You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/10/02 11:55:00 UTC

[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

    [ https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17612084#comment-17612084 ] 

ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------

slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264625016

   @raphw - next round ... please look at build result




> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
>                 Key: MWRAPPER-75
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-75
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
>            Reporter: Rafael Winterhalter
>            Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To prevent from an attack where a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.
> In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)