MWRAPPER-117 - added distributionSha512Sum and wrapperSha512Sum

.github/workflows/maven-verify.yml

@@ -27,3 +27,4 @@ jobs:
     uses: apache/maven-gh-actions-shared/.github/workflows/maven-verify.yml@v4
     with:
       verify-fail-fast: false
+      maven4-enabled: true

.github/workflows/shellcheck-posix.yml

@@ -31,7 +31,7 @@ jobs:
       # SC2009: Don't consider pgrep, not available everywhere; https://www.shellcheck.net/wiki/SC2009
       SHELLCHECK_OPTS: '-e SC1091 -e SC2009'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: download
         run: |
           curl --silent --fail --show-error --retry 2 --retry-delay 1 --connect-timeout 5 --location --url "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" -o shellcheck-v${SHELLCHECK_VERSION}.tar.xz

maven-wrapper-distribution/pom.xml

@@ -23,7 +23,7 @@ under the License.
   <parent>
     <groupId>org.apache.maven.wrapper</groupId>
     <artifactId>maven-wrapper-parent</artifactId>
-    <version>3.3.5-SNAPSHOT</version>
+    <version>3.4.0-SNAPSHOT</version>
   </parent>
 
   <artifactId>maven-wrapper-distribution</artifactId>

maven-wrapper-distribution/src/resources/only-mvnw

@@ -108,11 +108,12 @@ trim() {
 scriptDir="$(dirname "$0")"
 scriptName="$(basename "$0")"
 
-# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties
+# parse distributionUrl and optional distributionSha256Sum or distributionSha512Sum, requires .mvn/wrapper/maven-wrapper.properties
 while IFS="=" read -r key value; do
   case "${key-}" in
   distributionUrl) distributionUrl=$(trim "${value-}") ;;
   distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;;
+  distributionSha512Sum) distributionSha512Sum=$(trim "${value-}") ;;
   esac
 done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties"
 [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
@@ -170,17 +171,17 @@ fi
 
 mkdir -p -- "${MAVEN_HOME%/*}"
 
-# Download and Install Apache Maven
-verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
-verbose "Downloading from: $distributionUrl"
-verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
-
 # select .zip or .tar.gz
 if ! command -v unzip >/dev/null; then
   distributionUrl="${distributionUrl%.zip}.tar.gz"
   distributionUrlName="${distributionUrl##*/}"
 fi
 
+# Download and Install Apache Maven
+verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+verbose "Downloading from: $distributionUrl"
+verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
 # verbose opt
 __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR=''
 [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v
@@ -201,20 +202,20 @@ elif set_java_home; then
   verbose "Falling back to use Java to download"
   javaSource="$TMP_DOWNLOAD_DIR/Downloader.java"
   targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName"
-  cat >"$javaSource" <<-END
-	public class Downloader extends java.net.Authenticator
-	{
-	  protected java.net.PasswordAuthentication getPasswordAuthentication()
-	  {
-	    return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() );
-	  }
-	  public static void main( String[] args ) throws Exception
-	  {
-	    setDefault( new Downloader() );
-	    java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() );
-	  }
-	}
-	END
+  cat >"$javaSource" <<END
+    public class Downloader extends java.net.Authenticator
+    {
+      protected java.net.PasswordAuthentication getPasswordAuthentication()
+      {
+        return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() );
+      }
+      public static void main( String[] args ) throws Exception
+      {
+        setDefault( new Downloader() );
+        java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() );
+      }
+    }
+END
   # For Cygwin/MinGW, switch paths to Windows format before running javac and java
   verbose " - Compiling Downloader.java ..."
   "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java"
@@ -230,7 +231,7 @@ if [ -n "${distributionSha256Sum-}" ]; then
     echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
     exit 1
   elif command -v sha256sum >/dev/null; then
-    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c --strict - >/dev/null 2>&1; then
       distributionSha256Result=true
     fi
   elif command -v shasum >/dev/null; then
@@ -249,6 +250,33 @@ if [ -n "${distributionSha256Sum-}" ]; then
   fi
 fi
 
