP_HOME%/build-tools/build-infra/src/main/java/org/apache/lucene/gradle/WrapperDownloader.java" "%GRADLE_WRAPPER_JAR%"
- IF %ERRORLEVEL% EQU 1 goto failWithJvmMessage
- IF %ERRORLEVEL% NEQ 0 goto fail
+set GRADLE_WRAPPER_CHECKSUM=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar.sha256
+
+@rem Read the expected hash from .sha256 file
+for /f "tokens=1" %%A in (%GRADLE_WRAPPER_CHECKSUM%) do (
+ set "EXPECTED=%%A"
+)
Review Comment: the assumption here is that the sha file only contains the gradle-wrapper.jar checksum and it's sane. If anything doesn't match/ work here, we fall back to the Java version in WrapperDownloader anyway, where things are checked in depth.
########## gradlew.bat: ##########
@@ -81,10 +81,22 @@ SET DEFAULT_JVM_OPTS=%DEFAULT_JVM_OPTS% "-Djava.io.tmpdir=%GRADLE_TEMPDIR%"
 @rem LUCENE-9266: verify and download the gradle wrapper jar if we don't have one.
 set GRADLE_WRAPPER_JAR=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
-IF NOT EXIST "%GRADLE_WRAPPER_JAR%" (
- "%JAVA_EXE%" %JAVA_OPTS% "%APP_HOME%/build-tools/build-infra/src/main/java/org/apache/lucene/gradle/WrapperDownloader.java" "%GRADLE_WRAPPER_JAR%"
- IF %ERRORLEVEL% EQU 1 goto failWithJvmMessage
- IF %ERRORLEVEL% NEQ 0 goto fail
+set GRADLE_WRAPPER_CHECKSUM=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar.sha256
+
+@rem Read the expected hash from .sha256 file
+for /f "tokens=1" %%A in (%GRADLE_WRAPPER_CHECKSUM%) do (
+ set "EXPECTED=%%A"
+)
+@rem Get actual SHA-256 hash using certutil
+for /f "tokens=* delims=" %%H in ('certutil -hashfile "%GRADLE_WRAPPER_JAR%" SHA256 ^| findstr /R /B /I /X "[0-9a-f]*"') do (
+ set "ACTUAL=%%H"
+)
Review Comment: this computes sha256 using certutil, then tries to pick a line that looks like an sha256 checksum. Again - if something fails, we rely on the Java version to tell us what's wrong. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org
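Review bot: `EXPECTED` and `ACTUAL` are assigned only inside the two `for /f` loops, so if the `.sha256` file is empty or unreadable, or `findstr` matches no line of the certutil output, each keeps whatever value the calling environment already held. The comparison and the fallback sit outside the quoted lines, but if that comparison accepts two equal inherited values or two empty ones, the jar would pass the fast path without ever reaching WrapperDownloader. Adding `set "EXPECTED="` and `set "ACTUAL="` ahead of the loops, and treating an empty value as a mismatch, keeps the check fail-closed. The first loop also passes `%GRADLE_WRAPPER_CHECKSUM%` unquoted, which stops parsing correctly when `APP_HOME` contains spaces; `for /f "usebackq tokens=1" %%A in ("%GRADLE_WRAPPER_CHECKSUM%") do (` reads the same file with the path quoted.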