[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

Wed, 03 Aug 2022 02:58:05 -0700 


    [ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574643#comment-17574643
 ] 

ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------

jorsol commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r936473189


##########
maven-wrapper-distribution/src/resources/mvnw:
##########
@@ -247,6 +247,21 @@ fi
 # End of extension
 
##########################################################################################
 
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  if ! echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > 
/dev/null 2>&1; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper 
might be compromised." >&2

Review Comment:
   It *might* imply a security aspect, but also an incomplete download, a 
failure in the network, a cosmic ray, etc.





> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
>                 Key: MWRAPPER-75
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-75
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>            Reporter: Rafael Winterhalter
>            Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent from an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to