+# If specified, validate the SHA-512 sum of the Maven distribution zip file
+if [ -n "${distributionSha512Sum-}" ]; then
+  distributionSha512Result=false
+  if [ "$MVN_CMD" = mvnd.sh ]; then
+    echo "Checksum validation is not supported for maven-mvnd." >&2
+    echo "Please disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  elif command -v sha512sum >/dev/null; then
+    if echo "$distributionSha512Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha512sum -c - >/dev/null 2>&1; then
+      distributionSha512Result=true
+    fi
+  elif command -v shasum >/dev/null; then
+    if echo "$distributionSha512Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 512 -c >/dev/null 2>&1; then
+      distributionSha512Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha512sum' or 'shasum' are available." >&2
+    echo "Please install either command, or disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  fi
+  if [ $distributionSha512Result = false ]; then
+    echo "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised." >&2
+    echo "If you updated your Maven version, you need to update the specified distributionSha512Sum property." >&2
+    exit 1
+  fi
+fi
+
 # unzip and move
 if command -v unzip >/dev/null; then
   unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip"

maven-wrapper-distribution/src/resources/only-mvnw.cmd

@@ -89,10 +89,10 @@ if (-not (Test-Path -Path $MAVEN_M2_PATH)) {
 }
 
 $MAVEN_WRAPPER_DISTS = $null
-if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) {
+if ((Get-Item -Path $MAVEN_M2_PATH -Force).Target[0] -eq $null) {
   $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists"
 } else {
-  $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists"
+  $MAVEN_WRAPPER_DISTS = (Get-Item -Path $MAVEN_M2_PATH -Force).Target[0] + "/wrapper/dists"
 }
 
 $MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain"
@@ -146,6 +146,18 @@ if ($distributionSha256Sum) {
   }
 }
 
+# If specified, validate the SHA-512 sum of the Maven distribution zip file
+$distributionSha512Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha512Sum
+if ($distributionSha512Sum) {
+  if ($USE_MVND) {
+    Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha512Sum' from your maven-wrapper.properties."
+  }
+  Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash
+  if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA512).Hash.ToLower() -ne $distributionSha512Sum) {
+    Write-Error "Error: Failed to validate Maven distribution SHA-512, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha512Sum property."
+  }
+}
+
 # unzip and move
 Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null
 

maven-wrapper-plugin/pom.xml

@@ -23,7 +23,7 @@ under the License.
   <parent>
     <groupId>org.apache.maven.wrapper</groupId>
     <artifactId>maven-wrapper-parent</artifactId>
-    <version>3.3.5-SNAPSHOT</version>
+    <version>3.4.0-SNAPSHOT</version>
   </parent>
 
   <groupId>org.apache.maven.plugins</groupId>
@@ -64,7 +64,7 @@ under the License.
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-archiver</artifactId>
-      <version>4.10.4</version>
+      <version>4.11.0</version>
     </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
@@ -74,7 +74,7 @@ under the License.
     <dependency>
       <groupId>org.apache.maven.resolver</groupId>
       <artifactId>maven-resolver-api</artifactId>
-      <version>1.9.24</version>
+      <version>1.9.25</version>
       <scope>provided</scope>
     </dependency>
 
@@ -192,7 +192,7 @@ under the License.
           <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>mrm-maven-plugin</artifactId>
-            <version>1.7.0</version>
+            <version>1.7.1</version>
             <configuration>
               <repositories>
                 <mockRepo>

maven-wrapper-plugin/src/it/projects/default/pom.xml

@@ -63,4 +63,4 @@ under the License.
       </properties>
     </profile>
   </profiles>
-</project>
+</project>

maven-wrapper-plugin/src/it/projects/includeDebug/pom.xml

@@ -63,4 +63,4 @@ under the License.
       </properties>
     </profile>
   </profiles>
-</project>
+</project>

maven-wrapper-plugin/src/it/projects/includeDebug/test.properties

@@ -15,4 +15,4 @@
 # specific language governing permissions and limitations
 # under the License.
 
-includeDebug=true
+includeDebug=true

maven-wrapper-plugin/src/it/projects/mavenversion/pom.xml

@@ -63,4 +63,4 @@ under the License.
       </properties>
     </profile>
   </profiles>
-</project>
+</project>

maven-wrapper-plugin/src/it/projects/mavenversion/test.properties

@@ -15,4 +15,4 @@
 # specific language governing permissions and limitations
 # under the License.
 
-maven=3.6.3
+maven=3.6.3

maven-wrapper-plugin/src/it/projects/sha256_distribution/test.properties

@@ -17,4 +17,4 @@
 
 alwaysUnpack=true
 type=bin
-distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
+distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb

maven-wrapper-plugin/src/it/projects/sha256_type_only-script/test.properties

@@ -16,4 +16,4 @@
 # under the License.
 
 type=only-script
-distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
+distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb

maven-wrapper-plugin/src/it/projects/sha256_wrapper/test.properties

@@ -16,4 +16,4 @@
 # under the License.
 
 type=bin
-wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
+wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb