[
https://issues.apache.org/jira/browse/MWRAPPER-93?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tamas Cservenak reassigned MWRAPPER-93:
---------------------------------------
Assignee: Tamas Cservenak
> Distribution sha256 checksum not validated if the zip file was downloaded
> previously
> ------------------------------------------------------------------------------------
>
> Key: MWRAPPER-93
> URL: https://issues.apache.org/jira/browse/MWRAPPER-93
> Project: Maven Wrapper
> Issue Type: Bug
> Components: Maven Wrapper Jar
> Affects Versions: 3.2.0
> Reporter: Jorge Solórzano
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.3.0
>
>
> If I make a first run without *distributionSha256Sum*, the Maven distribution
> will be downloaded without any checksum, this is the normal behavior.
> But if I later add the *distributionSha256Sum* to the
> maven-wrapper.properties file, having downloaded previously the distribution,
> the checksum is not verified, I consider this a bug since even if the
> distribution is already downloaded and unpacked it could contain a
> compromised download.
> The options *alwaysUnpack* and *alwaysDownload* triggers the verification and
> provides an extra layer of security, but normally the local zip should be
> verified always if the *distributionSha256Sum* is set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
