Posted to issues@maven.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/08/03 07:11:00 UTC

[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

    [ https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574549#comment-17574549 ] 

ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------

raphw opened a new pull request, #58:
URL: https://github.com/apache/maven-wrapper/pull/58

    Optionally verify checksums of downloaded binaries, both for the Maven wrapper jar and the actual Maven distribution.
    The verification is optional and is activated by adding checksums to the maven.properties file, either as
    'wrapperSha256Sum' (Maven wrapper) or as 'distributionSha256Sum' (Maven distribution).

    Following this checklist to help us incorporate your
    contribution quickly and easily:

    - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MWRAPPER) filed
          for the change (usually before you start working on it). Trivial changes like typos do not
          require a JIRA issue. Your pull request should address just this issue, without
          pulling in other changes.
    - [ ] Each commit in the pull request should have a meaningful subject line and body.
    - [ ] Format the pull request title like `[MWRAPPER-XXX] - Fixes bug in ApproximateQuantiles`,
          where you replace `MWRAPPER-XXX` with the appropriate JIRA issue. Best practice
          is to use the JIRA issue title in the pull request title and in the first line of the
          commit message.
    - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
    - [ ] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will
          be performed on your pull request automatically.
    - [ ] You have run the integration tests successfully (`mvn -Prun-its clean verify`).

    If your pull request is about ~20 lines of code you don't need to sign an
    [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf). If you are unsure,
    please ask on the developers list.

    To make clear that you license your contribution under
    the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
    you have to acknowledge this by using the following check-box.

    - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)

    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).

> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
>                 Key: MWRAPPER-75
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-75
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
>            Reporter: Rafael Winterhalter
>            Priority: Normal
>
> Maven Wrapper is downloading binary artifacts that are later executed. To prevent an attack where a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.
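The opt-in check described in the pull request and in the issue above, written out as an added POSIX sh example (not the maven-wrapper project's own script code): the expected digest is read from a key=value properties file under the `wrapperSha256Sum` / `distributionSha256Sum` key, the downloaded file is hashed, and a mismatch fails before anything is executed. The function names, the properties file path and the use of `sha256sum`/`shasum`/`openssl` as hashing tools are assumptions.

```shell
#!/bin/sh
# Added example, not code from the maven-wrapper project.

# Print the lowercase hex SHA-256 of file $1 using whichever tool the host has.
sha256_of_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  else
    echo "no SHA-256 tool available" >&2
    return 2
  fi
}

# Print the value of key $2 from the key=value properties file $1.
# Returns 1 (and prints nothing) when the key is absent, i.e. verification is not configured.
read_property() {
  _v=$(grep "^$2=" "$1" 2>/dev/null | head -n 1 | cut -d'=' -f2- | tr -d '[:space:]')
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# Compare file $1 against the expected hex digest $2 (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 when no hashing tool exists.
verify_sha256() {
  _want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  _got=$(sha256_of_file "$1") || return 2
  [ "$_got" = "$_want" ] && return 0
  echo "SHA-256 mismatch for $1: expected $_want, got $_got" >&2
  return 1
}

# Verify downloaded artifact $2 against property $3 in properties file $1.
# An absent property means the user did not opt in, so the download is accepted as-is;
# a present but non-matching property aborts (non-zero exit) before the artifact runs.
check_download() {
  _expected=$(read_property "$1" "$3") || return 0
  verify_sha256 "$2" "$_expected"
}
```

A wrapper script would call `check_download "$PROPS" "$WRAPPER_JAR" wrapperSha256Sum || exit 1` right after the download and before invoking the jar.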



--
This message was sent by Atlassian Jira
(v8.20.10#820010)