From 1564fbb03a103e26a2c4b3cd929feff5ef9220bf Mon Sep 17 00:00:00 2001 
From: Erik Meuwese Date: Thu, 13 Nov 2025 11:16:11 +0100 Subject: [PATCH 01/15] MWRAPPER-117 - added distributionSha512Sum and wrapperSha512Sum for verification with SHA-512 since Maven only publishes the SHA-512 checksum and not the SHA-256 checksum --- maven-wrapper-distribution/pom.xml | 2 +- maven-wrapper-distribution/src/resources/mvnw | 32 +++++++++ .../src/resources/mvnw.cmd | 19 +++++ .../src/resources/only-mvnw | 30 +++++++- .../src/resources/only-mvnw.cmd | 12 ++++ maven-wrapper-plugin/pom.xml | 2 +- .../it/projects/sha512_distribution/pom.xml | 69 ++++++++++++++++++ .../sha512_distribution/test.properties | 20 ++++++ .../sha512_distribution/verify.groovy | 35 +++++++++ .../projects/sha512_type_only-script/pom.xml | 71 +++++++++++++++++++ .../sha512_type_only-script/test.properties | 19 +++++ .../sha512_type_only-script/verify.groovy | 36 ++++++++++ .../src/it/projects/sha512_wrapper/pom.xml | 69 ++++++++++++++++++ .../projects/sha512_wrapper/test.properties | 19 +++++ .../it/projects/sha512_wrapper/verify.groovy | 36 ++++++++++ .../maven/plugins/wrapper/WrapperMojo.java | 26 ++++++- maven-wrapper/pom.xml | 2 +- .../org/apache/maven/wrapper/Installer.java | 9 +++ .../org/apache/maven/wrapper/Verifier.java | 2 + .../maven/wrapper/WrapperConfiguration.java | 10 +++ .../apache/maven/wrapper/WrapperExecutor.java | 3 + .../wrapper/HashAlgorithmVerifierTest.java | 27 +++++++ .../apache/maven/wrapper/InstallerTest.java | 5 +- pom.xml | 2 +- src/site/markdown/index.md | 6 +- 25 files changed, 550 insertions(+), 13 deletions(-) create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml create mode 100644 
maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy diff --git a/maven-wrapper-distribution/pom.xml b/maven-wrapper-distribution/pom.xml index 43df1a90..a124e5e8 100644 --- a/maven-wrapper-distribution/pom.xml +++ b/maven-wrapper-distribution/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT maven-wrapper-distribution diff --git a/maven-wrapper-distribution/src/resources/mvnw b/maven-wrapper-distribution/src/resources/mvnw index 6deb5c2b..85f4507e 100755 --- a/maven-wrapper-distribution/src/resources/mvnw +++ b/maven-wrapper-distribution/src/resources/mvnw 
@@ -310,6 +310,38 @@ if [ -n "$wrapperSha256Sum" ]; then fi fi +# If specified, validate the SHA-512 sum of the Maven wrapper jar file +wrapperSha512Sum="" +while IFS="=" read -r key value; do + case "$key" in wrapperSha512Sum) + wrapperSha512Sum=$(trim "${value-}") + break + ;; + esac +done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties" +if [ -n "$wrapperSha512Sum" ]; then + wrapperSha512Result=false + if command -v sha512sum >/dev/null; then + if echo "$wrapperSha512Sum $wrapperJarPath" | sha512sum -c - >/dev/null 2>&1; then + wrapperSha512Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$wrapperSha512Sum $wrapperJarPath" | shasum -a 512 -c >/dev/null 2>&1; then + wrapperSha512Result=true + fi + else + echo "Checksum validation was requested but neither 'sha512sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'wrapperSha512Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $wrapperSha512Result = false ]; then + echo "Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised." >&2 + echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2 + echo "If you updated your Maven version, you need to update the specified wrapperSha512Sum property." >&2 + exit 1 + fi +fi + MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" # For Cygwin, switch paths to Windows format before running java diff --git a/maven-wrapper-distribution/src/resources/mvnw.cmd b/maven-wrapper-distribution/src/resources/mvnw.cmd index 708460f9..1ad03ac5 100644 --- a/maven-wrapper-distribution/src/resources/mvnw.cmd +++ b/maven-wrapper-distribution/src/resources/mvnw.cmd 
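Review bot: The new SHA-512 block is a near-verbatim copy of the SHA-256 block it follows, differing only in the tool name, the `-a 512` argument and the property name, and the distribution check added to only-mvnw (`@@ -249,6 +250,33 @@`) repeats the pattern a third time; a small helper that takes the digest width, expected sum, file and property name would leave one place to maintain the tool lookup and the "no tool available" message. The helper below returns the status of the `-c` run so each caller keeps its own mismatch wording (the "Investigate or delete $wrapperJarPath" hint only applies to the jar). Independently of that, the message `neither 'sha512sum' or 'shasum'` should read `nor` (the same wording appears in the SHA-256 block and in only-mvnw).
```shell
# checksum_matches BITS EXPECTED FILE PROPERTY
# Returns 0 when FILE's SHA-BITS digest equals EXPECTED and 1 on mismatch;
# exits when neither sha<BITS>sum nor shasum is installed.
checksum_matches() {
  if command -v "sha$1sum" >/dev/null; then
    echo "$2  $3" | "sha$1sum" -c - >/dev/null 2>&1
  elif command -v shasum >/dev/null; then
    echo "$2  $3" | shasum -a "$1" -c >/dev/null 2>&1
  else
    echo "Checksum validation was requested but neither 'sha$1sum' nor 'shasum' are available." >&2
    echo "Please install either command, or disable validation by removing '$4' from your maven-wrapper.properties." >&2
    exit 1
  fi
}

# … unchanged: wrapperSha512Sum property parsing …
if [ -n "$wrapperSha512Sum" ] && ! checksum_matches 512 "$wrapperSha512Sum" "$wrapperJarPath" wrapperSha512Sum; then
  echo "Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised." >&2
  # … unchanged: remaining two error lines …
  exit 1
fi
```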
@@ -172,6 +172,25 @@ IF NOT %WRAPPER_SHA_256_SUM%=="" ( if ERRORLEVEL 1 goto error ) +@REM If specified, validate the SHA-512 sum of the Maven wrapper jar file +SET WRAPPER_SHA_512_SUM="" +FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( + IF "%%A"=="wrapperSha512Sum" SET WRAPPER_SHA_512_SUM=%%B +) +IF NOT %WRAPPER_SHA_512_SUM%=="" ( + powershell -Command "&{"^ + "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^ + "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA512).Hash.ToLower();"^ + "If('%WRAPPER_SHA_512_SUM%' -ne $hash){"^ + " Write-Error 'Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised.';"^ + " Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^ + " Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha512Sum property.';"^ + " exit 1;"^ + "}"^ + "}" + if ERRORLEVEL 1 goto error +) + @REM Provide a "standardized" way to retrieve the CLI args that will @REM work with both Windows and non-Windows executions. set MAVEN_CMD_LINE_ARGS=%* diff --git a/maven-wrapper-distribution/src/resources/only-mvnw b/maven-wrapper-distribution/src/resources/only-mvnw index 93373137..88471feb 100755 --- a/maven-wrapper-distribution/src/resources/only-mvnw +++ b/maven-wrapper-distribution/src/resources/only-mvnw 
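Review bot: The value captured by `SET WRAPPER_SHA_512_SUM=%%B` is compared raw in `If('%WRAPPER_SHA_512_SUM%' -ne $hash)`, whereas the POSIX mvnw passes the same property through `trim`; a property value with trailing whitespace therefore verifies on Linux/macOS but fails on Windows with the "might be compromised" message, which is a confusing way to report a formatting problem. This mirrors the existing SHA-256 block, so it is an inherited inconsistency rather than a new one, but it is cheap to close on the PowerShell side: `If('%WRAPPER_SHA_512_SUM%'.Trim() -ne $hash){`. Also note that PowerShell's `-ne` is case-insensitive for strings, so the `.ToLower()` on the computed hash is redundant (harmless, but a one-line comment saying the comparison is case-insensitive would stop someone "fixing" it to `-cne` later).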
@@ -108,11 +108,12 @@ trim() { scriptDir="$(dirname "$0")" scriptName="$(basename "$0")" -# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties +# parse distributionUrl and optional distributionSha256Sum or distributionSha512Sum, requires .mvn/wrapper/maven-wrapper.properties while IFS="=" read -r key value; do case "${key-}" in distributionUrl) distributionUrl=$(trim "${value-}") ;; distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; + distributionSha512Sum) distributionSha512Sum=$(trim "${value-}") ;; esac done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties" [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" 
@@ -249,6 +250,33 @@ if [ -n "${distributionSha256Sum-}" ]; then fi fi +# If specified, validate the SHA-512 sum of the Maven distribution zip file +if [ -n "${distributionSha512Sum-}" ]; then + distributionSha512Result=false + if [ "$MVN_CMD" = mvnd.sh ]; then + echo "Checksum validation is not supported for maven-mvnd." >&2 + echo "Please disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2 + exit 1 + elif command -v sha512sum >/dev/null; then + if echo "$distributionSha512Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha512sum -c - >/dev/null 2>&1; then + distributionSha512Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$distributionSha512Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 512 -c >/dev/null 2>&1; then + distributionSha512Result=true + fi + else + echo "Checksum validation was requested but neither 'sha512sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $distributionSha512Result = false ]; then + echo "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised." >&2 + echo "If you updated your Maven version, you need to update the specified distributionSha512Sum property." >&2 + exit 1 + fi +fi + # unzip and move if command -v unzip >/dev/null; then unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" diff --git a/maven-wrapper-distribution/src/resources/only-mvnw.cmd b/maven-wrapper-distribution/src/resources/only-mvnw.cmd index fc99db2f..e53321d7 100644 --- a/maven-wrapper-distribution/src/resources/only-mvnw.cmd +++ b/maven-wrapper-distribution/src/resources/only-mvnw.cmd 
@@ -146,6 +146,18 @@ if ($distributionSha256Sum) { } } +# If specified, validate the SHA-512 sum of the Maven distribution zip file +$distributionSha512Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha512Sum +if ($distributionSha512Sum) { + if ($USE_MVND) { + Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." + } + Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash + if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA512).Hash.ToLower() -ne $distributionSha512Sum) { + Write-Error "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha512Sum property." + } +} + # unzip and move Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null diff --git a/maven-wrapper-plugin/pom.xml b/maven-wrapper-plugin/pom.xml index baea971e..dae36254 100644 --- a/maven-wrapper-plugin/pom.xml +++ b/maven-wrapper-plugin/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT org.apache.maven.plugins diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml new file mode 100644 index 00000000..b8e83ddc --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml @@ -0,0 +1,69 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + + + + + + + + + + windows + + windows + + + .cmd + + + + 
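Review bot: `(Get-Content -Raw ... | ConvertFrom-StringData).distributionSha512Sum` reads and parses the whole properties file again just to pull one key; if the SHA-256 block above this hunk obtains its value the same way, parse once into a hashtable and read both keys from it: `$wrapperProps = Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData` and then `$distributionSha512Sum = $wrapperProps.distributionSha512Sum`. The ordering is right — the digest is checked before `Expand-Archive` runs — but both the mvnd branch and the mismatch branch stop the script only because `Write-Error` is terminating under `$ErrorActionPreference = "Stop"`, which is set outside this hunk; a one-line comment at the first `Write-Error` (`# terminating: $ErrorActionPreference is Stop`) would keep a later edit from turning the mismatch into a warning that falls through to the unzip.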
diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties new file mode 100644 index 00000000..c4e5afcb --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties @@ -0,0 +1,20 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +alwaysUnpack=true +type=bin +distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy new file mode 100644 index 00000000..27bcdf84 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy 
@@ -0,0 +1,35 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised.') + +// check "mvnw -v" output +assert log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml new file mode 100644 index 00000000..ccd5664a --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml 
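Review bot: All three new integration tests (this one, sha512_type_only-script and sha512_wrapper) use the same expected value `256cdc53…c881d`, which is the digest HashAlgorithmVerifierTest.sha512SumsMatch asserts for its unit-test fixture file, so each IT can only exercise the mismatch path and asserts the "Failed to validate ... SHA-512" message. A positive case with the published SHA-512 of the configured distribution (and of the wrapper jar) would also cover the `sha512sum` / `shasum -a 512` success branches and the PowerShell `Get-FileHash` branch, which the negative cases never reach; if the existing sha256 ITs follow the same negative-only convention this may be deliberate, but it is worth a comment in verify.groovy saying the checksum is intentionally wrong. This script additionally expects `Apache Maven ` in build.log while the other two assert its absence; a comment explaining why the distribution case still produces that output would make the three scripts easier to read side by side.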
@@ -0,0 +1,71 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + ${project.build.directory} + ${project.build.directory} + + + + + + + + + + windows + + windows + + + .cmd + + + + diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties new file mode 100644 index 00000000..466cbfc8 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +type=only-script +distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy new file mode 100644 index 00000000..d21329a8 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy 
@@ -0,0 +1,36 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised.') +assert !log.contains('shasum:') + +// check "mvnw -v" output +assert !log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml new file mode 100644 index 00000000..b8e83ddc --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml 
@@ -0,0 +1,69 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + + + + + + + + + + windows + + windows + + + .cmd + + + + diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties new file mode 100644 index 00000000..c1f2c705 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +type=bin +wrapperSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy new file mode 100644 index 00000000..919a8b28 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy 
@@ -0,0 +1,36 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('wrapperSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised.') +assert !log.contains('shasum:') + +// check "mvnw -v" output +assert !log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java b/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java index 6146ff88..e0ec554b 100644 --- a/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java 
+++ b/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java @@ -123,7 +123,14 @@ public class WrapperMojo extends AbstractMojo { */ @Parameter(property = "wrapperSha256Sum") private String wrapperSha256Sum; - + /** + * The expected SHA-512 checksum of the maven-wrapper.jar that is + * used to load the configured Maven distribution. + * + * @since 3.4.0 + */ + @Parameter(property = "wrapperSha512Sum") + private String wrapperSha512Sum; /** * The expected SHA-256 checksum of the Maven distribution that is * executed by the installed wrapper. @@ -132,7 +139,14 @@ public class WrapperMojo extends AbstractMojo { */ @Parameter(property = "distributionSha256Sum") private String distributionSha256Sum; - + /** + * The expected SHA-512 checksum of the Maven distribution that is + * executed by the installed wrapper. + * + * @since 3.4.0 + */ + @Parameter(property = "distributionSha512Sum") + private String distributionSha512Sum; /** * Determines if the Maven distribution should be downloaded * on every execution of the Maven wrapper. @@ -286,7 +300,7 @@ private void unpack(Artifact artifact, Path targetFolder) { unarchiver.setSourceFile(artifact.getFile()); if (!includeDebugScript) { unarchiver.setFileSelectors( - new FileSelector[] {fileInfo -> !fileInfo.getName().contains("Debug")}); + new FileSelector[]{fileInfo -> !fileInfo.getName().contains("Debug")}); } unarchiver.extract(); getLog().info("Unpacked " + buffer().strong(distributionType) + " type wrapper distribution " + artifact); 
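Review bot: The javadoc for `wrapperSha512Sum` (and for `distributionSha512Sum` in the next hunk) does not say how the new parameter relates to its SHA-256 counterpart; since the scripts and Installer.createDist check each property independently, both sums are verified when both are configured and neither is required. Suggest appending to each javadoc: `Can be combined with {@code wrapperSha256Sum}; when both are given, both sums are checked.` (and the equivalent sentence for `distributionSha256Sum`). The blank line between the `wrapperSha256Sum` field and the new javadoc was dropped in both hunks (`-` blank line with no `+` replacement), so the fields now run together, unlike the rest of the class.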
@@ -332,12 +346,18 @@ private void replaceProperties(String wrapperVersion, Path targetFolder) throws if (distributionSha256Sum != null) { out.append("distributionSha256Sum=" + distributionSha256Sum + System.lineSeparator()); } + if (distributionSha512Sum != null) { + out.append("distributionSha512Sum=" + distributionSha512Sum + System.lineSeparator()); + } if (!distributionType.equals(TYPE_ONLY_SCRIPT)) { out.append("wrapperUrl=" + wrapperUrl + System.lineSeparator()); } if (wrapperSha256Sum != null) { out.append("wrapperSha256Sum=" + wrapperSha256Sum + System.lineSeparator()); } + if (wrapperSha512Sum != null) { + out.append("wrapperSha512Sum=" + wrapperSha512Sum + System.lineSeparator()); + } if (alwaysDownload) { out.append("alwaysDownload=" + Boolean.TRUE + System.lineSeparator()); } diff --git a/maven-wrapper/pom.xml b/maven-wrapper/pom.xml index 1a6c9224..75385120 100644 --- a/maven-wrapper/pom.xml +++ b/maven-wrapper/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT maven-wrapper diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java index 177bb429..39e54857 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java @@ -67,6 +67,8 @@ public Path createDist(WrapperConfiguration configuration) throws Exception { boolean alwaysUnpack = configuration.isAlwaysUnpack(); boolean verifyDistributionSha256Sum = !configuration.getDistributionSha256Sum().isEmpty(); + boolean verifyDistributionSha512Sum = + !configuration.getDistributionSha512Sum().isEmpty(); PathAssembler.LocalDistribution localDistribution = pathAssembler.getDistribution(configuration); Path localZipFile = localDistribution.getZipFile(); 
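Review bot: The SHA-512 values are written into maven-wrapper.properties without any format check, so a `-DdistributionSha512Sum=` value with a typo, a stray trailing space or a SHA-256-length digest produces a wrapper that fails every run with "might be compromised" instead of a build-time error naming the bad parameter. The mojo knows which algorithm each property means, so it can reject anything that is not 128 lowercase hex characters (the form the site documentation asks for) before writing: `if (distributionSha512Sum != null && !distributionSha512Sum.matches("[0-9a-f]{128}")) { throw new MojoExecutionException("distributionSha512Sum must be the 128-character lowercase hex SHA-512 of the distribution"); }`, and likewise for `wrapperSha512Sum` (use whichever exception type replaceProperties already declares; its `throws` clause is cut off by the hunk header). Secondary: `wrapperSha512Sum` is written even for the `only-script` type, where no wrapper jar exists — this mirrors the existing `wrapperSha256Sum` handling, but it could sit under the same `!distributionType.equals(TYPE_ONLY_SCRIPT)` guard used for `wrapperUrl`. replaceProperties continues outside the hunk.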
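Review bot: `!configuration.getDistributionSha512Sum().isEmpty()` throws NullPointerException for any WrapperConfiguration whose new field was never set: the field added in WrapperConfiguration (`@@ -45,6 +45,8 @@`) has no initializer, only `WrapperExecutor.forWrapperPropertiesFile` defaults it to `""`, and the `configuration.setDistributionSha512Sum("")` the commit has to add to InstallerTest.setup is a symptom of exactly that. The context lines show the SHA-256 field and test follow the same pattern, so this is inherited, but initializing the field removes the trap for both: `private String distributionSha512Sum = "";` (and the same for the SHA-256 field), or guard here with `configuration.getDistributionSha512Sum() != null && ...`. createDist continues outside the hunk.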
@@ -97,6 +99,13 @@ public Path createDist(WrapperConfiguration configuration) throws Exception { Verifier.SHA_256_ALGORITHM, configuration.getDistributionSha256Sum()); } + if (verifyDistributionSha512Sum) { + verifier.verify( + localZipFile, + "distributionSha512Sum", + Verifier.SHA_512_ALGORITHM, + configuration.getDistributionSha512Sum()); + } for (Path dir : dirs) { Logger.info("Deleting directory " + dir.toAbsolutePath()); deleteDir(dir); diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java index 623f57a3..067cebea 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java @@ -29,5 +29,7 @@ public interface Verifier { String SHA_256_ALGORITHM = "SHA-256"; + String SHA_512_ALGORITHM = "SHA-512"; + void verify(Path file, String property, String algorithm, String expectedSum) throws Exception; } diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java index c42bad9d..b1b9ed3d 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java @@ -45,6 +45,8 @@ public class WrapperConfiguration { private String distributionSha256Sum; + private String distributionSha512Sum; + public boolean isAlwaysDownload() { return alwaysDownload; } 
@@ -105,7 +107,15 @@ public String getDistributionSha256Sum() { return distributionSha256Sum; } + public String getDistributionSha512Sum() { + return distributionSha512Sum; + } + public void setDistributionSha256Sum(String distributionSha256Sum) { this.distributionSha256Sum = distributionSha256Sum; } + + public void setDistributionSha512Sum(String distributionSha512Sum) { + this.distributionSha512Sum = distributionSha512Sum; + } } diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java index 5b7ace9f..14a53763 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java @@ -49,6 +49,8 @@ public class WrapperExecutor { public static final String DISTRIBUTION_SHA_256_SUM = "distributionSha256Sum"; + public static final String DISTRIBUTION_SHA_512_SUM = "distributionSha512Sum"; + public static final String ALWAYS_DOWNLOAD = "alwaysDownload"; public static final String ALWAYS_UNPACK = "alwaysUnpack"; @@ -85,6 +87,7 @@ public static WrapperExecutor forWrapperPropertiesFile(Path propertiesFile) { config.setZipPath(Paths.get( getProperty(ZIP_STORE_PATH_PROPERTY, config.getZipPath().toString()))); config.setDistributionSha256Sum(getProperty(DISTRIBUTION_SHA_256_SUM, "")); + config.setDistributionSha512Sum(getProperty(DISTRIBUTION_SHA_512_SUM, "")); config.setAlwaysUnpack(Boolean.parseBoolean(getProperty(ALWAYS_UNPACK, Boolean.FALSE.toString()))); config.setAlwaysDownload(Boolean.parseBoolean(getProperty(ALWAYS_DOWNLOAD, Boolean.FALSE.toString()))); } catch (Exception e) { diff --git a/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java b/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java index 498ee563..b34a42db 100644 
--- a/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java +++ b/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java @@ -57,6 +57,15 @@ void sha256SumsMatch() throws Exception { "7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb"); } + @Test + void sha512SumsMatch() throws Exception { + verifier.verify( + file, + "property", + Verifier.SHA_512_ALGORITHM, + "256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d"); + } + @Test void sha256SumsDoNotMatch() throws Exception { try { @@ -74,4 +83,22 @@ void sha256SumsDoNotMatch() throws Exception { e.getMessage()); } } + + @Test + void sha512SumsDoNotMatch() throws Exception { + try { + verifier.verify( + file, + "prop", + Verifier.SHA_512_ALGORITHM, + "03e2d65d4483a3396980629f260e25cac0d8b6f7f2791e4dc20bc83f9514db8d0f05b0479e699a5f34679250c49c8e52e961262ded468a20de0be254d8207076"); + fail("Expected RuntimeException"); + } catch (RuntimeException e) { + assertEquals( + "Failed to validate Maven distribution SHA-512, your Maven " + + "distribution might be compromised. If you updated your Maven version, " + + "you need to update the specified prop property.", + e.getMessage()); + } + } } diff --git a/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java b/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java index 04731eaa..f456415f 100644 --- a/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java +++ b/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java 
@@ -91,6 +91,7 @@ void setup() throws Exception { configuration.setAlwaysDownload(false); configuration.setAlwaysUnpack(false); configuration.setDistributionSha256Sum(""); + configuration.setDistributionSha512Sum(""); distributionDir = testDir.resolve("someDistPath"); mavenHomeDir = distributionDir.resolve("maven-0.9"); zipStore = testDir.resolve("zips"); @@ -120,7 +121,7 @@ private void createTestZip(Path zipDestination) throws Exception { writer.write("something"); } try (OutputStream os = Files.newOutputStream(mavenLib); - JarOutputStream jar = new JarOutputStream(os, new Manifest())) { + JarOutputStream jar = new JarOutputStream(os, new Manifest())) { jar.putNextEntry(new ZipEntry("test")); jar.closeEntry(); } @@ -227,7 +228,7 @@ void testZipSlip() throws URISyntaxException { public void zipTo(final Path directoryToZip, final Path zipFile) throws IOException { // Creating a ZipOutputStream by wrapping a OutputStream try (OutputStream fos = Files.newOutputStream(zipFile); - ZipOutputStream zos = new ZipOutputStream(fos)) { + ZipOutputStream zos = new ZipOutputStream(fos)) { // Walk the tree structure using WalkFileTree method Files.walkFileTree(directoryToZip, new SimpleFileVisitor() { @Override diff --git a/pom.xml b/pom.xml index 4b547d42..a7378b39 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT pom Apache Maven Wrapper diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index 471a0216..fead08f8 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md 
@@ -192,10 +192,10 @@ used.
 To avoid supply-chain-attacks by downloading a corrupted artifact, it is
 possible to specify checksums for both the *maven-wrapper.jar* and the
 downloaded distribution. To apply verification, add the expected
-file's SHA-256 sum in hex notation, using only small caps, to
+file's SHA-256 or SHA-512 sum in hex notation, using only small caps, to
 `maven-wrapper.properties`. The property for validating the
-*maven-wrapper.jar* file is named `wrapperSha256Sum` whereas the
-distribution file property is named `distributionSha256Sum`.
+*maven-wrapper.jar* file are named `wrapperSha256Sum` and `wrapperSha512Sum` whereas the
+distribution file property are named `distributionSha256Sum` and `distributionSha512Sum`.

 ## Internals

From 93c507d972c754d3b9f13c5b82169805d6c084d2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 23 Nov 2025 10:10:08 +0100
Subject: [PATCH 02/15] Bump actions/checkout from 5 to 6 (#386)

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-version: '6'
 dependency-type: direct:production
 update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/shellcheck-posix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/shellcheck-posix.yml b/.github/workflows/shellcheck-posix.yml
index 2d73e0ad..807eccfb 100644
--- a/.github/workflows/shellcheck-posix.yml
+++ b/.github/workflows/shellcheck-posix.yml
@@ -31,7 +31,7 @@ jobs: # SC2009: Don't consider pgrep, not available everywhere; https://www.shellcheck.net/wiki/SC2009 SHELLCHECK_OPTS: '-e SC1091 -e SC2009' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: download run: | curl --silent --fail --show-error --retry 2 --retry-delay 1 --connect-timeout 5 --location --url "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" -o shellcheck-v${SHELLCHECK_VERSION}.tar.xz From 64dce35d8c0191d22436af5c47fd038b3fef6479 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Dec 2025 19:46:26 +0100 Subject: [PATCH 03/15] Bump org.apache.maven.resolver:maven-resolver-api from 1.9.24 to 1.9.25 (#387) Bumps [org.apache.maven.resolver:maven-resolver-api](https://github.com/apache/maven-resolver) from 1.9.24 to 1.9.25. - [Release notes](https://github.com/apache/maven-resolver/releases) - [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.24...maven-resolver-1.9.25) --- updated-dependencies: - dependency-name: org.apache.maven.resolver:maven-resolver-api dependency-version: 1.9.25 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- maven-wrapper-plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/maven-wrapper-plugin/pom.xml b/maven-wrapper-plugin/pom.xml index baea971e..a1e7efd3 100644 --- a/maven-wrapper-plugin/pom.xml +++ b/maven-wrapper-plugin/pom.xml @@ -74,7 +74,7 @@ under the License. org.apache.maven.resolver maven-resolver-api - 1.9.24 + 1.9.25 provided From ecfa913386f2a68d71431e9d4e204e088d9550cf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Dec 2025 05:51:24 +0100 Subject: [PATCH 04/15] Bump mavenVersion from 3.9.11 to 3.9.12 (#388) Bumps `mavenVersion` from 3.9.11 to 3.9.12. Updates `org.apache.maven:maven-core` from 3.9.11 to 3.9.12 Updates `org.apache.maven:maven-plugin-api` from 3.9.11 to 3.9.12 - [Release notes](https://github.com/apache/maven/releases) - [Commits](https://github.com/apache/maven/compare/maven-3.9.11...maven-3.9.12) Updates `org.apache.maven:maven-settings` from 3.9.11 to 3.9.12 --- updated-dependencies: - dependency-name: org.apache.maven:maven-core dependency-version: 3.9.12 dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.apache.maven:maven-plugin-api dependency-version: 3.9.12 dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.apache.maven:maven-settings dependency-version: 3.9.12 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4b547d42..0b127f65 100644 --- a/pom.xml +++ b/pom.xml @@ -64,7 +64,7 @@ under the License. tools-archives/wrapper-LATEST - 3.9.11 + 3.9.12 8 3.6.2 From 2c78a2305d374e996b6cffd827ad4a1672f9e4ea Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 06:42:45 +0100 Subject: [PATCH 05/15] Bump org.codehaus.mojo:exec-maven-plugin from 3.6.2 to 3.6.3 (#389) Bumps [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) from 3.6.2 to 3.6.3. - [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases) - [Commits](https://github.com/mojohaus/exec-maven-plugin/compare/3.6.2...3.6.3) --- updated-dependencies: - dependency-name: org.codehaus.mojo:exec-maven-plugin dependency-version: 3.6.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0b127f65..072574a5 100644 --- a/pom.xml +++ b/pom.xml @@ -66,7 +66,7 @@ under the License. tools-archives/wrapper-LATEST 3.9.12 8 - 3.6.2 + 3.6.3 3.14.1 From bb62ef7511cb96bd4ba9bf590eccd9e369496a3b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 7 Jan 2026 06:54:15 +0100 Subject: [PATCH 06/15] Bump org.apache.maven:maven-parent from 45 to 46 (#390) Bumps [org.apache.maven:maven-parent](https://github.com/apache/maven-parent) from 45 to 46. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven:maven-parent dependency-version: '46' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 072574a5..da9c77a5 100644 --- a/pom.xml +++ b/pom.xml 
@@ -23,7 +23,7 @@ under the License. org.apache.maven maven-parent - 45 + 46 org.apache.maven.wrapper From e0f41e5ff4c9dbb793e02cef590183d179a31507 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 06:12:47 +0100 Subject: [PATCH 07/15] Bump org.codehaus.plexus:plexus-archiver from 4.10.4 to 4.11.0 (#391) Bumps [org.codehaus.plexus:plexus-archiver](https://github.com/codehaus-plexus/plexus-archiver) from 4.10.4 to 4.11.0. - [Release notes](https://github.com/codehaus-plexus/plexus-archiver/releases) - [Changelog](https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md) - [Commits](https://github.com/codehaus-plexus/plexus-archiver/compare/plexus-archiver-4.10.4...plexus-archiver-4.11.0) --- updated-dependencies: - dependency-name: org.codehaus.plexus:plexus-archiver dependency-version: 4.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- maven-wrapper-plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/maven-wrapper-plugin/pom.xml b/maven-wrapper-plugin/pom.xml index a1e7efd3..fb800ef2 100644 --- a/maven-wrapper-plugin/pom.xml +++ b/maven-wrapper-plugin/pom.xml @@ -64,7 +64,7 @@ under the License. org.codehaus.plexus plexus-archiver - 4.10.4 + 4.11.0 org.codehaus.plexus From 5d65ea1edd3f707c209f7b807fdd6541b56cdd93 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jan 2026 05:49:13 +0100 Subject: [PATCH 08/15] Bump org.apache.maven:maven-parent from 46 to 47 (#392) Bumps [org.apache.maven:maven-parent](https://github.com/apache/maven-parent) from 46 to 47. - [Release notes](https://github.com/apache/maven-parent/releases) - [Commits](https://github.com/apache/maven-parent/commits) --- updated-dependencies: - dependency-name: org.apache.maven:maven-parent dependency-version: '47' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index da9c77a5..900ee926 100644 --- a/pom.xml +++ b/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven maven-parent - 46 + 47 org.apache.maven.wrapper From 4ab5304132fe4287fea8c0f3961ab0675d5ff47a Mon Sep 17 00:00:00 2001 From: Emil Lindholm Brandt Date: Sat, 17 Jan 2026 07:24:10 +0100 Subject: [PATCH 09/15] Add --strict flag to sha256sum verification Without it, the macOS implementation exits with code 0 for malformed input, triggering a false positive --- maven-wrapper-distribution/src/resources/mvnw | 2 +- maven-wrapper-distribution/src/resources/only-mvnw | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/maven-wrapper-distribution/src/resources/mvnw b/maven-wrapper-distribution/src/resources/mvnw index 6deb5c2b..df1a80ac 100755 --- a/maven-wrapper-distribution/src/resources/mvnw +++ b/maven-wrapper-distribution/src/resources/mvnw 
@@ -290,7 +290,7 @@ done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
 if [ -n "$wrapperSha256Sum" ]; then
 wrapperSha256Result=false
 if command -v sha256sum >/dev/null; then
- if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c - >/dev/null 2>&1; then
+ if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c --strict - >/dev/null 2>&1; then
 wrapperSha256Result=true
 fi
 elif command -v shasum >/dev/null; then
diff --git a/maven-wrapper-distribution/src/resources/only-mvnw b/maven-wrapper-distribution/src/resources/only-mvnw
index 93373137..b4861c00 100755
--- a/maven-wrapper-distribution/src/resources/only-mvnw
+++ b/maven-wrapper-distribution/src/resources/only-mvnw
@@ -230,7 +230,7 @@ if [ -n "${distributionSha256Sum-}" ]; then
 echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
 exit 1
 elif command -v sha256sum >/dev/null; then
- if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then
+ if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c --strict - >/dev/null 2>&1; then
 distributionSha256Result=true
 fi
 elif command -v shasum >/dev/null; then
From 7443d4eebc98734709481f7c5140d027566da310 Mon Sep 17 00:00:00 2001
From: Marshal Hayes <17213165+marshalhayes@users.noreply.github.com>
Date: Sun, 9 Nov 2025 15:35:17 -0600
Subject: [PATCH 10/15] Allow m2 path to be hidden on Windows

---
 maven-wrapper-distribution/src/resources/only-mvnw.cmd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/maven-wrapper-distribution/src/resources/only-mvnw.cmd b/maven-wrapper-distribution/src/resources/only-mvnw.cmd
index fc99db2f..fd5f5ccd 100644
--- a/maven-wrapper-distribution/src/resources/only-mvnw.cmd
+++ b/maven-wrapper-distribution/src/resources/only-mvnw.cmd
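Review bot: `--strict` is added only to the `sha256sum` branch; the `shasum -a 256 -c` fallback that follows (its `elif` is the last context line of both hunks, the call itself is outside them) is what macOS hosts without `sha256sum` use, and Perl's shasum likewise treats an improperly formatted checksum line as a warning with exit status 0 unless given its own `--strict`, as far as I can tell from its manual. So the false positive the commit message describes still exists on those hosts; `shasum -a 256 -c --strict` closes it. A guard that does not depend on either implementation's handling of malformed lines is to reject a value that is not 64 lowercase hex characters before hashing anything, e.g. `printf '%s\n' "$wrapperSha256Sum" | grep -Eq '^[0-9a-f]{64}$'` and otherwise print the existing error and `exit 1`.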
@@ -89,10 +89,10 @@ if (-not (Test-Path -Path $MAVEN_M2_PATH)) {
 }

 $MAVEN_WRAPPER_DISTS = $null
-if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) {
+if ((Get-Item -Path $MAVEN_M2_PATH -Force).Target[0] -eq $null) {
 $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists"
 } else {
- $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists"
+ $MAVEN_WRAPPER_DISTS = (Get-Item -Path $MAVEN_M2_PATH -Force).Target[0] + "/wrapper/dists"
 }

 $MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain"
From df870750755cf3d8585bc2889b43236021cfa1dc Mon Sep 17 00:00:00 2001
From: IdiotCult <235524555+idiotcult@users.noreply.github.com>
Date: Wed, 1 Oct 2025 22:06:13 +0200
Subject: [PATCH 11/15] Fix premature output of distribution URL

---
 maven-wrapper-distribution/src/resources/only-mvnw | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/maven-wrapper-distribution/src/resources/only-mvnw b/maven-wrapper-distribution/src/resources/only-mvnw
index b4861c00..2a846723 100755
--- a/maven-wrapper-distribution/src/resources/only-mvnw
+++ b/maven-wrapper-distribution/src/resources/only-mvnw
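Review bot: `Get-Item -Path` still treats `[`, `]`, `*` and `?` in `$MAVEN_M2_PATH` as wildcards, so a profile or user-home directory containing such characters resolves to a different item or to nothing, and `.Target[0]` is then evaluated on `$null`; `-LiteralPath` together with the new `-Force` avoids that. The item is also fetched twice, and `-eq $null` keeps `$null` on the right, which PSScriptAnalyzer flags because a left-hand collection turns the comparison into a filter. I would fetch once: `$m2Item = Get-Item -LiteralPath $MAVEN_M2_PATH -Force`, then `if ($null -eq $m2Item.Target[0]) {` and `$MAVEN_WRAPPER_DISTS = $m2Item.Target[0] + "/wrapper/dists"`. Where `$MAVEN_M2_PATH` is derived is outside the hunk, so whether it can carry such characters is an assumption to confirm.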
@@ -170,17 +170,17 @@ fi
 mkdir -p -- "${MAVEN_HOME%/*}"

-# Download and Install Apache Maven
-verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
-verbose "Downloading from: $distributionUrl"
-verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
-
 # select .zip or .tar.gz
 if ! command -v unzip >/dev/null; then
 distributionUrl="${distributionUrl%.zip}.tar.gz"
 distributionUrlName="${distributionUrl##*/}"
 fi

+# Download and Install Apache Maven
+verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+verbose "Downloading from: $distributionUrl"
+verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
 # verbose opt
 __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR=''
 [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v
From eb05003739088e972f50f33c2ac6993c9a63617c Mon Sep 17 00:00:00 2001
From: Guillaume Nodet
Date: Fri, 25 Jul 2025 06:17:12 +0200
Subject: [PATCH 12/15] Also test with Maven 4

---
 .github/workflows/maven-verify.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/maven-verify.yml b/.github/workflows/maven-verify.yml
index f213d075..c52e4b99 100644
--- a/.github/workflows/maven-verify.yml
+++ b/.github/workflows/maven-verify.yml
@@ -27,3 +27,4 @@ jobs:
 uses: apache/maven-gh-actions-shared/.github/workflows/maven-verify.yml@v4
 with:
 verify-fail-fast: false
+ maven4-enabled: true
From 32540155a0679bc498638ec6402571aa07fa0a68 Mon Sep 17 00:00:00 2001
From: Jeremy Landis Date: Sat, 17 Jan 2026 16:24:25 -0500 Subject: [PATCH 13/15] Normalization: Ensure end of file markers per git standards and tabs as spaces (#361) --- .../src/resources/mvnw.cmd | 12 ++++---- .../src/resources/only-mvnw | 28 +++++++++---------- .../src/it/projects/default/pom.xml | 2 +- .../src/it/projects/includeDebug/pom.xml | 2 +- .../it/projects/includeDebug/test.properties | 2 +- .../src/it/projects/mavenversion/pom.xml | 2 +- .../it/projects/mavenversion/test.properties | 2 +- .../sha256_distribution/test.properties | 2 +- .../sha256_type_only-script/test.properties | 2 +- .../projects/sha256_wrapper/test.properties | 2 +- .../src/it/projects/type_bin/pom.xml | 2 +- .../src/it/projects/type_bin/test.properties | 2 +- .../type_only-script-fail/test.properties | 2 +- .../src/it/projects/type_script/pom.xml | 2 +- .../it/projects/type_script/test.properties | 2 +- .../src/it/projects/type_source/pom.xml | 2 +- .../it/projects/type_source/test.properties | 2 +- .../src/it/projects/type_unknown/pom.xml | 2 +- .../.mvn/wrapper/maven-wrapper.properties | 2 +- .../upgrade_with_existing_type/pom.xml | 2 +- src/site/markdown/CHANGELOG.old.md | 2 +- src/site/resources/download.cgi | 2 +- 22 files changed, 40 insertions(+), 40 deletions(-) diff --git a/maven-wrapper-distribution/src/resources/mvnw.cmd b/maven-wrapper-distribution/src/resources/mvnw.cmd index 708460f9..97fff177 100644 --- a/maven-wrapper-distribution/src/resources/mvnw.cmd +++ b/maven-wrapper-distribution/src/resources/mvnw.cmd 
@@ -141,12 +141,12 @@ if exist %WRAPPER_JAR% ( ) powershell -Command "&{"^ - "$webclient = new-object System.Net.WebClient;"^ - "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ - "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ - "}"^ - "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^ - "}" + "$webclient = new-object System.Net.WebClient;"^ + "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ + "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ + "}"^ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^ + "}" if "%MVNW_VERBOSE%" == "true" ( echo Finished downloading %WRAPPER_JAR% ) diff --git a/maven-wrapper-distribution/src/resources/only-mvnw b/maven-wrapper-distribution/src/resources/only-mvnw index 2a846723..402d622d 100755 --- a/maven-wrapper-distribution/src/resources/only-mvnw +++ b/maven-wrapper-distribution/src/resources/only-mvnw 
@@ -201,20 +201,20 @@ elif set_java_home; then verbose "Falling back to use Java to download" javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" - cat >"$javaSource" <<-END - public class Downloader extends java.net.Authenticator - { - protected java.net.PasswordAuthentication getPasswordAuthentication() - { - return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); - } - public static void main( String[] args ) throws Exception - { - setDefault( new Downloader() ); - java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); - } - } - END + cat >"$javaSource" < - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/includeDebug/pom.xml b/maven-wrapper-plugin/src/it/projects/includeDebug/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/includeDebug/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/includeDebug/pom.xml @@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/includeDebug/test.properties b/maven-wrapper-plugin/src/it/projects/includeDebug/test.properties index 0f1a0a6f..e93b3a71 100644 --- a/maven-wrapper-plugin/src/it/projects/includeDebug/test.properties +++ b/maven-wrapper-plugin/src/it/projects/includeDebug/test.properties @@ -15,4 +15,4 @@ # specific language governing permissions and limitations # under the License. -includeDebug=true \ No newline at end of file +includeDebug=true diff --git a/maven-wrapper-plugin/src/it/projects/mavenversion/pom.xml b/maven-wrapper-plugin/src/it/projects/mavenversion/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/mavenversion/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/mavenversion/pom.xml 
@@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/mavenversion/test.properties b/maven-wrapper-plugin/src/it/projects/mavenversion/test.properties index 28146008..ef6174ec 100644 --- a/maven-wrapper-plugin/src/it/projects/mavenversion/test.properties +++ b/maven-wrapper-plugin/src/it/projects/mavenversion/test.properties @@ -15,4 +15,4 @@ # specific language governing permissions and limitations # under the License. -maven=3.6.3 \ No newline at end of file +maven=3.6.3 diff --git a/maven-wrapper-plugin/src/it/projects/sha256_distribution/test.properties b/maven-wrapper-plugin/src/it/projects/sha256_distribution/test.properties index c8a102d4..30451a7c 100644 --- a/maven-wrapper-plugin/src/it/projects/sha256_distribution/test.properties +++ b/maven-wrapper-plugin/src/it/projects/sha256_distribution/test.properties @@ -17,4 +17,4 @@ alwaysUnpack=true type=bin -distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb \ No newline at end of file +distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb diff --git a/maven-wrapper-plugin/src/it/projects/sha256_type_only-script/test.properties b/maven-wrapper-plugin/src/it/projects/sha256_type_only-script/test.properties index 8a731bcb..cbf51476 100644 --- a/maven-wrapper-plugin/src/it/projects/sha256_type_only-script/test.properties +++ b/maven-wrapper-plugin/src/it/projects/sha256_type_only-script/test.properties @@ -16,4 +16,4 @@ # under the License. type=only-script -distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb \ No newline at end of file +distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb diff --git a/maven-wrapper-plugin/src/it/projects/sha256_wrapper/test.properties b/maven-wrapper-plugin/src/it/projects/sha256_wrapper/test.properties index 64dd8552..79e34614 100644 
--- a/maven-wrapper-plugin/src/it/projects/sha256_wrapper/test.properties +++ b/maven-wrapper-plugin/src/it/projects/sha256_wrapper/test.properties @@ -16,4 +16,4 @@ # under the License. type=bin -wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb \ No newline at end of file +wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb diff --git a/maven-wrapper-plugin/src/it/projects/type_bin/pom.xml b/maven-wrapper-plugin/src/it/projects/type_bin/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/type_bin/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/type_bin/pom.xml @@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/type_bin/test.properties b/maven-wrapper-plugin/src/it/projects/type_bin/test.properties index b77cbfdd..4ed9b1df 100644 --- a/maven-wrapper-plugin/src/it/projects/type_bin/test.properties +++ b/maven-wrapper-plugin/src/it/projects/type_bin/test.properties @@ -15,4 +15,4 @@ # specific language governing permissions and limitations # under the License. -type=bin \ No newline at end of file +type=bin diff --git a/maven-wrapper-plugin/src/it/projects/type_only-script-fail/test.properties b/maven-wrapper-plugin/src/it/projects/type_only-script-fail/test.properties index 725ecf89..84769f45 100644 --- a/maven-wrapper-plugin/src/it/projects/type_only-script-fail/test.properties +++ b/maven-wrapper-plugin/src/it/projects/type_only-script-fail/test.properties @@ -16,4 +16,4 @@ # under the License. type=only-script -maven=0.0.0 \ No newline at end of file +maven=0.0.0 diff --git a/maven-wrapper-plugin/src/it/projects/type_script/pom.xml b/maven-wrapper-plugin/src/it/projects/type_script/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/type_script/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/type_script/pom.xml 
@@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/type_script/test.properties b/maven-wrapper-plugin/src/it/projects/type_script/test.properties index 18216806..6f23499b 100644 --- a/maven-wrapper-plugin/src/it/projects/type_script/test.properties +++ b/maven-wrapper-plugin/src/it/projects/type_script/test.properties @@ -15,4 +15,4 @@ # specific language governing permissions and limitations # under the License. -type=script \ No newline at end of file +type=script diff --git a/maven-wrapper-plugin/src/it/projects/type_source/pom.xml b/maven-wrapper-plugin/src/it/projects/type_source/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/type_source/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/type_source/pom.xml @@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/maven-wrapper-plugin/src/it/projects/type_source/test.properties b/maven-wrapper-plugin/src/it/projects/type_source/test.properties index 1c83fbb0..47b85b87 100644 --- a/maven-wrapper-plugin/src/it/projects/type_source/test.properties +++ b/maven-wrapper-plugin/src/it/projects/type_source/test.properties @@ -15,4 +15,4 @@ # specific language governing permissions and limitations # under the License. -type=source \ No newline at end of file +type=source diff --git a/maven-wrapper-plugin/src/it/projects/type_unknown/pom.xml b/maven-wrapper-plugin/src/it/projects/type_unknown/pom.xml index ed54d551..4baf722d 100644 --- a/maven-wrapper-plugin/src/it/projects/type_unknown/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/type_unknown/pom.xml @@ -26,4 +26,4 @@ under the License. extension 1.0.0-SNAPSHOT pom - \ No newline at end of file + 
diff --git a/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/.mvn/wrapper/maven-wrapper.properties b/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/.mvn/wrapper/maven-wrapper.properties index 3ba43029..cc8e886c 100644 --- a/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/.mvn/wrapper/maven-wrapper.properties +++ b/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/.mvn/wrapper/maven-wrapper.properties @@ -16,4 +16,4 @@ # under the License. distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.5/apache-maven-3.9.5-bin.zip distributionType=bin -wrapperVersion=3.3.1 \ No newline at end of file +wrapperVersion=3.3.1 diff --git a/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/pom.xml b/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/pom.xml index 2a01d776..a8c9a6d5 100644 --- a/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/pom.xml +++ b/maven-wrapper-plugin/src/it/projects/upgrade_with_existing_type/pom.xml @@ -63,4 +63,4 @@ under the License. - \ No newline at end of file + diff --git a/src/site/markdown/CHANGELOG.old.md b/src/site/markdown/CHANGELOG.old.md index c6b0a82e..1c4e619e 100644 --- a/src/site/markdown/CHANGELOG.old.md +++ b/src/site/markdown/CHANGELOG.old.md @@ -51,7 +51,7 @@ at an easier glance. - fixes https://github.com/takari/maven-wrapper/issues/109 - see https://github.com/takari/maven-wrapper/pull/111 - contributed by Piotrek Żygieło https://github.com/pzygielo and - Sebastian Peters https://github.com/sepe81, + Sebastian Peters https://github.com/sepe81, Release performed by Manfred Moser - http://www.simpligility.com diff --git a/src/site/resources/download.cgi b/src/site/resources/download.cgi index 1b178d2e..4af6dd9d 100644 --- a/src/site/resources/download.cgi +++ b/src/site/resources/download.cgi 
@@ -19,4 +19,4 @@ # # Just call the standard mirrors.cgi script. It will use download.html # as the input template. -exec /www/www.apache.org/dyn/mirrors/mirrors.cgi $* \ No newline at end of file +exec /www/www.apache.org/dyn/mirrors/mirrors.cgi $* From 92da30cd3931c20ec9bf342e42785082279d003d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jan 2026 07:38:11 +0100 Subject: [PATCH 14/15] Bump org.codehaus.mojo:mrm-maven-plugin from 1.7.0 to 1.7.1 (#394) Bumps [org.codehaus.mojo:mrm-maven-plugin](https://github.com/mojohaus/mrm) from 1.7.0 to 1.7.1. - [Release notes](https://github.com/mojohaus/mrm/releases) - [Commits](https://github.com/mojohaus/mrm/compare/1.7.0...mrm-1.7.1) --- updated-dependencies: - dependency-name: org.codehaus.mojo:mrm-maven-plugin dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- maven-wrapper-plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/maven-wrapper-plugin/pom.xml b/maven-wrapper-plugin/pom.xml index fb800ef2..cb25fe7f 100644 --- a/maven-wrapper-plugin/pom.xml +++ b/maven-wrapper-plugin/pom.xml @@ -192,7 +192,7 @@ under the License. org.codehaus.mojo mrm-maven-plugin - 1.7.0 + 1.7.1 From 335b1fdbd6066902f3c828ffc85943c5bda90c6d Mon Sep 17 00:00:00 2001 
From: Erik Meuwese Date: Thu, 13 Nov 2025 11:16:11 +0100 Subject: [PATCH 15/15] MWRAPPER-117 - added distributionSha512Sum and wrapperSha512Sum for verification with SHA-512 since Maven only publishes the SHA-512 checksum and not the SHA-256 checksum --- maven-wrapper-distribution/pom.xml | 2 +- maven-wrapper-distribution/src/resources/mvnw | 32 +++++++++ .../src/resources/mvnw.cmd | 19 +++++ .../src/resources/only-mvnw | 30 +++++++- .../src/resources/only-mvnw.cmd | 12 ++++ maven-wrapper-plugin/pom.xml | 2 +- .../it/projects/sha512_distribution/pom.xml | 69 ++++++++++++++++++ .../sha512_distribution/test.properties | 20 ++++++ .../sha512_distribution/verify.groovy | 35 +++++++++ .../projects/sha512_type_only-script/pom.xml | 71 +++++++++++++++++++ .../sha512_type_only-script/test.properties | 19 +++++ .../sha512_type_only-script/verify.groovy | 36 ++++++++++ .../src/it/projects/sha512_wrapper/pom.xml | 69 ++++++++++++++++++ .../projects/sha512_wrapper/test.properties | 19 +++++ .../it/projects/sha512_wrapper/verify.groovy | 36 ++++++++++ .../maven/plugins/wrapper/WrapperMojo.java | 26 ++++++- maven-wrapper/pom.xml | 2 +- .../org/apache/maven/wrapper/Installer.java | 9 +++ .../org/apache/maven/wrapper/Verifier.java | 2 + .../maven/wrapper/WrapperConfiguration.java | 10 +++ .../apache/maven/wrapper/WrapperExecutor.java | 3 + .../wrapper/HashAlgorithmVerifierTest.java | 27 +++++++ .../apache/maven/wrapper/InstallerTest.java | 5 +- pom.xml | 2 +- src/site/markdown/index.md | 6 +- 25 files changed, 550 insertions(+), 13 deletions(-) create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml create mode 100644 
maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties create mode 100644 maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy diff --git a/maven-wrapper-distribution/pom.xml b/maven-wrapper-distribution/pom.xml index 43df1a90..a124e5e8 100644 --- a/maven-wrapper-distribution/pom.xml +++ b/maven-wrapper-distribution/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT maven-wrapper-distribution diff --git a/maven-wrapper-distribution/src/resources/mvnw b/maven-wrapper-distribution/src/resources/mvnw index df1a80ac..154b7d37 100755 --- a/maven-wrapper-distribution/src/resources/mvnw +++ b/maven-wrapper-distribution/src/resources/mvnw 
@@ -310,6 +310,38 @@ if [ -n "$wrapperSha256Sum" ]; then
 fi
 fi

+# If specified, validate the SHA-512 sum of the Maven wrapper jar file
+wrapperSha512Sum=""
+while IFS="=" read -r key value; do
+ case "$key" in wrapperSha512Sum)
+ wrapperSha512Sum=$(trim "${value-}")
+ break
+ ;;
+ esac
+done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha512Sum" ]; then
+ wrapperSha512Result=false
+ if command -v sha512sum >/dev/null; then
+ if echo "$wrapperSha512Sum $wrapperJarPath" | sha512sum -c - >/dev/null 2>&1; then
+ wrapperSha512Result=true
+ fi
+ elif command -v shasum >/dev/null; then
+ if echo "$wrapperSha512Sum $wrapperJarPath" | shasum -a 512 -c >/dev/null 2>&1; then
+ wrapperSha512Result=true
+ fi
+ else
+ echo "Checksum validation was requested but neither 'sha512sum' or 'shasum' are available." >&2
+ echo "Please install either command, or disable validation by removing 'wrapperSha512Sum' from your maven-wrapper.properties." >&2
+ exit 1
+ fi
+ if [ $wrapperSha512Result = false ]; then
+ echo "Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised." >&2
+ echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+ echo "If you updated your Maven version, you need to update the specified wrapperSha512Sum property." >&2
+ exit 1
+ fi
+fi
+
 MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"

 # For Cygwin, switch paths to Windows format before running java
diff --git a/maven-wrapper-distribution/src/resources/mvnw.cmd b/maven-wrapper-distribution/src/resources/mvnw.cmd
index 97fff177..45628748 100644
--- a/maven-wrapper-distribution/src/resources/mvnw.cmd
+++ b/maven-wrapper-distribution/src/resources/mvnw.cmd
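Review bot: The new `sha512sum -c - >/dev/null 2>&1` call is missing the `--strict` that the SHA-256 path in this same script received earlier in the series (`sha256sum -c --strict -`), so a malformed `wrapperSha512Sum` — wrong length, a stray character, or a SHA-256 value pasted by mistake — can be reported as a pass on implementations that exit 0 for an improperly formatted checksum line, and the jar is then executed unverified. Use `sha512sum -c --strict - >/dev/null 2>&1` here and `shasum -a 512 -c --strict` in the fallback branch. A tool-independent guard is to reject the value before hashing, e.g. `printf '%s\n' "$wrapperSha512Sum" | grep -Eq '^[0-9a-f]{128}$'` and otherwise print the same error lines and `exit 1`. The second `while … read` pass over maven-wrapper.properties duplicates the SHA-256 loop; a `wrapperSha512Sum)` arm in that existing `case` (outside this hunk) would avoid re-reading the file.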
@@ -172,6 +172,25 @@ IF NOT %WRAPPER_SHA_256_SUM%=="" ( if ERRORLEVEL 1 goto error ) +@REM If specified, validate the SHA-512 sum of the Maven wrapper jar file +SET WRAPPER_SHA_512_SUM="" +FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( + IF "%%A"=="wrapperSha512Sum" SET WRAPPER_SHA_512_SUM=%%B +) +IF NOT %WRAPPER_SHA_512_SUM%=="" ( + powershell -Command "&{"^ + "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^ + "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA512).Hash.ToLower();"^ + "If('%WRAPPER_SHA_512_SUM%' -ne $hash){"^ + " Write-Error 'Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised.';"^ + " Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^ + " Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha512Sum property.';"^ + " exit 1;"^ + "}"^ + "}" + if ERRORLEVEL 1 goto error +) + @REM Provide a "standardized" way to retrieve the CLI args that will @REM work with both Windows and non-Windows executions. set MAVEN_CMD_LINE_ARGS=%* diff --git a/maven-wrapper-distribution/src/resources/only-mvnw b/maven-wrapper-distribution/src/resources/only-mvnw index 402d622d..91859490 100755 --- a/maven-wrapper-distribution/src/resources/only-mvnw +++ b/maven-wrapper-distribution/src/resources/only-mvnw 
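Review bot: The expected sum is spliced into the PowerShell program text as `'%WRAPPER_SHA_512_SUM%'`, so a property value containing a quote or other PowerShell syntax changes the script rather than failing the comparison, and the failure surfaces as a parse error instead of the verification message. Reading the value from the environment avoids the textual interpolation: `"If($env:WRAPPER_SHA_512_SUM -ne $hash){"^`. The properties file is committed next to mvnw.cmd, so this is robustness rather than a new trust boundary, and the SHA-256 block above uses the same construction. Note also that `-ne` compares strings case-insensitively in PowerShell, so `.ToLower()` on the computed hash does not make the check case-sensitive.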
@@ -108,11 +108,12 @@ trim() { scriptDir="$(dirname "$0")" scriptName="$(basename "$0")" -# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties +# parse distributionUrl and optional distributionSha256Sum or distributionSha512Sum, requires .mvn/wrapper/maven-wrapper.properties while IFS="=" read -r key value; do case "${key-}" in distributionUrl) distributionUrl=$(trim "${value-}") ;; distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; + distributionSha512Sum) distributionSha512Sum=$(trim "${value-}") ;; esac done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties" [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" 
@@ -249,6 +250,33 @@ if [ -n "${distributionSha256Sum-}" ]; then fi fi +# If specified, validate the SHA-512 sum of the Maven distribution zip file +if [ -n "${distributionSha512Sum-}" ]; then + distributionSha512Result=false + if [ "$MVN_CMD" = mvnd.sh ]; then + echo "Checksum validation is not supported for maven-mvnd." >&2 + echo "Please disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2 + exit 1 + elif command -v sha512sum >/dev/null; then + if echo "$distributionSha512Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha512sum -c - >/dev/null 2>&1; then + distributionSha512Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$distributionSha512Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 512 -c >/dev/null 2>&1; then + distributionSha512Result=true + fi + else + echo "Checksum validation was requested but neither 'sha512sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $distributionSha512Result = false ]; then + echo "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised." >&2 + echo "If you updated your Maven version, you need to update the specified distributionSha512Sum property." >&2 + exit 1 + fi +fi + # unzip and move if command -v unzip >/dev/null; then unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" diff --git a/maven-wrapper-distribution/src/resources/only-mvnw.cmd b/maven-wrapper-distribution/src/resources/only-mvnw.cmd index fd5f5ccd..9caacf0b 100644 --- a/maven-wrapper-distribution/src/resources/only-mvnw.cmd +++ b/maven-wrapper-distribution/src/resources/only-mvnw.cmd 
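Review bot: The new failure paths use `echo ... >&2; exit 1` although this script has a `die` helper (used by the `|| die "failed to unzip"` line right after the block); routing them through `die`, e.g. `die "Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha512Sum property."`, keeps exit behaviour and any cleanup in one place, provided `die` preserves the message text the only-script IT asserts on. If the SHA-256 block above follows the same echo/exit pattern, both should be converted together. As in the mvnw hunk, a length check on `${#distributionSha512Sum}` before the comparison would distinguish a mistyped property from a mismatching download.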
@@ -146,6 +146,18 @@ if ($distributionSha256Sum) { } } +# If specified, validate the SHA-512 sum of the Maven distribution zip file +$distributionSha512Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha512Sum +if ($distributionSha512Sum) { + if ($USE_MVND) { + Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." + } + Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash + if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA512).Hash.ToLower() -ne $distributionSha512Sum) { + Write-Error "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha512Sum property." + } +} + # unzip and move Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null diff --git a/maven-wrapper-plugin/pom.xml b/maven-wrapper-plugin/pom.xml index cb25fe7f..99a1bde0 100644 --- a/maven-wrapper-plugin/pom.xml +++ b/maven-wrapper-plugin/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT org.apache.maven.plugins diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml new file mode 100644 index 00000000..b8e83ddc --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/pom.xml @@ -0,0 +1,69 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + + + + + + + + + + windows + + windows + + + .cmd + + + + 
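Review bot: `Write-Error` is non-terminating in PowerShell, so unless `$ErrorActionPreference = 'Stop'` is set earlier in the script (outside this hunk) the mvnd branch continues into Get-FileHash after reporting that validation is unsupported, and a mismatching sum continues into the `Expand-Archive` below, which is the opposite of failing closed. Making each failure explicit, `Write-Error "…"; exit 1`, removes the dependence on the preference variable. The SHA-256 block above, cut off at the hunk start, presumably needs the same treatment.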
diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties new file mode 100644 index 00000000..c4e5afcb --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/test.properties @@ -0,0 +1,20 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +alwaysUnpack=true +type=bin +distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy new file mode 100644 index 00000000..27bcdf84 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_distribution/verify.groovy 
@@ -0,0 +1,35 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised.') + +// check "mvnw -v" output +assert log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml new file mode 100644 index 00000000..ccd5664a --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/pom.xml 
@@ -0,0 +1,71 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + ${project.build.directory} + ${project.build.directory} + + + + + + + + + + windows + + windows + + + .cmd + + + + diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties new file mode 100644 index 00000000..466cbfc8 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/test.properties @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +type=only-script +distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy new file mode 100644 index 00000000..d21329a8 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_type_only-script/verify.groovy 
@@ -0,0 +1,36 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('distributionSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised.') +assert !log.contains('shasum:') + +// check "mvnw -v" output +assert !log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml new file mode 100644 index 00000000..b8e83ddc --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/pom.xml 
@@ -0,0 +1,69 @@ + + + + + + 4.0.0 + + org.apache.maven.plugins.it.wrapper + extension + 1.0.0-SNAPSHOT + pom + + + + + + + + + + org.codehaus.mojo + exec-maven-plugin + @version.exec-maven-plugin@ + + mvnw${cmd} + + 1 + + + -v + + + true + + + + + + + + + + windows + + windows + + + .cmd + + + + diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties new file mode 100644 index 00000000..c1f2c705 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/test.properties @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +type=bin +wrapperSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d \ No newline at end of file diff --git a/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy new file mode 100644 index 00000000..919a8b28 --- /dev/null +++ b/maven-wrapper-plugin/src/it/projects/sha512_wrapper/verify.groovy 
@@ -0,0 +1,36 @@ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +assert new File(basedir,'mvnw').exists() +assert new File(basedir,'mvnw.cmd').exists() +assert !(new File(basedir,'mvnwDebug').exists()) +assert !(new File(basedir,'mvnwDebug.cmd').exists()) + +properties = new File(basedir,'.mvn/wrapper/maven-wrapper.properties') +assert properties.exists() +assert properties.text.contains('wrapperSha512Sum=256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d') + +log = new File(basedir, 'build.log').text +// check "mvn wrapper:wrapper" output +assert log.contains('Error: Failed to validate Maven wrapper SHA-512, your Maven wrapper might be compromised.') +assert !log.contains('shasum:') + +// check "mvnw -v" output +assert !log.contains('Apache Maven ') diff --git a/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java b/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java index 6146ff88..e0ec554b 100644 --- a/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java 
+++ b/maven-wrapper-plugin/src/main/java/org/apache/maven/plugins/wrapper/WrapperMojo.java @@ -123,7 +123,14 @@ public class WrapperMojo extends AbstractMojo { */ @Parameter(property = "wrapperSha256Sum") private String wrapperSha256Sum; - + /** + * The expected SHA-512 checksum of the maven-wrapper.jar that is + * used to load the configured Maven distribution. + * + * @since 3.4.0 + */ + @Parameter(property = "wrapperSha512Sum") + private String wrapperSha512Sum; /** * The expected SHA-256 checksum of the Maven distribution that is * executed by the installed wrapper. @@ -132,7 +139,14 @@ public class WrapperMojo extends AbstractMojo { */ @Parameter(property = "distributionSha256Sum") private String distributionSha256Sum; - + /** + * The expected SHA-512 checksum of the Maven distribution that is + * executed by the installed wrapper. + * + * @since 3.4.0 + */ + @Parameter(property = "distributionSha512Sum") + private String distributionSha512Sum; /** * Determines if the Maven distribution should be downloaded * on every execution of the Maven wrapper. @@ -286,7 +300,7 @@ private void unpack(Artifact artifact, Path targetFolder) { unarchiver.setSourceFile(artifact.getFile()); if (!includeDebugScript) { unarchiver.setFileSelectors( - new FileSelector[] {fileInfo -> !fileInfo.getName().contains("Debug")}); + new FileSelector[]{fileInfo -> !fileInfo.getName().contains("Debug")}); } unarchiver.extract(); getLog().info("Unpacked " + buffer().strong(distributionType) + " type wrapper distribution " + artifact); 
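Review bot: Both field hunks drop the blank line that separated the previous field from the following Javadoc, so `private String wrapperSha256Sum;` and `private String wrapperSha512Sum;` (and likewise the two distribution fields in the second hunk) now abut the next `/**` comment; keep one blank line between members as elsewhere in the class. The new Javadoc could also state the expected format, since the scripts compare hex text rather than parsing it: `* Expected as 128 lowercase hexadecimal characters; may be combined with {@code wrapperSha256Sum}, in which case both sums are verified.` The unrelated `new FileSelector[]{` reformat in the third hunk may be reverted by the project's formatter, if one is configured, so it is worth checking before merge.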
@@ -332,12 +346,18 @@ private void replaceProperties(String wrapperVersion, Path targetFolder) throws if (distributionSha256Sum != null) { out.append("distributionSha256Sum=" + distributionSha256Sum + System.lineSeparator()); } + if (distributionSha512Sum != null) { + out.append("distributionSha512Sum=" + distributionSha512Sum + System.lineSeparator()); + } if (!distributionType.equals(TYPE_ONLY_SCRIPT)) { out.append("wrapperUrl=" + wrapperUrl + System.lineSeparator()); } if (wrapperSha256Sum != null) { out.append("wrapperSha256Sum=" + wrapperSha256Sum + System.lineSeparator()); } + if (wrapperSha512Sum != null) { + out.append("wrapperSha512Sum=" + wrapperSha512Sum + System.lineSeparator()); + } if (alwaysDownload) { out.append("alwaysDownload=" + Boolean.TRUE + System.lineSeparator()); } diff --git a/maven-wrapper/pom.xml b/maven-wrapper/pom.xml index 1a6c9224..75385120 100644 --- a/maven-wrapper/pom.xml +++ b/maven-wrapper/pom.xml @@ -23,7 +23,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT maven-wrapper diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java index 177bb429..39e54857 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java @@ -67,6 +67,8 @@ public Path createDist(WrapperConfiguration configuration) throws Exception { boolean alwaysUnpack = configuration.isAlwaysUnpack(); boolean verifyDistributionSha256Sum = !configuration.getDistributionSha256Sum().isEmpty(); + boolean verifyDistributionSha512Sum = + !configuration.getDistributionSha512Sum().isEmpty(); PathAssembler.LocalDistribution localDistribution = pathAssembler.getDistribution(configuration); Path localZipFile = localDistribution.getZipFile(); 
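Review bot: `wrapperSha512Sum` is written to maven-wrapper.properties even when `distributionType` is only-script, although the `wrapperUrl` line is skipped for that type because no wrapper jar is downloaded; guarding both wrapper sums with the same `!distributionType.equals(TYPE_ONLY_SCRIPT)` condition keeps the generated file free of properties that cannot take effect (the existing wrapperSha256Sum line has the same asymmetry). Separately, the mojo copies whatever string it is given; checking that each sum is 128 (SHA-512) or 64 (SHA-256) hex characters and failing with a MojoExecutionException would catch a pasted-wrong value at `wrapper:wrapper` time instead of at every later `mvnw` run. replaceProperties continues past the end of the hunk.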
@@ -97,6 +99,13 @@ public Path createDist(WrapperConfiguration configuration) throws Exception { Verifier.SHA_256_ALGORITHM, configuration.getDistributionSha256Sum()); } + if (verifyDistributionSha512Sum) { + verifier.verify( + localZipFile, + "distributionSha512Sum", + Verifier.SHA_512_ALGORITHM, + configuration.getDistributionSha512Sum()); + } for (Path dir : dirs) { Logger.info("Deleting directory " + dir.toAbsolutePath()); deleteDir(dir); diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java index 623f57a3..067cebea 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/Verifier.java @@ -29,5 +29,7 @@ public interface Verifier { String SHA_256_ALGORITHM = "SHA-256"; + String SHA_512_ALGORITHM = "SHA-512"; + void verify(Path file, String property, String algorithm, String expectedSum) throws Exception; } diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java index c42bad9d..b1b9ed3d 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperConfiguration.java @@ -45,6 +45,8 @@ public class WrapperConfiguration { private String distributionSha256Sum; + private String distributionSha512Sum; + public boolean isAlwaysDownload() { return alwaysDownload; } 
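Review bot: `distributionSha512Sum` in WrapperConfiguration is declared without a default, while Installer.createDist (previous hunk) calls `configuration.getDistributionSha512Sum().isEmpty()` unconditionally, so any WrapperConfiguration not populated through WrapperExecutor throws a NullPointerException; the InstallerTest setup had to add `configuration.setDistributionSha512Sum("")` for exactly this reason. Initialising the field, `private String distributionSha512Sum = "";`, or null-guarding the check in Installer removes the trap. The existing SHA-256 field appears to have the same gap, so it is worth fixing both together.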
@@ -105,7 +107,15 @@ public String getDistributionSha256Sum() { return distributionSha256Sum; } + public String getDistributionSha512Sum() { + return distributionSha512Sum; + } + public void setDistributionSha256Sum(String distributionSha256Sum) { this.distributionSha256Sum = distributionSha256Sum; } + + public void setDistributionSha512Sum(String distributionSha512Sum) { + this.distributionSha512Sum = distributionSha512Sum; + } } diff --git a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java index 5b7ace9f..14a53763 100644 --- a/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java +++ b/maven-wrapper/src/main/java/org/apache/maven/wrapper/WrapperExecutor.java @@ -49,6 +49,8 @@ public class WrapperExecutor { public static final String DISTRIBUTION_SHA_256_SUM = "distributionSha256Sum"; + public static final String DISTRIBUTION_SHA_512_SUM = "distributionSha512Sum"; + public static final String ALWAYS_DOWNLOAD = "alwaysDownload"; public static final String ALWAYS_UNPACK = "alwaysUnpack"; @@ -85,6 +87,7 @@ public static WrapperExecutor forWrapperPropertiesFile(Path propertiesFile) { config.setZipPath(Paths.get( getProperty(ZIP_STORE_PATH_PROPERTY, config.getZipPath().toString()))); config.setDistributionSha256Sum(getProperty(DISTRIBUTION_SHA_256_SUM, "")); + config.setDistributionSha512Sum(getProperty(DISTRIBUTION_SHA_512_SUM, "")); config.setAlwaysUnpack(Boolean.parseBoolean(getProperty(ALWAYS_UNPACK, Boolean.FALSE.toString()))); config.setAlwaysDownload(Boolean.parseBoolean(getProperty(ALWAYS_DOWNLOAD, Boolean.FALSE.toString()))); } catch (Exception e) { diff --git a/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java b/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java index 498ee563..b34a42db 100644 
--- a/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java +++ b/maven-wrapper/src/test/java/org/apache/maven/wrapper/HashAlgorithmVerifierTest.java @@ -57,6 +57,15 @@ void sha256SumsMatch() throws Exception { "7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb"); } + @Test + void sha512SumsMatch() throws Exception { + verifier.verify( + file, + "property", + Verifier.SHA_512_ALGORITHM, + "256cdc53261371d6f6fefd92e99d85df5295d1f83ab826106768094a34e6f1b0eb4f7c30e75ada80218ed5bb384bdce334a6697354eef561f50adfc2113c881d"); + } + @Test void sha256SumsDoNotMatch() throws Exception { try { @@ -74,4 +83,22 @@ void sha256SumsDoNotMatch() throws Exception { e.getMessage()); } } + + @Test + void sha512SumsDoNotMatch() throws Exception { + try { + verifier.verify( + file, + "prop", + Verifier.SHA_512_ALGORITHM, + "03e2d65d4483a3396980629f260e25cac0d8b6f7f2791e4dc20bc83f9514db8d0f05b0479e699a5f34679250c49c8e52e961262ded468a20de0be254d8207076"); + fail("Expected RuntimeException"); + } catch (RuntimeException e) { + assertEquals( + "Failed to validate Maven distribution SHA-512, your Maven " + + "distribution might be compromised. If you updated your Maven version, " + + "you need to update the specified prop property.", + e.getMessage()); + } + } } diff --git a/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java b/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java index 04731eaa..f456415f 100644 --- a/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java +++ b/maven-wrapper/src/test/java/org/apache/maven/wrapper/InstallerTest.java 
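Review bot: The new tests cover an exact match and a full-length mismatch, but not the inputs the documentation constrains — an uppercase-hex expected sum and a value of the wrong length; a test pinning each (accepted or rejected) would document the contract the shell and PowerShell scripts need to agree with. The test class ends inside this hunk, so the cases can be appended after sha512SumsDoNotMatch.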
@@ -91,6 +91,7 @@ void setup() throws Exception { configuration.setAlwaysDownload(false); configuration.setAlwaysUnpack(false); configuration.setDistributionSha256Sum(""); + configuration.setDistributionSha512Sum(""); distributionDir = testDir.resolve("someDistPath"); mavenHomeDir = distributionDir.resolve("maven-0.9"); zipStore = testDir.resolve("zips"); @@ -120,7 +121,7 @@ private void createTestZip(Path zipDestination) throws Exception { writer.write("something"); } try (OutputStream os = Files.newOutputStream(mavenLib); - JarOutputStream jar = new JarOutputStream(os, new Manifest())) { + JarOutputStream jar = new JarOutputStream(os, new Manifest())) { jar.putNextEntry(new ZipEntry("test")); jar.closeEntry(); } @@ -227,7 +228,7 @@ void testZipSlip() throws URISyntaxException { public void zipTo(final Path directoryToZip, final Path zipFile) throws IOException { // Creating a ZipOutputStream by wrapping a OutputStream try (OutputStream fos = Files.newOutputStream(zipFile); - ZipOutputStream zos = new ZipOutputStream(fos)) { + ZipOutputStream zos = new ZipOutputStream(fos)) { // Walk the tree structure using WalkFileTree method Files.walkFileTree(directoryToZip, new SimpleFileVisitor() { @Override diff --git a/pom.xml b/pom.xml index 900ee926..fcfbb45c 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,7 @@ under the License. org.apache.maven.wrapper maven-wrapper-parent - 3.3.5-SNAPSHOT + 3.4.0-SNAPSHOT pom Apache Maven Wrapper diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index 471a0216..fead08f8 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md 
@@ -192,10 +192,10 @@ used. To avoid supply-chain-attacks by downloading a corrupted artifact, it is possible to specify checksums for both the *maven-wrapper.jar* and the downloaded distribution. To apply verification, add the expected -file's SHA-256 sum in hex notation, using only small caps, to +file's SHA-256 or SHA-512 sum in hex notation, using only small caps, to `maven-wrapper.properties`. The property for validating the -*maven-wrapper.jar* file is named `wrapperSha256Sum` whereas the -distribution file property is named `distributionSha256Sum`. +*maven-wrapper.jar* file are named `wrapperSha256Sum` and `wrapperSha512Sum` whereas the +distribution file property are named `distributionSha256Sum` and `distributionSha512Sum`. ## Internals