[
https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469609#comment-17469609
]
Marcin Zajaczkowski commented on MWRAPPER-50:
---------------------------------------------
Checksums can mitigate some risk with a the wrapper downloaded from local
mirror (e.g. on a public CI server) which could be tempered by a malicious
party (to still credentials or poise produced artifacts). Of course, it just
narrows the scope of a possible attack and definitely it is not a remedy for
everything.
However, the implementation should be easier than a verification of Apache's
digital signature and it would be worth to have it.
Btw, Gradle, the originator of the wrapper concept, has been supporting it for
years -
[https://docs.gradle.org/current/userguide/gradle_wrapper.html#customizing_wrapper]
(but unfortunately, still doesn't provided OpenPGP signed artifacts...).
> Verify checksum when downloading maven-wrapper.jar
> ----------------------------------------------------
>
> Key: MWRAPPER-50
> URL: https://issues.apache.org/jira/browse/MWRAPPER-50
> Project: Maven Wrapper
> Issue Type: Bug
> Reporter: Premek Vyhnal
> Priority: Major
>
> Hi,
> Sorry if I just cannot find it
> but it seems the checksum is not checked of the `maven-wrapper.jar`
> downloaded here:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>
> Checksum of the downloaded file should be checked before executing it to
> avoid a remote code execution attack on the developer machine.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
