>(since we don't know if the file is the right one). for that purpose, you should check the pgp signature against Apache Maven developers KEYS, which can't be tricked by anybody, unlike checksums hosted anywhere.
FTR, instructions "In order to guard against corrupted downloads/ installations" are there: https://maven.apache.org/download.cgi#files Regards, Hervé Le jeudi 14 septembre 2023, 18:25:01 CEST Alexis Tual a écrit : > Hi Nils, thanks for your quick response! > > Yeah, calculating the checksum yourself kind of defeats the purpose (since > we don't know if the file is the right one). > Although that's true I could use another available checksum, verify it and > then calculate the sha256. > But it would add complexity to the automated workflow I'm working on. I'll > fill a request ticket then. > > Thanks! > > Le jeu. 14 sept. 2023 à 18:17, Nils Breunese <n...@breun.nl> a écrit : > > Hi Alexis, > > > > I don’t know if SHA-256 hashes are published anywhere, but after verifying > > the other hashes that are published on Maven Central, you could calculate > > the SHA-256 hashes yourself. (I’m sorry if I’m being Captain Obvious > > here.) > > > > For the Maven distribution: > > > > ❯ shasum -a 256 > > ~/.m2/wrapper/dists/apache-maven-3.9.4-bin/*/apache-maven-3.9.4-bin.zip | > > awk ‘{ print $1 }' > > e896b60329a71b719d77bb4388b251a50aebcd73c62f69d510c858ce360afe0f > > > > And for the Maven Wrapper JAR in your project: > > > > ❯ shasum -a 256 .mvn/wrapper/maven-wrapper.jar | awk '{ print $1 }' > > e63a53cfb9c4d291ebe3c2b0edacb7622bbc480326beaa5a0456e412f52f066a > > > > But yes, I agree it would be nicer if Maven Central and/or release notes > > would contain the SHA-256 hashes for use with this feature. Maybe open a > > request ticket for that ( > > https://issues.apache.org/jira/secure/CreateIssue!default.jspa)? > > > > Nils. > > > > > Op 14 sep. 2023, om 16:29 heeft Alexis Tual <at...@gradle.com> het > > > > volgende geschreven: > > > Hi, > > > > > > I noticed the Maven wrapper supports setting the sha256 for both the > > > > > distributions and the wrapper jar: > > https://maven.apache.org/wrapper/#checksum-verification-of-downloaded-bina > > ries> > > > . > > > However I could not find those checksums in > > > https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/ nor > > > > https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrappe > > r > > . > > > > > Where are they located? > > > > > > Thanks for your help! > > > > > > -- > > > > > > Alexis Tual --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
