Jorge Solórzano created MWRAPPER-93:
---------------------------------------

             Summary: Distribution sha256 checksum not validated if the zip 
file was downloaded previously
                 Key: MWRAPPER-93
                 URL: https://issues.apache.org/jira/browse/MWRAPPER-93
             Project: Maven Wrapper
          Issue Type: Bug
          Components: Maven Wrapper Jar
    Affects Versions: 3.2.0
            Reporter: Jorge Solórzano


If I make a first run without *distributionSha256Sum*, the Maven distribution 
will be downloaded without any checksum, this is the normal behavior.

But if I later add the *distributionSha256Sum* to the maven-wrapper.properties 
file, having downloaded previously the distribution, the checksum is not 
verified, I consider this a bug since even if the distribution is already 
downloaded and unpacked it could contain a compromised download.

The options *alwaysUnpack* and *alwaysDownload* triggers the verification and 
provides an extra layer of security, but normally the local zip should be 
verified always if the *distributionSha256Sum* is set.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to