[
https://issues.apache.org/jira/browse/MWRAPPER-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838094#comment-17838094
]
Jorge Solórzano commented on MWRAPPER-93:
-----------------------------------------
Suppose that you already downloaded the maven distribution without the
*distributionSha256Sum* set, this could be a "malicious" download, then you add
the *distributionSha256Sum* but it will not check that the downloaded
distribution is the correct one.
Again, this could be solved by using *alwaysUnpack* or *alwaysDownload* to
ensure the validation is done and it's running the correct distribution, so
under that premise, this issue can be closed as Won't Fix.
> Distribution sha256 checksum not validated if the zip file was downloaded
> previously
> ------------------------------------------------------------------------------------
>
> Key: MWRAPPER-93
> URL: https://issues.apache.org/jira/browse/MWRAPPER-93
> Project: Maven Wrapper
> Issue Type: Bug
> Components: Maven Wrapper Jar
> Affects Versions: 3.2.0
> Reporter: Jorge Solórzano
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.3.0
>
>
> If I make a first run without *distributionSha256Sum*, the Maven distribution
> will be downloaded without any checksum, this is the normal behavior.
> But if I later add the *distributionSha256Sum* to the
> maven-wrapper.properties file, having downloaded previously the distribution,
> the checksum is not verified, I consider this a bug since even if the
> distribution is already downloaded and unpacked it could contain a
> compromised download.
> The options *alwaysUnpack* and *alwaysDownload* triggers the verification and
> provides an extra layer of security, but normally the local zip should be
> verified always if the *distributionSha256Sum* is set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
