[
https://issues.apache.org/jira/browse/MWRAPPER-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837830#comment-17837830
]
Jorge Solórzano commented on MWRAPPER-93:
-----------------------------------------
This might be closed as it looks like it is the requested behavior, and the
*alwaysUnpack* or *alwaysDownload* should be used. See:
https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265742206
I still believe that as a "security" feature, this check should always be done
(https://github.com/apache/maven-wrapper/pull/58#issuecomment-1405007910), but
if there is no need to check every single time, then this issue can be closed.
> Distribution sha256 checksum not validated if the zip file was downloaded
> previously
> ------------------------------------------------------------------------------------
>
> Key: MWRAPPER-93
> URL: https://issues.apache.org/jira/browse/MWRAPPER-93
> Project: Maven Wrapper
> Issue Type: Bug
> Components: Maven Wrapper Jar
> Affects Versions: 3.2.0
> Reporter: Jorge Solórzano
> Priority: Major
> Fix For: 3.3.0
>
>
> If I make a first run without *distributionSha256Sum*, the Maven distribution
> will be downloaded without any checksum, this is the normal behavior.
> But if I later add the *distributionSha256Sum* to the
> maven-wrapper.properties file, having downloaded previously the distribution,
> the checksum is not verified, I consider this a bug since even if the
> distribution is already downloaded and unpacked it could contain a
> compromised download.
> The options *alwaysUnpack* and *alwaysDownload* triggers the verification and
> provides an extra layer of security, but normally the local zip should be
> verified always if the *distributionSha256Sum* is set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
