elharo opened a new issue, #413:
URL: https://github.com/apache/maven-wrapper/issues/413

### New feature, improvement proposal

From docs:

## Checksum verification of downloaded binaries

To avoid supply-chain attacks by downloading a corrupted artifact, it is possible to specify checksums for both the *maven-wrapper.jar* and the downloaded distribution. To apply verification, add the expected file's SHA-256 sum in hex notation, using only small caps, to `maven-wrapper.properties`. The property for validating the *maven-wrapper.jar* file is named `wrapperSha256Sum` whereas the distribution file property is named `distributionSha256Sum`.

Given the increasing frequency and sophistication of supply chain attacks, we should probably just do this by default.
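As an added illustration (not code from the issue or from the maven-wrapper project), the check below models what the quoted docs describe: read `distributionSha256Sum` / `wrapperSha256Sum` from `maven-wrapper.properties`, require lowercase hex, compare against the downloaded file, and, when `require_checksum` is set (the "do this by default" proposal), treat a missing property as a failure instead of a silent skip. The distribution bytes and property file contents are constructed; the helper names are assumptions.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

# Constructed stand-in for a downloaded apache-maven-*-bin.zip (not a real distribution).
SAMPLE_DIST = b"constructed stand-in for apache-maven-bin.zip"
SHA256_HEX_RE = re.compile(r"[0-9a-f]{64}")  # docs: hex, lowercase only

def parse_wrapper_properties(text):
    """Tiny key=value parser for maven-wrapper.properties (# and ! start comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def sha256_of_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_download(props, prop_name, path, require_checksum):
    """Return (ok, reason). require_checksum=True models verify-by-default."""
    expected = props.get(prop_name)
    if expected is None:
        return (not require_checksum, f"{prop_name} not set")
    if not SHA256_HEX_RE.fullmatch(expected):
        return (False, f"{prop_name} must be 64 lowercase hex characters")
    if hmac.compare_digest(sha256_of_file(path), expected):  # constant-time compare
        return (True, "checksum ok")
    return (False, f"{prop_name} mismatch: refusing to use {Path(path).name}")

def demo():
    """Exercise intact, tampered, and missing-checksum cases on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        dist = Path(d) / "apache-maven-bin.zip"
        dist.write_bytes(SAMPLE_DIST)
        good = hashlib.sha256(SAMPLE_DIST).hexdigest()
        with_sum = parse_wrapper_properties(
            "distributionUrl=https://example.invalid/apache-maven-bin.zip\n"
            f"distributionSha256Sum={good}\n")
        without_sum = parse_wrapper_properties("distributionUrl=https://example.invalid/x.zip\n")
        results = {"intact": verify_download(with_sum, "distributionSha256Sum", dist, True)[0]}
        dist.write_bytes(SAMPLE_DIST + b"\x00")  # simulate a corrupted or tampered download
        results["tampered"] = verify_download(with_sum, "distributionSha256Sum", dist, True)[0]
        results["missing_optional"] = verify_download(without_sum, "distributionSha256Sum", dist, False)[0]
        results["missing_required"] = verify_download(without_sum, "distributionSha256Sum", dist, True)[0]
        return results
```

Only `missing_required` changes between today's opt-in behaviour and the proposed default: an unpinned download fails closed instead of being accepted unverified.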