Rafael Winterhalter created MWRAPPER-75:
-------------------------------------------

Summary: Allow for sha256 checksum verification of downloaded artifacts.
Key: MWRAPPER-75
URL: https://issues.apache.org/jira/browse/MWRAPPER-75
Project: Maven Wrapper
Issue Type: Improvement
Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
Reporter: Rafael Winterhalter

Maven Wrapper is downloading binary artifacts that are later executed. To prevent an attack where a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.

In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.
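
The check the issue describes, shown as an added shell example that is not code from Maven Wrapper or from the reporter's PR. The function names, the stand-in artifact and the pinned value (the standard SHA-256 test vector for the bytes "abc") are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a pinned SHA-256
# before it is ever executed. Function names are hypothetical.

# Print the lowercase hex SHA-256 of a file using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject a missing or malformed pin instead of silently skipping the check.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed expected checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed expected checksum" >&2; return 2; }
    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Constructed demo: a stand-in "artifact" holding the bytes "abc".
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/artifact.bin"
PIN=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_sha256 "$demo_dir/artifact.bin" "$PIN"; then
    echo "verified, safe to hand to the launcher"
else
    echo "aborting before execution" >&2
fi
```

The pinned value only protects the download if it is stored with the project (for example under version control) and not fetched from the same repository as the artifact.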