[ https://issues.apache.org/jira/browse/MWRAPPER-153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17894342#comment-17894342 ]
Zafer Balkan commented on MWRAPPER-153:
---------------------------------------
Here's some background. I am a security manager in a company, and my devs came to
me saying that the hardening measures block their workflow. That's how I met
the maven wrapper. I checked the code, found the issue, updated MD5 with SHA256
and made sure this workaround is documented and communicated within the team.
But this is not a unique issue. I believe many devs around the world can face
this issue with a trivial fix. So, it is a better decision to make it a
permanent solution than a workaround.
> only-mvnw.cmd fails when FIPS mode is enabled on Windows hosts
> --------------------------------------------------------------
>
> Key: MWRAPPER-153
> URL: https://issues.apache.org/jira/browse/MWRAPPER-153
> Project: Maven Wrapper
> Issue Type: Bug
> Components: Maven Wrapper Scripts
> Environment: Tested on Windows 10 and 11
> Reporter: Zafer Balkan
> Priority: Trivial
>
> h2. Problem
> When `only-mvnw.cmd` is used to initiate the wrapper, the script fails due to
> MD5.
>
> {code:java}
> Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
> At line:1 char:1
> + $MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().Comp ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
> + FullyQualifiedErrorId : InvalidOperationException
> {code}
> Since the hashes are used within the script, it is easier to replace the line
> below
>
> {code:java}
> $MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join ''
> {code}
> with
>
> {code:java}
> $MAVEN_HOME_NAME = ([System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join ''
> {code}
> h2. Steps to reproduce
> * Under {{Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy}}, set {{Enabled}} to {{1}}.
> * Run {{only-mvnw.cmd}}
> h2. Caveat
> The FIPS check works with PowerShell 5, not PowerShell 7. It looks like the
> new PowerShell does not respect the OS configuration as well. So if the
> script is run within the new PowerShell, it would succeed due to –or thanks
> to– this problem.
> I created an issue on their repository for this problem:
> https://github.com/PowerShell/PowerShell/issues/24502
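An added example, not part of the original message and not Maven Wrapper's own code: PowerShell that reads the FIPS policy value named in the steps to reproduce, derives a name with the SHA256 replacement proposed in the issue, and lists wrapper scripts under a directory that still call the MD5 factory. The function names, the `*mvnw.cmd` file filter, the sample URL and the temporary directory are assumptions made for illustration.

```powershell
# Added example; function names and sample values are hypothetical.

function Test-FipsPolicyEnabled {
    # Reads the registry value from the report's "Steps to reproduce".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enabled -eq 1)
}

function Get-UrlDigestName {
    param([Parameter(Mandatory)][string]$DistributionUrl)
    # Same byte conversion and hex formatting as the line quoted in the report,
    # with SHA256 in place of MD5.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [byte[]][char[]]$DistributionUrl
        return ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha.Dispose()
    }
}

function Find-Md5WrapperScript {
    param([Parameter(Mandatory)][string]$Root)
    # Literal, case-insensitive match on the MD5 factory call shown in the report;
    # -List stops at the first hit in each file.
    Get-ChildItem -Path $Root -Recurse -File -Filter '*mvnw.cmd' |
        Select-String -SimpleMatch -Pattern '[System.Security.Cryptography.MD5]::Create()' -List |
        ForEach-Object { [pscustomobject]@{ Path = $_.Path; Line = $_.LineNumber } }
}

# Constructed sample: a throwaway directory holding one script that still uses MD5.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'mwrapper-153-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path (Join-Path $root 'mvnw.cmd') -Value @(
    '@REM constructed sample, not the real wrapper script',
    '$MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '''''
)

"FIPS policy enabled: $(Test-FipsPolicyEnabled)"
"Digest name: $(Get-UrlDigestName 'https://repo.example.invalid/apache-maven-bin.zip')"
Find-Md5WrapperScript -Root $root | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

Pointing `Find-Md5WrapperScript` at a checkout root gives the list of repositories whose wrapper script needs the one-line change before the FIPS policy is enforced on developer machines.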