[
https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470940#comment-17470940
]
Marcin Zajaczkowski commented on MWRAPPER-50:
---------------------------------------------
Thanks [~premek] for taking a look at that!
> We can use sha256sum but sha1 is being published (to see it's the same):
> [https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar.sha1]
In general, sha1 is better than nothing, but from the security point of view
both MD5 and SHA1 are "broken" nowadays (the malicious matching artifacts can
be prepared in sensible time). Since May 2021, Nexus has
[supported|https://issues.sonatype.org/browse/NEXUS-23603] also SHA256 as
metadata for published artifacts. In fact, a level
[above|https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/],
there is also a .sha256 file. Maybe it would be possible to enhance the Maven
wrapper building process to publish also sha256/512 checksum files (of course
as a separate, somehow independent task)?
However, again, from the security point of view, using checksum files from the
same repo (possibly a mirror) generates a similar security risk. An attacker
could replace both JAR and .sha1 files. OpenGPG signature would be resistant to
that, however, using a checksum, probably it should be downloaded from a
separate site, such as
[https://downloads.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz.sha512]
(available for Apache Maven itself) - unfortunately, for Maven wrapper it
doesn't look so good: [https://downloads.apache.org/maven/wrapper/]
Maybe it could be also improved during the release process?
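An added example of the verification flow discussed in this comment, not code from the mvnw script or the Maven Wrapper project: the expected SHA-256 is fetched from a location separate from the repository that served the JAR (the checksum URL is a hypothetical placeholder, since no such file exists for the wrapper), and the JAR is deleted on mismatch so it is never left in place to be executed.

```shell
#!/bin/sh
# Added example, not part of mvnw: verify maven-wrapper.jar against a SHA-256
# obtained out-of-band before it is ever run. The checksum URL is hypothetical.

# Compute SHA-256 of a file portably (GNU coreutils, BSD/macOS shasum, or OpenSSL).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Return 0 when the file's digest equals EXPECTED (hex, case-insensitive), else 1.
# An empty expected value is treated as a failure, never as "nothing to check".
verify_sha256() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download the JAR and its checksum from separate hosts; on mismatch remove the
# JAR so a tampered artifact is not silently used by a later invocation.
fetch_and_verify() {
    jar_url=$1; sum_url=$2; dest=$3
    curl -fsSL -o "$dest" "$jar_url" || return 1
    # A .sha256/.sha512 file may be "<hex>" or "<hex>  filename"; keep the first field.
    expected=$(curl -fsSL "$sum_url" | cut -d' ' -f1) || { rm -f "$dest"; return 1; }
    if verify_sha256 "$dest" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $dest, removing it" >&2
    rm -f "$dest"
    return 1
}

# Offline self-check on a constructed file whose content is "hello\n".
tmp=$(mktemp); printf 'hello\n' >"$tmp"
verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 && echo "ok"
rm -f "$tmp"
```

Real usage would be `fetch_and_verify "$WRAPPER_URL" "$CHECKSUM_URL" .mvn/wrapper/maven-wrapper.jar` with the two URLs pointing at different hosts.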
> Verify checksum when downloading maven-wrapper.jar
> ----------------------------------------------------
>
> Key: MWRAPPER-50
> URL: https://issues.apache.org/jira/browse/MWRAPPER-50
> Project: Maven Wrapper
> Issue Type: Bug
> Reporter: Premek Vyhnal
> Priority: Major
>
> Hi,
> Sorry if I just cannot find it,
> but it seems the checksum of the `maven-wrapper.jar` downloaded here is not
> checked:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>
> Checksum of the downloaded file should be checked before executing it to
> avoid a remote code execution attack on the developer machine.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)