maven-wrapper
[MWRAPPER-97] sha256 checksum is not well supported for distributionType=only-script
James Z.M. Gao opened MWRAPPER-97 and commented
The entry scripts for distributionType=only-script may change the base name of the distribution URL, and then the fixed sha256 checksum in maven-wrapper.properties becomes invalid. These cases are:
- maven, type .zip: verify OK
- maven, type .tar.gz: verify FAIL
- mvnd: always FAIL, since the URL is dynamically decided based on OS and ARCH; the extension may also fall back to .tar.gz
To fix the issue, we need to store all possible checksums in the config file, and it would be better to have an easy and secure way to generate these checksums from the distribution URL or from the Apache site.
Affects: 3.2.0
1 votes, 4 watchers
Marcono1234 commented
For the Maven distribution, one case is here, right? https://github.com/apache/maven-wrapper/blob/maven-wrapper-3.3.2/maven-wrapper-distribution/src/resources/only-mvnw#L175-L179
```sh
# select .zip or .tar.gz
if ! command -v unzip >/dev/null; then
  distributionUrl="${distributionUrl%.zip}.tar.gz"
  distributionUrlName="${distributionUrl##*/}"
fi
```
James Z.M. Gao commented
Marcono1234 yes, this snip selects a proper url for downloading and uncompressing.
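The mismatch discussed in this thread, as an added example that is not code from maven-wrapper or from either commenter: one pinned digest cannot cover both archive names the rewrite can produce, so the check below looks up the pin by the resolved archive name and fails closed when none exists. The function names, the `have_unzip` parameter, the "archive-name=sha256" pin list and the `example.invalid` URL are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: function names and the "archive-name=sha256" pin list are hypothetical.

# Mirror of the quoted only-mvnw rewrite; have_unzip is a parameter (assumption)
# so both branches can be exercised without changing the host.
resolve_archive_name() {
  url=$1
  [ "$2" = yes ] || url="${url%.zip}.tar.gz"
  printf '%s\n' "${url##*/}"
}

# Print the pinned digest for one archive name, or nothing if it has no pin.
expected_sum_for() {
  printf '%s\n' "$2" | while IFS='=' read -r key value; do
    if [ "$key" = "$1" ]; then
      printf '%s\n' "$value"
      break
    fi
  done
}

sha256_of() {
  if command -v sha256sum >/dev/null; then
    sha256sum <"$1" | cut -d' ' -f1
  else
    shasum -a 256 <"$1" | cut -d' ' -f1
  fi
}

# Exit 0 only if the archive that was actually resolved has a pin and matches it;
# a missing pin (2) fails closed instead of skipping verification.
verify_archive() {
  want=$(expected_sum_for "$2" "$3")
  if [ -z "$want" ]; then
    echo "no checksum pinned for $2" >&2
    return 2
  fi
  if [ "$(sha256_of "$1")" != "$want" ]; then
    echo "checksum mismatch for $2" >&2
    return 1
  fi
}

# Constructed URL: one property value, two possible archive names.
demo_url="https://example.invalid/apache-maven-0.0.0-bin.zip"
resolve_archive_name "$demo_url" yes   # apache-maven-0.0.0-bin.zip
resolve_archive_name "$demo_url" no    # apache-maven-0.0.0-bin.tar.gz
```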