[ https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574643#comment-17574643 ]
ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------

jorsol commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r936473189

##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi # End of extension ########################################################################################## +# If specified, validate the SHA-256 sum of the Maven wrapper jar file +wrapperSha256Sum="" +while IFS="=" read key value; do + case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;; + esac +done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties" +if [ -n "$wrapperSha256Sum" ]; then + if ! echo "$wrapperSha256Sum $wrapperJarPath" | shasum -a 256 -c > /dev/null 2>&1; then + echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2

Review Comment:
It *might* imply a security aspect, but also an incomplete download, a failure in the network, a cosmic ray, etc.

> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
>                 Key: MWRAPPER-75
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-75
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
>            Reporter: Rafael Winterhalter
>            Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To
> prevent an attack where a vulnerable repository could distribute
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be
> verified against a secure checksum. If the expected checksum does not match,
> execution could be aborted before the potentially compromised artifact is
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still
> impossible to replicate with a corrupted binary.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
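Review bot: In the `shasum -a 256 -c > /dev/null 2>&1` condition, every failure mode collapses into the same "might be compromised" message: a digest mismatch, a missing or unreadable jar at `$wrapperJarPath`, and a missing `shasum` binary (some systems ship only `sha256sum`) all make the pipeline return non-zero, and the redirect discards the stderr that would tell them apart. Suggest checking that the tool exists first (for example with `command -v shasum`) and reporting that separately, and printing the expected digest alongside the computed one so the user can distinguish a truncated download from a substituted file. Two smaller points in the `while IFS="=" read key value` loop: `read` without `-r` interprets backslashes in the properties file, and `wrapperSha256Sum=$value` keeps a trailing carriage return if `maven-wrapper.properties` has CRLF line endings, which would make a correct checksum fail verification.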