Closed GregDThomas closed 4 years ago
This would be pretty hard to do since the jar changes with each release and you have to find a platform-independent shell command way to validate without needing unusual commands installed. I think the perceived benefits are outweighed by the problems of implementing this.
I was thinking along the lines of simply ...
a) Calculate the hash as the file is being downloaded in DefaultDownloader#downloadInternal
b) If there is no hash stored in maven-wrapper.properties, update maven-wrapper.properties with the hash; else check that the saved hash matches the hash of the file downloaded
So updating the version of Maven would simply be a case of
This will update the hash - the new version of the properties file can then be committed, and anyone using it can be confident that the file fetched as part of the build process is the right one.
This project is essentially frozen for development and new efforts are ongoing in the Apache Maven project itself. We therefore close this issue. Please find more information at https://github.com/takari/maven-wrapper#ongoing-migration-to-apache-maven and participate in the development there.
Currently, the maven-wrapper will download the file referenced in maven-wrapper.properties and happily use it.
However, there is no guarantee that the file being downloaded is the file that the original person who committed maven-wrapper.properties intended. Yes, HTTPS gives a good degree of confidence, but it is not a 100% guarantee.
To add greater confidence, if a checksum of the file referenced in maven-wrapper.properties were added to maven-wrapper.properties, then after downloading the file the checksum could be compared to what was expected, and a suitable error message displayed in case of a mismatch.
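The pin-or-verify flow proposed in the comments (hash the bytes as they stream through the downloader, record the hash in maven-wrapper.properties if none is stored, otherwise compare and fail on mismatch), as an added example. This is not code from takari/maven-wrapper or from the issue participants: the property key `distributionSha256Sum`, the `wrapperUrl` value, the temp directory and the stand-in "jar" bytes are all constructed for the demonstration, and the download is simulated from an in-memory stream so it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

/** Pin-or-verify checksum step for a wrapper-style downloader (example code, not project code). */
public class ChecksumDownload {

    // Hypothetical property key, chosen for this example; takari/maven-wrapper does not define it.
    static final String HASH_KEY = "distributionSha256Sum";

    /** Streams 'source' into 'target', hashing the bytes as they pass; returns lowercase hex SHA-256. */
    static String copyAndHash(InputStream source, Path target) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is a mandatory JCA algorithm", e);
        }
        try (DigestInputStream in = new DigestInputStream(source, md);
             OutputStream out = Files.newOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);   // every byte written to disk has also been fed to the digest
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * No pinned hash: record the observed one (trust-on-first-use; the committer must still check it
     * against the checksum published upstream). Pinned hash present: compare in constant time, delete
     * the download on mismatch and fail the build. Returns true when a hash was newly pinned.
     */
    static boolean verifyOrRecord(Properties props, String actual, Path target) throws IOException {
        String expected = props.getProperty(HASH_KEY);
        if (expected == null || expected.trim().isEmpty()) {
            props.setProperty(HASH_KEY, actual);
            return true;
        }
        byte[] e = expected.trim().toLowerCase().getBytes(StandardCharsets.US_ASCII);
        byte[] a = actual.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(e, a)) {
            Files.deleteIfExists(target);   // never leave an unverified artifact where the build will pick it up
            throw new IOException("Checksum mismatch for " + target.getFileName()
                    + ": expected " + expected + " but downloaded file has " + actual);
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("wrapper-demo");
        Path propsFile = dir.resolve("maven-wrapper.properties");
        Path jar = dir.resolve("maven-wrapper.jar");
        // Constructed stand-ins for the real jar bytes and for a swapped/corrupted download.
        byte[] genuine = "constructed stand-in for the real jar bytes".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "constructed stand-in for a swapped jar".getBytes(StandardCharsets.UTF_8);

        // Constructed properties with only a URL, as a repository without a pinned hash would have.
        Properties props = new Properties();
        props.setProperty("wrapperUrl", "https://example.invalid/maven-wrapper.jar");

        // Run 1: nothing pinned yet, so the observed hash is recorded and the properties file rewritten.
        String h1 = copyAndHash(new ByteArrayInputStream(genuine), jar);
        if (verifyOrRecord(props, h1, jar)) {
            try (OutputStream out = Files.newOutputStream(propsFile)) {
                props.store(out, null);
            }
            System.out.println("pinned " + HASH_KEY + "=" + h1);
        }

        // Run 2: a later checkout reloads the committed properties; same bytes, pinned hash matches.
        Properties reloaded = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            reloaded.load(in);
        }
        verifyOrRecord(reloaded, copyAndHash(new ByteArrayInputStream(genuine), jar), jar);
        System.out.println("verified OK");

        // Run 3: different bytes served for the same URL; the download is deleted and rejected.
        try {
            verifyOrRecord(reloaded, copyAndHash(new ByteArrayInputStream(tampered), jar), jar);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats follow from the design. Recording the hash on first download is trust-on-first-use: that first fetch is unverified, so whoever commits the updated properties file should compare the recorded value with the checksum published by the distribution site before pushing. And the check only catches substitution between the committed properties file and the download (a swapped mirror, a corrupted transfer, a tampered CDN); an attacker who can rewrite the repository can change the URL and the hash together, so the pinned value is only as trustworthy as the review of the commit that introduced it.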