You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Rafael Winterhalter (Jira)" <ji...@apache.org> on 2022/08/03 07:07:00 UTC
[jira] [Created] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.
Rafael Winterhalter created MWRAPPER-75:
-------------------------------------------
Summary: Allow for sha256 checksum verification of downloaded artifacts.
Key: MWRAPPER-75
URL: https://issues.apache.org/jira/browse/MWRAPPER-75
Project: Maven Wrapper
Issue Type: Improvement
Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
Reporter: Rafael Winterhalter
Maven Wrapper is downloading binary artifacts that are later executed. To prevent from an attack where a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.
In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)