You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jorge Solórzano (Jira)" <ji...@apache.org> on 2023/01/25 18:21:00 UTC
[jira] [Created] (MWRAPPER-93) Distribution sha256 checksum not validated if the zip file was downloaded previously
Jorge Solórzano created MWRAPPER-93:
---------------------------------------
Summary: Distribution sha256 checksum not validated if the zip file was downloaded previously
Key: MWRAPPER-93
URL: https://issues.apache.org/jira/browse/MWRAPPER-93
Project: Maven Wrapper
Issue Type: Bug
Components: Maven Wrapper Jar
Affects Versions: 3.2.0
Reporter: Jorge Solórzano
If I make a first run without *distributionSha256Sum*, the Maven distribution will be downloaded without any checksum, this is the normal behavior.
But if I later add the *distributionSha256Sum* to the maven-wrapper.properties file, having downloaded previously the distribution, the checksum is not verified, I consider this a bug since even if the distribution is already downloaded and unpacked it could contain a compromised download.
The options *alwaysUnpack* and *alwaysDownload* triggers the verification and provides an extra layer of security, but normally the local zip should be verified always if the *distributionSha256Sum* is set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)