It's 2023 and md5 is basically broken. This PR adds sha256 verification support. The latest.json for Chunky 2.4.5 on my server already contains the sha256 hashes.
Using --dangerouslyDisableLibraryValidation, checksum validation of libraries can now be disabled. This is a potential security issue and thus not recommended. It does help with local debugging and sharing custom Chunky versions though. Closes #1509
Having that flag as system property means that the checksum validation could be disabled by environment variables (ie. JAVA_TOOL_OPTIONS. I'll change this to a command line flag.
It's 2023 and md5 is basically broken. This PR adds sha256 verification support. The
latest.json
for Chunky 2.4.5 on my server already contains the sha256 hashes.Using
--dangerouslyDisableLibraryValidation
, checksum validation of libraries can now be disabled. This is a potential security issue and thus not recommended. It does help with local debugging and sharing custom Chunky versions though. Closes #1509