[ https://issues.apache.org/jira/browse/MWRAPPER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17875000#comment-17875000 ]

Marcono1234 commented on MWRAPPER-97:
-------------------------------------

For the Maven distribution, one case is here, right?
https://github.com/apache/maven-wrapper/blob/maven-wrapper-3.3.2/maven-wrapper-distribution/src/resources/only-mvnw#L175-L179
{code:lang=bash}
# select .zip or .tar.gz
if ! command -v unzip >/dev/null; then
  distributionUrl="${distributionUrl%.zip}.tar.gz"
  distributionUrlName="${distributionUrl##*/}"
fi
{code}

> sha256 checksum is not well supported for distributionType=only-script
> ----------------------------------------------------------------------
>
>                 Key: MWRAPPER-97
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-97
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Scripts
>    Affects Versions: 3.2.0
>            Reporter: James Z.M. Gao
>            Priority: Normal
>
> The entry scripts for distributionType=only-script may change the base name 
> of the distribution url, then the fixed sha256 checksum in 
> maven-wrapper.properties becomes invalid. These cases are:
>  
>  * maven, type .zip: verify OK
>  * maven, type .tar.gz: verify FAIL
>  * mvnd: always FAIL, since the url is dynamically decided based on OS and ARCH, 
> the extension may also fall back to .tar.gz
>  
> To fix the issue, we need to store all possible checksums in the config file, 
> and it is better to have an easy and secure way to generate these checksums from 
> the distribution url or from the apache site.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
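
Added example, not part of the Jira comment or of the Maven Wrapper scripts: a POSIX sh sketch of the "store all possible checksums" idea from the issue, looking up the digest by the file name that is actually downloaded after the .zip/.tar.gz selection. The per-file key format `distributionSha256Sum.<file name>`, the function names and the `dist-bin` sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Same rule as the only-mvnw snippet: without unzip, .zip becomes .tar.gz.
# $2 ("yes"/"no") stands in for `command -v unzip` so both paths can be shown.
select_url() {
  case "$2" in
    yes) printf '%s\n' "$1" ;;
    *)   printf '%s\n' "${1%.zip}.tar.gz" ;;
  esac
}

# Look up the digest recorded for one exact file name.
# Hypothetical key format: distributionSha256Sum.<file name>=<hex digest>
expected_sum() {  # $1 = properties file, $2 = file name
  key="distributionSha256Sum.$2="
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$key"*) printf '%s\n' "${line#"$key"}"; return 0 ;;
    esac
  done < "$1"
  return 1
}

sha256_of() {  # $1 = file; prints the lowercase hex digest
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 on match, 1 on mismatch, 2 when no digest is recorded (fail closed).
verify_download() {  # $1 = properties file, $2 = downloaded file
  want=$(expected_sum "$1" "${2##*/}") || { echo "no checksum for ${2##*/}" >&2; return 2; }
  [ "$(sha256_of "$2")" = "$want" ] || { echo "checksum mismatch for ${2##*/}" >&2; return 1; }
}

# Demo on constructed data: only the .zip digest is recorded.
tmp=$(mktemp -d)
printf 'constructed zip' > "$tmp/dist-bin.zip"
printf 'constructed tgz' > "$tmp/dist-bin.tar.gz"
printf 'distributionSha256Sum.dist-bin.zip=%s\n' "$(sha256_of "$tmp/dist-bin.zip")" > "$tmp/props"
for have_unzip in yes no; do
  name=$(select_url dist-bin.zip "$have_unzip")
  if verify_download "$tmp/props" "$tmp/$name"; then echo "$name: verified"; fi
done
rm -rf "$tmp"
```

With only the .zip digest recorded, the .tar.gz path is rejected for lack of a matching entry instead of being compared against the wrong digest; adding a second line for the .tar.gz name makes both paths verify.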
