gradle / gradle

Adaptable, fast automation for all
https://gradle.org
Apache License 2.0

When wrapper fails checksum validation, don't show the actual checksum, instead redirect users to a more reliable source #29629

Closed adam-enko closed 5 days ago

adam-enko commented 1 week ago

Expected Behavior

When verification fails, Gradle prints the actual checksum, and instructions to a trusted source about how to get the expected checksum.

It is hard to copy/paste the actual checksum. It is clear how to actually verify that the actual checksum is correct.

$ ./gradlew wrapper

[...]

Verification of Gradle distribution failed!

Your Gradle distribution may have been tampered with.
Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties file is correct and you are downloading the wrapper from a trusted source.

 Distribution Url: https://cache-redirector.jetbrains.com/services.gradle.org/distributions/gradle-8.6-bin.zip
Download Location: /[...]/.gradle/wrapper/dists/gradle-8.6-bin/5calmees0wab02zcsk6szluz1/gradle-8.6-bin.zip
  Actual checksum: '9631d53cf3e74bfa726893aee1f8994fee4e060c401335946dba2156f440f24c'

Visit https://gradle.org/release-checksums/ to verify the checksums.

[...]

Current Behavior (optional)

When verification fails, Gradle prints the expected checksum.

It is easy to copy/paste the displayed checksum. It is not clear how to actually verify that the actual checksum is correct.

$ ./gradlew wrapper

[...]

Verification of Gradle distribution failed!

Your Gradle distribution may have been tampered with.
Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties file is correct and you are downloading the wrapper from a trusted source.

 Distribution Url: https://cache-redirector.jetbrains.com/services.gradle.org/distributions/gradle-8.6-bin.zip
Download Location: /[...]/.gradle/wrapper/dists/gradle-8.6-bin/5calmees0wab02zcsk6szluz1/gradle-8.6-bin.zip
Expected checksum: '544c35d6bd849ae8a5ed0bcea39ba677dc40f49df7d1835561582da2009b961d'
  Actual checksum: '9631d53cf3e74bfa726893aee1f8994fee4e060c401335946dba2156f440f24c'

[...]

Context

When verification fails, Gradle prints the expected checksum.

It is easy to copy/paste the displayed checksum. It is not clear how to actually verify that the actual checksum is correct.
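The check a practitioner would run by hand when the wrapper reports a mismatch, as an added example that is not code from Gradle or from this issue: hash the cached distribution zip, read the `distributionSha256Sum` pinned in `gradle-wrapper.properties`, and compare the two. It assumes a POSIX shell with `sha256sum` or `shasum` on the PATH; the file paths are hypothetical and the sample zip and properties files are constructed inline so it runs offline. When the two differ, the pinned value is the one to confirm against https://gradle.org/release-checksums/ (or the provider of a custom distribution), not the "Actual checksum" printed by the failing build.

```shell
#!/bin/sh
# Added example, not Gradle's own wrapper code: check a locally cached Gradle
# distribution against the distributionSha256Sum pinned in
# gradle-wrapper.properties. All file paths are hypothetical and the sample
# zip and properties files are constructed below so this runs offline.
set -eu

# SHA-256 of a file as 64 lowercase hex chars. Prefers GNU sha256sum and
# falls back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Value of distributionSha256Sum in a wrapper properties file (the Gradle
# wrapper writes it as key=value). Surrounding whitespace and any CR are
# stripped; prints nothing when the property is absent.
pinned_sha256() {
    sed -n 's/^[[:space:]]*distributionSha256Sum[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | tr -d '[:space:]'
}

# Compare pinned and actual checksums.
# Returns 0 on match, 1 on mismatch, 2 when nothing is pinned at all.
verify_distribution() {
    props=$1
    zip=$2
    expected=$(pinned_sha256 "$props")
    actual=$(sha256_of "$zip")
    if [ -z "$expected" ]; then
        echo "no distributionSha256Sum pinned in $props; the download is not verified" >&2
        return 2
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $zip matches the pinned checksum"
        return 0
    fi
    echo "MISMATCH: $zip" >&2
    echo "  pinned: $expected" >&2
    echo "  actual: $actual" >&2
    echo "  confirm the pinned value against https://gradle.org/release-checksums/" >&2
    echo "  (or the provider of a custom distribution) before changing it" >&2
    return 1
}

# Demo on constructed input: a stand-in zip, one properties file pinned to its
# real digest, and one pinned to an obviously wrong all-zero digest.
demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for gradle-8.6-bin.zip\n' > "$dir/gradle-8.6-bin.zip"
    printf 'distributionSha256Sum=%s\n' "$(sha256_of "$dir/gradle-8.6-bin.zip")" \
        > "$dir/pinned-ok.properties"
    printf 'distributionSha256Sum=%s\n' "$(printf '%064d' 0)" \
        > "$dir/pinned-wrong.properties"
    verify_distribution "$dir/pinned-ok.properties" "$dir/gradle-8.6-bin.zip"
    verify_distribution "$dir/pinned-wrong.properties" "$dir/gradle-8.6-bin.zip" ||
        echo "verify_distribution exit status: $?"
    rm -rf "$dir"
}
demo
```

On a real project, call `verify_distribution` with the project's `gradle/wrapper/gradle-wrapper.properties` and the "Download Location" path printed in the failure message; an exit status of 2 means the wrapper is not pinning a checksum at all, which is worth fixing before the first mismatch ever appears.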

ljacomet commented 1 week ago

This feature request is in the backlog of the relevant team and is prioritized by them.


This issue is a good choice for first-time contributors to Gradle, it is actionable and ready for contribution.

See CONTRIBUTING.md for more information.


The message should be something like:

Visit https://gradle.org/release-checksums/ to verify the checksums of official distributions. If your build uses a custom distribution, check with its provider.

We should not remove any of the current information however. Hiding a value because someone could copy paste it does not feel like the right balance against having the value available to be reported to a security team.

thachlp commented 1 week ago

@ljacomet @adam-enko This is my first contribution to the Gradle project, please help review it 🙇