This is an automated email from the ASF dual-hosted git repository.

jkf pushed a commit to branch 1.9.x
in repository https://gitbox.apache.org/repos/asf/ant.git

commit fb6d9b0d5d603d4339f5547a74f00833b221cc0a
Author: jkf <j...@famkruithof.net>
AuthorDate: Sun May 26 08:11:28 2019 +0200

    Validating contents of resources fetched via insecure channels
---
 fetch.xml                | 8 ++++++++
 lib/libraries.properties | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/fetch.xml b/fetch.xml
index 679aceb..106237d 100644
--- a/fetch.xml
+++ b/fetch.xml
@@ -342,6 +342,14 @@ Set -Ddest=LOCATION on the command line
   <target name="netrexx"
           description="load NetRexx compiler"
           
depends="init-no-m2,-setup-temp-cache,-fetch-netrexx,-fetch-netrexx-no-commons-net">
+    <checksum file="${temp.dir}/NetRexx.zip" algorithm="SHA-256" 
property="${netrexx.sha256}" verifyProperty="netrexx.hash.matches"/>
+    <fail message="NetRexx.zip fetched via ftp has an unexpected SHA-256 
checksum, the file may have been tampered with">
+       <condition>
+         <not>
+           <istrue value="${netrexx.hash.matches}"/>
+         </not>
+      </condition>
+    </fail>
     <copy todir="${dest.dir}" flatten="true">
       <zipfileset src="${temp.dir}/NetRexx.zip">
         <include name="NetRexx\lib\NetRexxC.jar"/>
diff --git a/lib/libraries.properties b/lib/libraries.properties
index 9ecbcfb..fcad671 100644
--- a/lib/libraries.properties
+++ b/lib/libraries.properties
@@ -28,6 +28,9 @@ m2.sha1.checksum=b09be554228d66d208e5fef5266844aacf443abc
 # Repository to use by default for fetching dependencies.
 m2.repo=http://repo1.maven.org/maven2/
 
+# hashes of libraries loaded over insecure connections
+netrexx.sha256=1f99f054e9b1e412d29823088f3fa7cfce90a7af25d907a60a6d7908a6b97ea4
+
 # Versions of different libraries. Please keep in alphabetical order, except
 # when a specific dependency forces them to be out-of-order
 ivy.version=2.4.0
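Review bot: The new `netrexx.sha256` entry records no provenance: nothing states which NetRexx release the digest corresponds to or where the reference value was taken from, so whoever next bumps the library has no way to tell whether a mismatch means tampering or simply a stale hash. Suggest expanding the comment to something like `# SHA-256 of NetRexx.zip for the pinned NetRexx version; recompute from a trusted copy whenever that version changes`, and, if a version property for NetRexx exists in the block below (not visible in this hunk), cross-referencing it by name.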
