rhusar opened a new issue, #425:
URL: https://github.com/apache/maven-wrapper/issues/425

   When `unzip` is not installed, `mvnw` silently rewrites the `distributionUrl` from `.zip` to `.tar.gz` ([mvnw line 179-181](https://github.com/apache/maven-wrapper/blob/master/maven-wrapper-distribution/src/resources/mvnw#L179-L181)):
   
   ```bash
   if ! command -v unzip >/dev/null; then
     distributionUrl="${distributionUrl%.zip}.tar.gz"
     distributionUrlName="${distributionUrl##*/}"
   fi
   ```
   
   However, the `distributionSha256Sum` validation on [line 226](https://github.com/apache/maven-wrapper/blob/master/maven-wrapper-distribution/src/resources/mvnw#L226) still runs against the configured checksum, which was computed for the `.zip` file. The `.tar.gz` has a different checksum, so validation always fails with:
   
   ```
   Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised.
   If you updated your Maven version, you need to update the specified distributionSha256Sum property.
   ```
   
   ## Steps to reproduce
   
   1. Configure `maven-wrapper.properties` with `distributionSha256Sum` for the `.zip` distribution
   2. Run `./mvnw` in an environment without `unzip` (e.g. `eclipse-temurin` Docker image)
   3. Build fails with SHA-256 validation error
   
   ## Expected behavior
   
   Either:
   - The SHA-256 validation should account for the format switch (e.g. skip validation when the URL was rewritten), or
   - The script should error early with a clear message that `unzip` is required when `distributionSha256Sum` is configured, or
   - The script should compute/expect the checksum for whichever format it actually downloads
   
   ## Environment
   
   - Maven Wrapper 3.3.4
   - `eclipse-temurin:25` Docker image (Ubuntu 26.04, no `unzip`, no `wget`/`curl`)
   
   ## Workaround
   
   Install `unzip` in the environment before running `mvnw`.
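
The condition described in this issue can be caught before `mvnw` runs, for example as a CI or image-build step. The following is an added example, not part of the original issue or of maven-wrapper; the function names `wrapper_prop` and `check_wrapper_checksum` and the exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the .zip -> .tar.gz checksum mismatch.
# Function names and exit codes are hypothetical, not maven-wrapper's own.

# Print the value of property $1 from file $2 (last occurrence wins).
# Uses only shell builtins so it works in minimal images.
wrapper_prop() {
  _val=""
  while IFS='=' read -r _key _rest || [ -n "$_key" ]; do
    case "$_key" in
      "$1") _val=${_rest%"$(printf '\r')"} ;;   # drop a trailing CR if present
    esac
  done <"$2"
  printf '%s' "$_val"
}

# Return 0 if the pinned checksum still applies to what mvnw will download,
# 1 if mvnw would switch to .tar.gz while a checksum is pinned for a .zip URL.
check_wrapper_checksum() {
  _url=$(wrapper_prop distributionUrl "$1")
  _sum=$(wrapper_prop distributionSha256Sum "$1")

  # No pinned checksum: the rewrite cannot cause a validation failure.
  [ -n "$_sum" ] || return 0

  # Only .zip URLs are rewritten when unzip is missing.
  case "$_url" in
    *.zip) ;;
    *) return 0 ;;
  esac

  # Same availability test the issue quotes from mvnw.
  if command -v unzip >/dev/null 2>&1; then
    return 0
  fi

  echo "unzip not found: mvnw will fetch ${_url%.zip}.tar.gz," \
       "which cannot match distributionSha256Sum pinned for $_url" >&2
  return 1
}

# Stand-alone use: sh check.sh .mvn/wrapper/maven-wrapper.properties
if [ -n "${1-}" ]; then
  check_wrapper_checksum "$1"
fi
```

A non-zero exit here means the build environment needs `unzip` installed before `./mvnw` is invoked, as in the workaround above.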

