michael-o commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r936336907


##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
 # End of extension
 
##########################################################################################
 
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  if ! echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > 
/dev/null 2>&1; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper 
might be compromised." >&2
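
Review bot: the `read` in `while IFS="=" read key value; do` runs without `-r`, so backslashes in the line are interpreted, and nothing strips a trailing carriage return, so a `maven-wrapper.properties` checked out with CRLF line endings yields a `wrapperSha256Sum` value ending in `\r` that can never match in the `shasum -a 256 -c` line below. Use `read -r key value` and normalise the value, for example `wrapperSha256Sum=$(printf '%s' "$value" | tr -d '\r')`, so a failure reported by the check reflects the jar's contents rather than line-ending noise.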

Review Comment:
   I don't like this wording because this implies some security aspect.



##########
maven-wrapper-distribution/src/resources/mvnw.cmd:
##########
@@ -153,6 +153,24 @@ if exist %WRAPPER_JAR% (
 )
 @REM End of extension
 
+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN 
("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    FOR /F "usebackq tokens=*" %%A in ('certUtil -hashfile "%WRAPPER_JAR%" 
SHA256') do (
+        echo %%A | findstr /C:"hash" 1>nul || (
+            IF NOT %%A==%WRAPPER_SHA_256_SUM% (
+                echo Error: Failed to validate Maven wrapper SHA-256, your 
Maven wrapper might be compromised. >&2
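
Review bot: the comparison `IF NOT %%A==%WRAPPER_SHA_256_SUM%` is unquoted and case-sensitive, so a checksum written in upper case in `maven-wrapper.properties` never matches certutil's lower-case output, and any token containing spaces (older certutil versions print the hash as space-separated byte pairs) breaks the `IF` syntax; write it as `IF /I NOT "%%A"=="%WRAPPER_SHA_256_SUM%"`. The `findstr /C:"hash"` filter also relies on the English wording of certutil's header and trailer lines, which is localized on non-English Windows installs, so those lines can reach the comparison and produce a spurious failure.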

Review Comment:
   ditto



##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
 # End of extension
 
##########################################################################################
 
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  if ! echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > 
/dev/null 2>&1; then
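
Review bot: the `if ! echo ... | shasum -a 256 -c` test treats every non-zero exit the same way, so a missing `shasum` binary or a pipeline error triggers the "might be compromised" message instead of a clear tooling error; probe for the tool first, e.g. `command -v shasum >/dev/null 2>&1`, fall back to `sha256sum` where that is what the platform ships, and print a distinct error when neither exists. The check should still fail closed in that case: silently skipping verification when a sum is configured would defeat the purpose of the property.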

Review Comment:
   You should check whether `shasum` is available.



##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
 # End of extension
 
##########################################################################################
 
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
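
Review bot: the `IFS="="` split in the `read` loop only matches the exact form `wrapperSha256Sum=<value>`; the Java properties format also allows `wrapperSha256Sum = <value>`, and with surrounding blanks `$key` becomes `wrapperSha256Sum ` so the `case` pattern never matches and the sum is silently not checked. Trim blanks before the `case`, for example `key=$(printf '%s' "$key" | tr -d '[:blank:]')` and likewise for `$value`, so a configured checksum is always honoured.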

Review Comment:
   Are you certain that this is POSIX compliant?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
