[
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574549#comment-17574549
]
ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------
raphw opened a new pull request, #58:
URL: https://github.com/apache/maven-wrapper/pull/58
Optionally verify checksums of downloaded binaries, both for Maven wrapper
jar and actual Maven distribution.
The verification is optional and is activated by adding checksums to the
maven.properties file, either as
'wrapperSha256Sum' (Maven wrapper) or as 'distributionSha256Sum' (Maven
distribution).
Following this checklist to help us incorporate your
contribution quickly and easily:
- [ ] Make sure there is a [JIRA
issue](https://issues.apache.org/jira/browse/MWRAPPER) filed
for the change (usually before you start working on it). Trivial
changes like typos do not
require a JIRA issue. Your pull request should address just this
issue, without
pulling in other changes.
- [ ] Each commit in the pull request should have a meaningful subject line
and body.
- [ ] Format the pull request title like `[MWRAPPER-XXX] - Fixes bug in
ApproximateQuantiles`,
where you replace `MWRAPPER-XXX` with the appropriate JIRA issue.
Best practice
is to use the JIRA issue title in the pull request title and in the
first line of the
commit message.
- [ ] Write a pull request description that is detailed enough to
understand what the pull request does, how, and why.
- [ ] Run `mvn clean verify` to make sure basic checks pass. A more
thorough check will
be performed on your pull request automatically.
- [ ] You have run the integration tests successfully (`mvn -Prun-its clean
verify`).
If your pull request is about ~20 lines of code you don't need to sign an
[Individual Contributor License
Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure
please ask on the developers list.
To make clear that you license your contribution under
the [Apache License Version 2.0, January
2004](http://www.apache.org/licenses/LICENSE-2.0)
you have to acknowledge this by using the following check-box.
- [ ] I hereby declare this contribution to be licenced under the [Apache
License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
- [ ] In any other case, please file an [Apache Individual Contributor
License Agreement](https://www.apache.org/licenses/icla.pdf).
> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
> Issue Type: Improvement
> Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper
> Scripts
> Reporter: Rafael Winterhalter
> Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To
> prevent from an attack where a vulnerable repository could distribute
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be
> verified against a secure checksum. If the expected checksum does not match,
> execution could be aborted before the potentially compromised artifact is
> executed.
> In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still
> impossible to replicate with a corrupted binary.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
