[jira] [Assigned] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

Slawomir Jaranowski (Jira) Mon, 12 Dec 2022 04:54:07 -0800


     [ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Slawomir Jaranowski reassigned MWRAPPER-75:
-------------------------------------------

    Assignee: Slawomir Jaranowski

> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
>                 Key: MWRAPPER-75
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-75
>             Project: Maven Wrapper
>          Issue Type: Improvement
>          Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>            Reporter: Rafael Winterhalter
>            Assignee: Slawomir Jaranowski
>            Priority: Normal
>             Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent from an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, i chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Assigned] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

Reply via email to